asherp
commented
1 year ago Here's a medium post on the topic https://rockbag.medium.com/why-you-should-pin-your-docker-images-with-sha-instead-of-tags-fd132443b8a6
There doesn't appear to be any automated way to check the image tag against the hash of the pulled image, though. We could write a script that validates the tag in docker-compose against the pulled image.
An example of the type of syntax that should be used can be found here: https://github.com/getumbrel/umbrel-apps/blob/eeeab6deaf54e8e186462afacd271c377934fb95/btc-rpc-explorer/docker-compose.yml#L10 .