Proposal: reference images using digests
Especially for external images, but potentially also for GitLab's own images, we could improve security by referring to images by digest instead of by tag.
From: https://success.docker.com/article/images-tagging-vs-digests
Pinning-by-digest is best practice because
- Tags are mutable, so there is no guarantee a tag will never change.
- It guarantees that every instance of the service is running exactly the same code.
- It allows you to put an image through QA/testing and verify that that version of the image is approved to go into production.
- You can use Docker Content Trust and sign specific versions of the image.
- You can roll back to an earlier version of the image, even if that version was not tagged (or "no longer tagged").
- Digests also prevent race conditions: if a new image is pushed while a deploy is in progress, different nodes may pull the image at different times, so some nodes end up with the new image and some with the old one.
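As an added example (not code from the proposal or the linked article), a small Python checker that parses image references, flags `image:` and service `name:` entries in a `.gitlab-ci.yml` that are not pinned by digest, and rewrites a tag reference into its pinned form. The config fragment and the digest value are constructed placeholders, and the line-based matching is a heuristic, not a full YAML parse.

```python
import re

# Docker digests are "sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Heuristic: top-level/job `image: <ref>` lines and `- name: <ref>` service entries.
IMAGE_LINE_RE = re.compile(r"^\s*(?:image:|-\s*name:)\s*['\"]?([^\s'\"#]+)")

def parse_image_ref(ref):
    """Split 'registry[:port]/repo[:tag][@digest]' into (name, tag, digest).

    The tag separator is the last ':' after the last '/', so a registry port
    such as 'registry.example.com:5000/app' is not mistaken for a tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest

def is_pinned(ref):
    """True only when the reference carries a well-formed sha256 digest."""
    digest = parse_image_ref(ref)[2]
    return digest is not None and DIGEST_RE.match(digest) is not None

def pin(ref, digest):
    """Rewrite a tag reference to 'name[:tag]@digest'. The tag is kept for
    readability; when both are present the digest is what gets pulled."""
    if not DIGEST_RE.match(digest):
        raise ValueError("malformed digest: %s" % digest)
    name, tag, _ = parse_image_ref(ref)
    return name + (":" + tag if tag else "") + "@" + digest

def find_unpinned(ci_yaml):
    """Return every image/service reference in the config that is not pinned by digest."""
    refs = [m.group(1) for m in map(IMAGE_LINE_RE.match, ci_yaml.splitlines()) if m]
    return [r for r in refs if not is_pinned(r)]

# Constructed .gitlab-ci.yml fragment; the digest is a placeholder, not a real image hash.
SAMPLE_CI = """\
image: node:14
services:
  - name: registry.example.com:5000/tools/postgres:12
build:
  image: registry.gitlab.com/group/app:1.2.3@sha256:%s
""" % ("ab" * 32)

if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_CI):
        print("unpinned image reference:", ref)
```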