# Pinned-digest catalogue consumed by `nyx-image-builder` and the # `build.rs` codegen that populates `src/dynamic/toolchain.rs::IMAGE_DIGESTS`. # # Each `[[image]]` entry corresponds to one `(lang, toolchain)` cell of the # Docker backend. The `toolchain_id` matches the IDs surfaced by # `src/dynamic/toolchain.rs` (`python-3.11`, `node-20`, `java-21`, …) and is # the lookup key used by `IMAGE_DIGESTS`. # # Fields: # - toolchain_id string Lookup key (see toolchain.rs). # - base string Docker image reference (e.g. "python:3.11-slim"). # The `nyx-image-builder verify` command refuses to # run if this is not pinnable to a digest. # - toolchain string Human-readable interpreter / compiler version. # - packages table Inline pinned package names → versions (apt / # apk pins applied during image build). Empty `{}` # when the upstream image already covers everything. # - digest string `sha256:…` content digest written back by # `nyx-image-builder build`. Empty until the # first successful build. # # The CI workflow runs `nyx-image-builder build --all` daily. When any digest # drifts, the workflow opens a PR updating this file; reviewers approve before # the new digest pin is merged. [[image]] toolchain_id = "python-3.11" base = "python:3.11-slim" toolchain = "Python 3.11" packages = {} digest = "sha256:a3ab0b966bc4e91546a033e22093cb840908979487a9fc0e6e38295747e49ac0" [[image]] toolchain_id = "python-3.12" base = "python:3.12-slim" toolchain = "Python 3.12" packages = {} digest = "sha256:090ba77e2958f6af52a5341f788b50b032dd4ca28377d2893dcf1ecbdfdfe203" [[image]] toolchain_id = "python-3.13" base = "python:3.13-slim" toolchain = "Python 3.13" packages = {} digest = "sha256:b04b5d7233d2ad9c379e22ea8927cd1378cd15c60d4ef876c065b25ea8fb3bf3" [[image]] toolchain_id = "node-18" base = "node:18-slim" toolchain = "Node.js 18" packages = {} digest = "sha256:f9ab18e354e6855ae56ef2b290dd225c1e51a564f87584b9bd21dd651838830e" [[image]] toolchain_id = "node-20" base = "node:20-slim" toolchain = "Node.js 20" packages = {} digest = "sha256:2cf067cfed83d5ea958367df9f966191a942351a2df77d6f0193e162b5febfc0" [[image]] toolchain_id = "node-22" base = "node:22-slim" toolchain = "Node.js 22" packages = {} digest = "sha256:7af03b14a13c8cdd38e45058fd957bf00a72bbe17feac43b1c15a689c029c732" [[image]] toolchain_id = "java-17" base = "eclipse-temurin:17-jre-jammy" toolchain = "Eclipse Temurin 17 JRE" packages = {} digest = "sha256:47c73dc23524b031bed0a5030410c722af6a8b49d4b25898ea8f4615895065f0" [[image]] toolchain_id = "java-21" base = "eclipse-temurin:21-jre-jammy" toolchain = "Eclipse Temurin 21 JRE" packages = {} digest = "sha256:199aebeb3adcde4910695cdebfe782ada38dadb6cc8013159b58d3724451befd" [[image]] toolchain_id = "php-8.1" base = "php:8.1-cli" toolchain = "PHP 8.1 CLI" packages = {} digest = "sha256:76e563191d1ade120313a8736df24154d21da5155c0756f147c0b01bd19d9087" [[image]] toolchain_id = "php-8.2" base = "php:8.2-cli" toolchain = "PHP 8.2 CLI" packages = {} digest = "sha256:4a03865a30b1b8f9d8f52704719676047b2bcdb05188e01f0085447ecb14bef3" [[image]] toolchain_id = "php-8.3" base = "php:8.3-cli" toolchain = "PHP 8.3 CLI" packages = {} digest = "sha256:861deb86c83e92f416ebdb1a1d15c957474d2f39e112c7edea4446070afd8055" [[image]] toolchain_id = "ruby-3.2" base = "ruby:3.2-slim" toolchain = "Ruby 3.2" packages = {} digest = "sha256:84184c9e2c368885a1d0c93ad1953c33d81081058d274b87b4aa6f3e209e5d16" [[image]] toolchain_id = "ruby-3.3" base = "ruby:3.3-slim" toolchain = "Ruby 3.3" packages = {} digest = "sha256:66937a8df3bab00d8f589ebba96144b9bc5b6fa3f636365f57df42ffe3e4c6ca" # Native runtime image: compiled Rust + Go binaries are copied into a # `debian:bookworm-slim` container. Kept here so the image-builder workflow # pins it alongside the per-lang interpreter images. [[image]] toolchain_id = "native-binary" base = "debian:bookworm-slim" toolchain = "Debian 12 slim (native binary runner)" packages = {} digest = "sha256:0104b334637a5f19aa9c983a91b54c89887c0984081f2068983107a6f6c21eeb"