# Pinned-digest catalogue consumed by `nyx-image-builder` and the # `build.rs` codegen that populates `src/dynamic/toolchain.rs::IMAGE_DIGESTS`. # # Each `[[image]]` entry corresponds to one `(lang, toolchain)` cell of the # Docker backend. The `toolchain_id` matches the IDs surfaced by # `src/dynamic/toolchain.rs` (`python-3.11`, `node-20`, `java-21`, …) and is # the lookup key used by `IMAGE_DIGESTS`. # # Fields: # - toolchain_id string Lookup key (see toolchain.rs). # - base string Docker image reference (e.g. "python:3.11-slim"). # The `nyx-image-builder verify` command refuses to # run if this is not pinnable to a digest. # - toolchain string Human-readable interpreter / compiler version. # - packages table Inline pinned package names → versions (apt / # apk pins applied during image build). Empty `{}` # when the upstream image already covers everything. # - digest string `sha256:…` content digest written back by # `nyx-image-builder build`. Empty until the # first successful build. # # The CI workflow runs `nyx-image-builder build --all` daily. When any digest # drifts, the workflow opens a PR updating this file; reviewers approve before # the new digest pin is merged. [[image]] toolchain_id = "python-3.11" base = "python:3.11-slim" toolchain = "Python 3.11" packages = {} digest = "sha256:563c216740fec2091c99b62bea4ba35cd550c31e644510120504d0be3d0eee80" [[image]] toolchain_id = "python-3.12" base = "python:3.12-slim" toolchain = "Python 3.12" packages = {} digest = "sha256:ba7e2064c4e1ab67d2af2cd761183b4af961cbc21f47020ef785b738472b01ac" [[image]] toolchain_id = "python-3.13" base = "python:3.13-slim" toolchain = "Python 3.13" packages = {} digest = "sha256:aec3f1588bdda76cde971575692e33d11bf83a2bcaa2e1c315c47de6f72ee21a" [[image]] toolchain_id = "node-18" base = "node:18-slim" toolchain = "Node.js 18" packages = {} digest = "sha256:f9ab18e354e6855ae56ef2b290dd225c1e51a564f87584b9bd21dd651838830e" [[image]] toolchain_id = "node-20" base = "node:20-slim" toolchain = "Node.js 20" packages = {} digest = "sha256:2cf067cfed83d5ea958367df9f966191a942351a2df77d6f0193e162b5febfc0" [[image]] toolchain_id = "node-22" base = "node:22-slim" toolchain = "Node.js 22" packages = {} digest = "sha256:5d7730838f61b227480a7536103a3223d9f2f87c015ff0b11d9318647b2a7a3a" [[image]] toolchain_id = "java-17" base = "eclipse-temurin:17-jre-jammy" toolchain = "Eclipse Temurin 17 JRE" packages = {} digest = "sha256:47c73dc23524b031bed0a5030410c722af6a8b49d4b25898ea8f4615895065f0" [[image]] toolchain_id = "java-21" base = "eclipse-temurin:21-jre-jammy" toolchain = "Eclipse Temurin 21 JRE" packages = {} digest = "sha256:199aebeb3adcde4910695cdebfe782ada38dadb6cc8013159b58d3724451befd" [[image]] toolchain_id = "php-8.1" base = "php:8.1-cli" toolchain = "PHP 8.1 CLI" packages = {} digest = "sha256:76e563191d1ade120313a8736df24154d21da5155c0756f147c0b01bd19d9087" [[image]] toolchain_id = "php-8.2" base = "php:8.2-cli" toolchain = "PHP 8.2 CLI" packages = {} digest = "sha256:2d4d63df6d598e16b474296db3ac05754b54b0932c6f1799b5f10116e25c2aa1" [[image]] toolchain_id = "php-8.3" base = "php:8.3-cli" toolchain = "PHP 8.3 CLI" packages = {} digest = "sha256:ab3f1ce29304b9cdf40de0394ce76e7566759e3fa592c4672d3d3e94333fbaf1" [[image]] toolchain_id = "ruby-3.2" base = "ruby:3.2-slim" toolchain = "Ruby 3.2" packages = {} digest = "sha256:84184c9e2c368885a1d0c93ad1953c33d81081058d274b87b4aa6f3e209e5d16" [[image]] toolchain_id = "ruby-3.3" base = "ruby:3.3-slim" toolchain = "Ruby 3.3" packages = {} digest = "sha256:cc72904d778262aac7de3eba5b731c3d83613ed3b9c237878c7a575eca8dec11" # Native runtime image: compiled Rust + Go binaries are copied into a # `debian:bookworm-slim` container. Kept here so the image-builder workflow # pins it alongside the per-lang interpreter images. [[image]] toolchain_id = "native-binary" base = "debian:bookworm-slim" toolchain = "Debian 12 slim (native binary runner)" packages = {} digest = "sha256:60eac759739651111db372c07be67863818726f754804b8707c90979bda511df"