# Pinned-digest catalogue consumed by `nyx-image-builder` and the # `build.rs` codegen that populates `src/dynamic/toolchain.rs::IMAGE_DIGESTS`. # # Each `[[image]]` entry corresponds to one `(lang, toolchain)` cell of the # Docker backend. The `toolchain_id` matches the IDs surfaced by # `src/dynamic/toolchain.rs` (`python-3.11`, `node-20`, `java-21`, …) and is # the lookup key used by `IMAGE_DIGESTS`. # # Fields: # - toolchain_id string Lookup key (see toolchain.rs). # - base string Docker image reference (e.g. "python:3.11-slim"). # The `nyx-image-builder verify` command refuses to # run if this is not pinnable to a digest. # - toolchain string Human-readable interpreter / compiler version. # - packages table Inline pinned package names → versions (apt / # apk pins applied during image build). Empty `{}` # when the upstream image already covers everything. # - digest string `sha256:…` content digest written back by # `nyx-image-builder build`. Empty until the # first successful build. # # The CI workflow runs `nyx-image-builder build --all` daily. When any digest # drifts, the workflow opens a PR updating this file; reviewers approve before # the new digest pin is merged. [[image]] toolchain_id = "python-3.11" base = "python:3.11-slim" toolchain = "Python 3.11" packages = {} digest = "sha256:ae52c5bef62a6bdd42cd1e8dffef86b9cd284bde9427da79839de7a4b983e7ca" [[image]] toolchain_id = "python-3.12" base = "python:3.12-slim" toolchain = "Python 3.12" packages = {} digest = "sha256:d764629ce0ddd8c71fd371e9901efb324a95789d2315a47db7e4d27e78f1b0e9" [[image]] toolchain_id = "python-3.13" base = "python:3.13-slim" toolchain = "Python 3.13" packages = {} digest = "sha256:c33f0bc4364a6881bed1ec0cc2665e6c53c87a43e774aaeab88e6f17af105e4f" [[image]] toolchain_id = "node-18" base = "node:18-slim" toolchain = "Node.js 18" packages = {} digest = "sha256:f9ab18e354e6855ae56ef2b290dd225c1e51a564f87584b9bd21dd651838830e" [[image]] toolchain_id = "node-20" base = "node:20-slim" toolchain = "Node.js 20" packages = {} digest = "sha256:2cf067cfed83d5ea958367df9f966191a942351a2df77d6f0193e162b5febfc0" [[image]] toolchain_id = "node-22" base = "node:22-slim" toolchain = "Node.js 22" packages = {} digest = "sha256:d9f850096136edbc402debdd8729579a288aac64574ada0ff4db26b6ae58b0b2" [[image]] toolchain_id = "java-17" base = "eclipse-temurin:17-jre-jammy" toolchain = "Eclipse Temurin 17 JRE" packages = {} digest = "sha256:47c73dc23524b031bed0a5030410c722af6a8b49d4b25898ea8f4615895065f0" [[image]] toolchain_id = "java-21" base = "eclipse-temurin:21-jre-jammy" toolchain = "Eclipse Temurin 21 JRE" packages = {} digest = "sha256:199aebeb3adcde4910695cdebfe782ada38dadb6cc8013159b58d3724451befd" [[image]] toolchain_id = "php-8.1" base = "php:8.1-cli" toolchain = "PHP 8.1 CLI" packages = {} digest = "sha256:76e563191d1ade120313a8736df24154d21da5155c0756f147c0b01bd19d9087" [[image]] toolchain_id = "php-8.2" base = "php:8.2-cli" toolchain = "PHP 8.2 CLI" packages = {} digest = "sha256:9277667c0fc298de473509dfed37adf969c97a0372338de990491b39bacf99a5" [[image]] toolchain_id = "php-8.3" base = "php:8.3-cli" toolchain = "PHP 8.3 CLI" packages = {} digest = "sha256:22f6151b15f7845352b6e08b85c602f7ea5ac0e52dc8462f2bd69b4d39d587e9" [[image]] toolchain_id = "ruby-3.2" base = "ruby:3.2-slim" toolchain = "Ruby 3.2" packages = {} digest = "sha256:84184c9e2c368885a1d0c93ad1953c33d81081058d274b87b4aa6f3e209e5d16" [[image]] toolchain_id = "ruby-3.3" base = "ruby:3.3-slim" toolchain = "Ruby 3.3" packages = {} digest = "sha256:5340ab7cd6317c45a0a7e2818857b930ff61ee92ffd661dec72738e42dd2cddf" # Native runtime image: compiled Rust + Go binaries are copied into a # `debian:bookworm-slim` container. Kept here so the image-builder workflow # pins it alongside the per-lang interpreter images. [[image]] toolchain_id = "native-binary" base = "debian:bookworm-slim" toolchain = "Debian 12 slim (native binary runner)" packages = {} digest = "sha256:96e378d7e6531ac9a15ad505478fcc2e69f371b10f5cdf87857c4b8188404716"