From 9253e360c40dea5f4b559c4e075246ebf01ee5f4 Mon Sep 17 00:00:00 2001
From: "Peter A. Jonsson"
Date: Fri, 16 Jan 2026 10:45:09 +0100
Subject: [PATCH 1/3] Dockerfile: de-duplicate base image name

Declare an internal_base that the other two images are made from. This ensures the build image and the force image use the same base image.
---
 Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 196659cf..ae52e88d 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,9 @@
 # base installation to speed up build process
 # https://github.com/davidfrantz/base_image
-FROM davidfrantz/base:latest AS force_builder
+FROM davidfrantz/base:latest AS internal_base
+
+FROM internal_base AS force_builder
 # Environment variables
 ENV SOURCE_DIR=$HOME/src/force
@@ -47,7 +49,7 @@ RUN echo "building FORCE" && \
 ./debug.sh $debug && \
 make -j$(nproc) $build
-FROM davidfrantz/base:latest AS force
+FROM internal_base AS force
 ADD --link --chown=root:root --exclude=.github https://github.com/davidfrantz/force-udf.git /usr/local/bin/force/force-udf
 COPY --link --chown=root:root --from=force_builder $HOME/src/force/bin /usr/local/bin/force
From e0629f01fd030051115a4762cbf675d338af3253 Mon Sep 17 00:00:00 2001
From: "Peter A. Jonsson"
Date: Fri, 16 Jan 2026 10:51:05 +0100
Subject: [PATCH 2/3] Dockerfile: pin the base image

This makes image builds more reproducible and reduces the surface area for supply-chain attacks against FORCE.
Refs #403
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index ae52e88d..a4ffbd68 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,10 @@
 # base installation to speed up build process
 # https://github.com/davidfrantz/base_image
-FROM davidfrantz/base:latest AS internal_base
+#
+# To find sha256: docker pull davidfrantz/base:VERSION followed by
+# docker inspect davidfrantz/base:VERSION and get the sha from RepoDigests.
+FROM davidfrantz/base:1.20260113143410.3.11.3@sha256:16a89ca8ab0702423d7ed13e5c3bbf673db9725c27f77e5bb444132705fb1807 AS internal_base
 FROM internal_base AS force_builder
From 5f6c53f34cc6cdfa38478fc880fde4d131f7dcc6 Mon Sep 17 00:00:00 2001
From: "Peter A. Jonsson"
Date: Fri, 16 Jan 2026 10:57:32 +0100
Subject: [PATCH 3/3] Dockerfile: pin force-udf version

This improves the reproducibility of the image build.
Refs #403
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index a4ffbd68..41be4f63 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,7 +54,7 @@ RUN echo "building FORCE" && \
 FROM internal_base AS force
-ADD --link --chown=root:root --exclude=.github https://github.com/davidfrantz/force-udf.git /usr/local/bin/force/force-udf
+ADD --link --chown=root:root --exclude=.github https://github.com/davidfrantz/force-udf.git#1.20260112113534 /usr/local/bin/force/force-udf
 COPY --link --chown=root:root --from=force_builder $HOME/src/force/bin /usr/local/bin/force
 ENV PATH="$PATH:/usr/local/bin/force"
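Review bot: On the pinned `FROM davidfrantz/base:1.20260113143410.3.11.3@sha256:…` line in patch 2/3, the digest is what the builder resolves and the tag beside it is not checked against it, so a later edit that bumps only the tag would keep building the old image while looking updated. The added comment should say so, for example `# The digest is authoritative; always update the tag and the sha256 together.` The RepoDigests procedure records whatever the registry served at pull time, so the value is worth cross-checking against the base_image release before it is committed. A digest-pinned base also stops picking up upstream security fixes on rebuild, so the comment or CI should state how and how often the pin is refreshed.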
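Review bot: The fragment `#1.20260112113534` on the new `ADD` line in patch 3/3 names a Git ref (presumably a tag), and a tag can be re-pointed upstream, so this pin is weaker than the sha256 pin the previous patch gives the base image. Pinning to the full commit hash makes the fetched tree immutable: `ADD --link --chown=root:root --exclude=.github https://github.com/davidfrantz/force-udf.git#<FULL_COMMIT_SHA> /usr/local/bin/force/force-udf`, with the version tag kept in a comment above it for readers. The placeholder stands for the commit that the tag currently resolves to, which is not visible on this page.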