
fix(k8s): pin container images by sha256 digest (#1436) #1986

Closed
ColinM-sys wants to merge 1 commit into NVIDIA:main from ColinM-sys:fix/1436-k8s-digest-pinning
@ColinM-sys
Contributor

@ColinM-sys ColinM-sys commented Apr 16, 2026

Summary

  • Pin the three images in k8s/nemoclaw-k8s.yaml to sha256 digests:
    • docker:24-dind → docker:24-dind@sha256:9b17a9f2...
    • node:22 → node:22@sha256:ecabd1cb...
    • busybox → busybox@sha256:1487d0af...
  • Preserve the human-readable tag in a comment above each image: line so maintainers can refresh the digest when bumping versions.

Fixes #1436.

Why

The K8s manifest referenced images by mutable tag. A compromised registry or tag overwrite would inject malicious code into the pod — supply-chain attack vector. The root Dockerfile already pins node:22-slim@sha256:4f77a690... by digest; this extends the same hardening to the K8s manifest.

Test plan

  • grep "image:" k8s/nemoclaw-k8s.yaml shows all three images pinned by @sha256:
  • YAML is syntactically valid (no indentation/structure changes)
  • Manual: kubectl apply -f k8s/nemoclaw-k8s.yaml pulls the pinned digests (verifiable in a dev cluster)

Digests captured from Docker Hub at commit time via authenticated Registry v2 HEAD requests.

Signed-off-by: Colin McDonough cmcdonough@50words.com

Fixes NVIDIA#1436.

The K8s manifest referenced three images by mutable tags:
docker:24-dind, node:22, and busybox. Tag references can be
overwritten at the registry — a compromised registry or tag
overwrite would inject malicious code into the pod.

Pin each image to a sha256 digest to prevent supply-chain
attacks via tag manipulation. Digests captured from Docker Hub
at commit time; the human-readable tag is preserved in a
comment so maintainers can refresh the digest when bumping
versions.

This matches the pattern already used in the root Dockerfile
(node:22-slim@sha256:4f77a6...) and Dockerfile.base.

Signed-off-by: ColinM-sys <cmcdonough@50words.com>
@coderabbitai
Contributor

coderabbitai Bot commented Apr 16, 2026

📝 Walkthrough

The Kubernetes manifest pins three container images to specific SHA256 digests, replacing mutable tag references (docker:24-dind, node:22, busybox) with their immutable digest counterparts to mitigate supply chain attack vectors via tag manipulation.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Image Digest Pinning (k8s/nemoclaw-k8s.yaml) | Three container image references updated from mutable tags to specific SHA256 digests: docker:24-dind, node:22, and busybox (initContainer). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through registries with glee,
Pinning digests for security!
No mutable tags shall pass our gate,
SHA256 checksums seal our fate. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: pinning container images by sha256 digest in the Kubernetes manifest, directly addressing issue #1436. |
| Linked Issues check | ✅ Passed | The pull request fully addresses issue #1436 by replacing all three mutable tag references (docker:24-dind, node:22, busybox) with immutable sha256 digests in k8s/nemoclaw-k8s.yaml. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to pinning container images by sha256 digest in the K8s manifest; no unrelated modifications or out-of-scope alterations are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@wscurran added the K8s, fix, and dependencies labels Apr 20, 2026
@wscurran
Contributor

✨ Thanks for submitting this PR that proposes a fix and dependency enhancement by pinning container images by sha256 digest, which could help improve the security and reproducibility of NemoClaw's deployments.


Possibly related open issues:

@jyaunches jyaunches self-requested a review April 24, 2026 16:45
@jyaunches
Contributor

Thanks for the contribution! The digest-pinning approach here is solid — preserving the human-readable tag in a comment above each image: line is a nice maintainer-friendly pattern.

However, the entire k8s/ directory (including k8s/nemoclaw-k8s.yaml) was removed from main in PR #2107 (chore: remove experimental k8s/ deployment manifests), which merged on April 21. Since the file this PR targets no longer exists, the supply-chain risk it addressed has been eliminated by deletion.

Closing this PR and the parent issue #1436 — both are resolved by #2107. If k8s manifests are reintroduced in the future, digest pinning should definitely be included from the start.

@jyaunches jyaunches closed this Apr 24, 2026
@cv cv added v0.0.25 Release target and removed v0.0.25 Release target labels Apr 24, 2026
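
A stricter form of the test plan's grep step, written as an added example that is not part of this PR or the NemoClaw repository: it scans manifest text line by line and reports every image: value that does not end in a full @sha256 digest. The sample manifest and its digest values are constructed, `unpinned_images` is a hypothetical helper name, and the line-based scan assumes plain (untemplated) YAML.

```python
import re
import sys

# An "image:" key, with an optional list dash and quotes around the value.
IMAGE_LINE = re.compile(r"""^\s*(?:-\s+)?image:\s*["']?([^"'\s#]+)""")
# Pinned means the reference ends in @sha256: plus 64 lowercase hex characters.
PINNED = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed sample manifest; the digests are made-up placeholder values.
SAMPLE = """\
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  initContainers:
    - name: init
      image: busybox
  containers:
    - name: dind
      # docker:24-dind
      image: docker:24-dind@sha256:{digest}
    - name: app
      image: "node:22@sha256:abc123"
""".format(digest="a" * 64)


def unpinned_images(manifest_text):
    """Return (line_number, reference) for every image not pinned by digest."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # the tag kept in a comment above image: is not a reference
        match = IMAGE_LINE.match(line)
        # A truncated or malformed digest counts as unpinned, not as pinned.
        if match and not PINNED.search(match.group(1)):
            findings.append((lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    # With file arguments, scan them (for CI); otherwise scan the sample.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE]
    bad = [f for text in texts for f in unpinned_images(text)]
    for lineno, ref in bad:
        print(f"line {lineno}: {ref} is not pinned by sha256 digest")
    sys.exit(1 if bad else 0)
```

Run in CI against each manifest path, the non-zero exit status fails the build when a mutable tag or a truncated digest slips in.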

Development

Successfully merging this pull request may close these issues.

K8s Manifest Images Not Pinned by Digest — Mutable Tag References - IssueFinder - SN 12
