ENG-56250 Pin ghcr.io/willthames/kubernetes-validate Docker tag to b79e243 #10

Open

skedulo-renovate[bot] wants to merge 1 commit into main from renovate/pin-dependencies

Conversation

@skedulo-renovate

This PR contains the following updates:

Package | Type | Update | Change
ghcr.io/willthames/kubernetes-validate | final | pinDigest | b79e243

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot.

coderabbitai bot commented Feb 15, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated container image reference to use digest pinning for improved immutability and reproducibility.

Walkthrough

Updates the Dockerfile to pin the kubernetes-validate base image reference from a tag (v1.35.0) to a specific digest (sha256) for immutability, replacing the tag-based reference with its corresponding digest hash.

Changes

Cohort / File(s) | Summary
Docker Base Image Pinning (Dockerfile) | Updated kubernetes-validate base image reference from tag-based (v1.35.0) to digest pin (sha256) for immutable image reference.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

  • Dependency Dashboard #11: Addresses the same objective of pinning the kubernetes-validate Docker image dependency to an immutable digest reference for increased supply-chain security.

Suggested reviewers

  • marcoslopes
🚥 Pre-merge checks: 6 passed

  • Title check: Passed. The title starts with the required ticket number (ENG-56250) and is 74 characters, meeting the 80-character limit.
  • Description check: Passed. The description is related to the changeset, detailing the Docker image pinning update via a Renovate-generated table.
  • Linked Issues check: Passed. The PR meets ENG-56250 objectives by pinning the Docker image and providing clear tracking for the Renovate dependency update.
  • Out of Scope Changes check: Passed. All changes are in scope; only the Dockerfile was modified to pin the container image digest, aligning with ENG-56250 objectives.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Merge Conflict Detection: Passed. No merge conflicts detected when merging into main.


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
Dockerfile (1)

3-7: ⚠️ Potential issue | 🟠 Major

Run the container as a non-root user.

The image runs as root by default, which is a security posture gap. Consider adding a non-root user and switching to it after setup.

🔒 Suggested hardening
 RUN apk add sed
 
+RUN addgroup -S app && adduser -S -G app app
-COPY entrypoint.sh /entrypoint.sh
+COPY --chown=app:app entrypoint.sh /entrypoint.sh
+USER app
+
 ENTRYPOINT ["/entrypoint.sh"]
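Review bot: this hardening lies outside the lines the PR touches (the Renovate change is only the FROM line), so it should land as its own change rather than be folded into an automated digest pin. Within the hunk the ordering is right: `USER app` comes after `RUN apk add sed`, which still needs root, and `COPY --chown=app:app entrypoint.sh /entrypoint.sh` gives the entrypoint the matching owner. Before adopting it, confirm that entrypoint.sh does not write to root-owned paths at runtime, since those writes would now fail under `app`.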
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro


📥 Commits

Reviewing files that changed from the base of the PR and between 4bc8f5b and d177a88.

📒 Files selected for processing (1)
  • Dockerfile
🧰 Additional context used

🪛 Trivy (0.69.1), Dockerfile:

[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002 (IaC/Dockerfile)

🔇 Additional comments (1)
Dockerfile (1)

1-1: Digest pin looks good.

Pinning the base image to a digest improves immutability and repeatability.

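A small Dockerfile check covering the two points raised on this page, digest pinning of FROM lines (the Renovate change) and Trivy's DS-0002 non-root USER rule, as an added example that is not part of the PR, Renovate or CodeRabbit. The sample Dockerfiles are constructed; the sha256 value is a placeholder, not the digest that b79e243 abbreviates.

```python
import re

# FROM line: optional --platform flag, the image reference, optional "AS <stage>" alias.
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?$", re.I)
# A digest-pinned reference ends in @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_dockerfile(text):
    """Return (line_no, message) findings; line_no 0 is the whole-file root-USER finding."""
    findings = []
    stage_aliases = set()
    last_user = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = FROM_RE.match(line)
        if m:
            last_user = None  # every stage starts as root again
            if m.group("alias"):
                stage_aliases.add(m.group("alias").lower())
            ref = m.group("ref")
            if ref.lower() in stage_aliases:
                continue  # FROM an earlier build stage: nothing is pulled from a registry
            if not DIGEST_RE.search(ref):
                findings.append((n, f"base image {ref!r} is not pinned to a sha256 digest"))
        elif line.upper().startswith("USER "):
            last_user = line.split(None, 1)[1].strip()
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append((0, "final stage runs as root (no non-root USER instruction)"))
    return findings


# Constructed sample Dockerfiles (not the repository's file); the digest value is a placeholder.
PLACEHOLDER_DIGEST = "0" * 63 + "1"
UNPINNED = """\
FROM ghcr.io/willthames/kubernetes-validate:v1.35.0
RUN apk add sed
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
"""
HARDENED = f"""\
FROM ghcr.io/willthames/kubernetes-validate:v1.35.0@sha256:{PLACEHOLDER_DIGEST}
RUN apk add sed
RUN addgroup -S app && adduser -S -G app app
COPY --chown=app:app entrypoint.sh /entrypoint.sh
USER app
ENTRYPOINT ["/entrypoint.sh"]
"""
```

Running `check_dockerfile(UNPINNED)` reports both the unpinned base image and the missing non-root USER, while `check_dockerfile(HARDENED)` returns no findings.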
