chore: pin all MCP server and job image tags with SHA digests #253

Merged

Exikle merged 1 commit from chore/pin-mcp-image-tags into main 2026-06-05 17:45:13 +00:00

Conversation 1 Commits 1 Files changed 11 +11 -11

Exikle commented 2026-06-05 17:42:23 +00:00

Owner

Copy link

Pins SHA digests on all image tags in MCPServer manifests and job specs that were missing them, bringing them in line with cluster conventions (version@sha256:...).\n\n| File | Before | After |\n|------|--------|-------|\n| arr-mcp | node:24-alpine | node:24.16.0-alpine@sha256:2bdb65... |\n| agentmemory-mcp | node:24-alpine | node:24.16.0-alpine@sha256:2bdb65... |\n| context7-mcp | node:24-alpine | node:24.16.0-alpine@sha256:2bdb65... |\n| seerr-mcp | node:24-alpine | node:24.16.0-alpine@sha256:2bdb65... |\n| searxng-mcp | mcp-searxng:1.1.0 | mcp-searxng:1.1.0@sha256:89d9e5... |\n| ha-mcp | hass-mcp:latest | hass-mcp:latest@sha256:1028a5... |\n| grafana-mcp | mcp-grafana:latest | mcp-grafana:v0.7.3@sha256:787c47... |\n| k8s-mcp | mcp-server-kubernetes:v3.8.0 | ...v3.8.0@sha256:b78027... |\n| github-mcp | github-mcp-server:v1.1.2 | ...v1.1.2@sha256:301974... |\n| renovate job | renovate:43.213.3 | ...43.213.3@sha256:52bab5... |\n| podspec-dind | docker:29-dind | docker:29.5-dind@sha256:7d85d0... |

Pins SHA digests on all image tags in MCPServer manifests and job specs that were missing them, bringing them in line with cluster conventions (`version@sha256:...`).\n\n| File | Before | After |\n|------|--------|-------|\n| arr-mcp | `node:24-alpine` | `node:24.16.0-alpine@sha256:2bdb65...` |\n| agentmemory-mcp | `node:24-alpine` | `node:24.16.0-alpine@sha256:2bdb65...` |\n| context7-mcp | `node:24-alpine` | `node:24.16.0-alpine@sha256:2bdb65...` |\n| seerr-mcp | `node:24-alpine` | `node:24.16.0-alpine@sha256:2bdb65...` |\n| searxng-mcp | `mcp-searxng:1.1.0` | `mcp-searxng:1.1.0@sha256:89d9e5...` |\n| ha-mcp | `hass-mcp:latest` | `hass-mcp:latest@sha256:1028a5...` |\n| grafana-mcp | `mcp-grafana:latest` | `mcp-grafana:v0.7.3@sha256:787c47...` |\n| k8s-mcp | `mcp-server-kubernetes:v3.8.0` | `...v3.8.0@sha256:b78027...` |\n| github-mcp | `github-mcp-server:v1.1.2` | `...v1.1.2@sha256:301974...` |\n| renovate job | `renovate:43.213.3` | `...43.213.3@sha256:52bab5...` |\n| podspec-dind | `docker:29-dind` | `docker:29.5-dind@sha256:7d85d0...` |

Exikle added 1 commit 2026-06-05 17:42:23 +00:00

chore: pin all MCP server and job image tags with SHA digests 93856c343f

Exikle scheduled this pull request to auto merge when all checks succeed 2026-06-05 17:42:36 +00:00

Exikle added the

area/kubernetes

label 2026-06-05 17:43:00 +00:00

dusk-bot commented 2026-06-05 17:44:46 +00:00

Collaborator

Copy link

Kustomization diff

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-agentmemory
! ± value change
- node:24-alpine
+ node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-arr
! ± value change
- node:24-alpine
+ node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-context7
! ± value change
- node:24-alpine
+ node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-github
! ± value change
- ghcr.io/github/github-mcp-server:v1.1.2
+ ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-grafana
! ± value change
- docker.io/grafana/mcp-grafana:latest
+ docker.io/grafana/mcp-grafana:v0.7.3@sha256:787c4774a0eaf08170ff10537570c4a1c881b4f59081de43bf2bbe013a9c0162

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-ha
! ± value change
- docker.io/voska/hass-mcp:latest
+ docker.io/voska/hass-mcp:latest@sha256:1028a5acb279de535d750f1f98a11274538c228bf8ef51cff4c73387859ccc40

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-k8s
! ± value change
- docker.io/flux159/mcp-server-kubernetes:v3.8.0
+ docker.io/flux159/mcp-server-kubernetes:v3.8.0@sha256:b78027cc7bf1741e044345be9edf7471fd161937b7e03479e67b5f6b541c6682

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-searxng
! ± value change
- docker.io/isokoliuk/mcp-searxng:1.1.0
+ docker.io/isokoliuk/mcp-searxng:1.1.0@sha256:89d9e53202c2f6592b796bc3fa65e8a6e530a2e9e8a48ebb4544fb6632a706a2

@@ spec.image @@
# toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-seerr
! ± value change
- node:24-alpine
+ node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14

@@ data.podspec-dind.yaml @@
# v1/ConfigMap/forgejo/forgejo-runner-config
! ± value change in multiline text (one insert, one deletion)
  ---
  initContainers:
    - name: dind
-     image: docker:29-dind
+     image: docker:29.5-dind@sha256:7d85d0eda291f1a7ab6df4a9d1802b5ad4cf9145a088bd11188c78dcb5c7392b
      securityContext:
        privileged: true
      restartPolicy: Always
      env:
  
  [48 lines unchanged)]
  
      emptyDir: {}
    - name: docker-certs
      emptyDir: {}
  restartPolicy: Never

@@ spec.image @@
# renovate-operator.mogenius.com/v1alpha1/RenovateJob/kube-system/artemis-cluster
! ± value change
- ghcr.io/renovatebot/renovate:43.213.3
+ ghcr.io/renovatebot/renovate:43.213.3@sha256:52bab599acf7f010845cf4064de5b6e02ab5faa71aab7f28b1238fbd430cb878

_{Diff created by flate — Workflow run}

<!-- flate --> <details open><summary>Kustomization diff</summary> ```diff @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-agentmemory ! ± value change - node:24-alpine + node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14 @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-arr ! ± value change - node:24-alpine + node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14 @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-context7 ! ± value change - node:24-alpine + node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14 @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-github ! ± value change - ghcr.io/github/github-mcp-server:v1.1.2 + ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-grafana ! ± value change - docker.io/grafana/mcp-grafana:latest + docker.io/grafana/mcp-grafana:v0.7.3@sha256:787c4774a0eaf08170ff10537570c4a1c881b4f59081de43bf2bbe013a9c0162 @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-ha ! ± value change - docker.io/voska/hass-mcp:latest + docker.io/voska/hass-mcp:latest@sha256:1028a5acb279de535d750f1f98a11274538c228bf8ef51cff4c73387859ccc40 @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-k8s ! ± value change - docker.io/flux159/mcp-server-kubernetes:v3.8.0 + docker.io/flux159/mcp-server-kubernetes:v3.8.0@sha256:b78027cc7bf1741e044345be9edf7471fd161937b7e03479e67b5f6b541c6682 @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-searxng ! ± value change - docker.io/isokoliuk/mcp-searxng:1.1.0 + docker.io/isokoliuk/mcp-searxng:1.1.0@sha256:89d9e53202c2f6592b796bc3fa65e8a6e530a2e9e8a48ebb4544fb6632a706a2 @@ spec.image @@ # toolhive.stacklok.dev/v1beta1/MCPServer/cortex/mcp-seerr ! ± value change - node:24-alpine + node:24.16.0-alpine@sha256:2bdb65ed1dab192432bc31c95f94155ca5ad7fc1392fb7eb7526ab682fa5bf14 @@ data.podspec-dind.yaml @@ # v1/ConfigMap/forgejo/forgejo-runner-config ! ± value change in multiline text (one insert, one deletion) --- initContainers: - name: dind - image: docker:29-dind + image: docker:29.5-dind@sha256:7d85d0eda291f1a7ab6df4a9d1802b5ad4cf9145a088bd11188c78dcb5c7392b securityContext: privileged: true restartPolicy: Always env: [48 lines unchanged)] emptyDir: {} - name: docker-certs emptyDir: {} restartPolicy: Never @@ spec.image @@ # renovate-operator.mogenius.com/v1alpha1/RenovateJob/kube-system/artemis-cluster ! ± value change - ghcr.io/renovatebot/renovate:43.213.3 + ghcr.io/renovatebot/renovate:43.213.3@sha256:52bab599acf7f010845cf4064de5b6e02ab5faa71aab7f28b1238fbd430cb878 ``` </details> _{Diff created by [flate](https://github.com/home-operations/flate) — [Workflow run](https://git.dcunha.io/Exikle/Artemis-Cluster/actions/runs/870)}

Exikle merged commit 95f3c24249 into main 2026-06-05 17:45:13 +00:00

Exikle deleted branch chore/pin-mcp-image-tags 2026-06-05 17:45:13 +00:00

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

area/bootstrap

Issues related to cluster bootstrapping

  

area/ci

Issues related to Forgejo workflows and automation

  

area/flux

Issues related to Flux CD configuration

  

area/kubernetes

Issues related to Kubernetes configuration

  

area/media

Issues related to media stack configuration

  

area/observability

Issues related to observability configuration

  

area/renovate

Issues related to Renovate configuration and automation

  

area/talos

Issues related to TalosOS configuration and operations

  

community

Community contributions and discussions

  

hold

Do not merge - work in progress or blocked

  

hold/upstream

Blocked waiting for upstream fix or update

  

priority/high

High priority issues

  

priority/low

Low priority issues

  

priority/medium

Medium priority issues

  

renovate/container

Container image updates from Renovate

  

renovate/forgejo-action

Forgejo Action updates from Renovate

  

renovate/github-release

GitHub Release updates from Renovate

  

renovate/grafana-dashboard

Grafana dashboard updates from Renovate

  

renovate/helm

Helm chart updates from Renovate

  

type/digest

Container digest updates (same version, new build)

  

type/major

Major version updates (breaking changes)

  

type/minor

Minor version updates (new features, backward compatible)

  

type/patch

Patch version updates (bug fixes)

No labels

area/bootstrap

area/ci

area/flux

area/kubernetes

area/media

area/observability

area/renovate

area/talos

community

hold

hold/upstream

priority/high

priority/low

priority/medium

renovate/container

renovate/forgejo-action

renovate/github-release

renovate/grafana-dashboard

renovate/helm

type/digest

type/major

type/minor

type/patch

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

Exikle/Artemis-Cluster!253

No description provided.