Use docker hardened images

.github/workflows/sdk.yaml

@@ -83,6 +83,13 @@ jobs:
                   username: ${{ secrets.DOCKERHUB_USERNAME }}
                   password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+            - name: Login to Docker Hardened Registry
+              uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+              with:
+                  registry: dhi.io
+                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+
             - name: Build and push
               uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c # v6.9.0
               if: ${{ !startsWith(github.ref, 'refs/tags/sdk@') }}

packages/sdk/Dockerfile

@@ -1,11 +1,12 @@
 # syntax=docker.io/docker/dockerfile:1
 ARG CARTESI_BASE_IMAGE
-ARG POSTGRES_BASE_IMAGE
+ARG POSTGRES_BASE_BUILD_IMAGE
+ARG POSTGRES_BASE_RUNTIME_IMAGE
 ARG NODE_VERSION
 
 ################################################################################
 # base image
 FROM ${CARTESI_BASE_IMAGE} AS base
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
@@ -65,6 +66,7 @@
 ARG TARGETARCH
 ARG TARGETOS
 RUN <<EOF
+mkdir -p /usr/local/bin
 curl -fsSL https://github.com/foundry-rs/foundry/releases/download/v${FOUNDRY_VERSION}/foundry_v${FOUNDRY_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz \
   -o /tmp/foundry.tar.gz
 case "${TARGETARCH}" in
@@ -107,12 +109,10 @@
 apt-get install -y --no-install-recommends \
     libslirp0 \
     lua5.4 \
+    passwd \
     xz-utils
-rm -rf /var/lib/apt/lists/*
-EOF
 
-RUN <<EOF
-set -e
+# create cartesi user
 useradd \
     --comment "cartesi user" \
     --no-create-home \
@@ -122,6 +122,9 @@
     --uid 102 \
     --user-group \
     cartesi
+
+apt-get remove -y --purge passwd
+rm -rf /var/lib/apt/lists/*
 EOF
 
 # Install cartesi-machine emulator
@@ -169,7 +172,7 @@
 
 ################################################################################
 # postgresql initdb
-FROM ${POSTGRES_BASE_IMAGE} AS postgresql-initdb
+FROM ${POSTGRES_BASE_BUILD_IMAGE} AS postgresql-initdb
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
@@ -182,7 +185,7 @@
 COPY --from=rollups-runtime /usr/bin/cartesi-rollups-cli /usr/bin/
 COPY --from=rollups-runtime /usr/lib/libcartesi* /usr/lib/
 
 ARG POSTGRES_PASSWORD=password
 
 # create rollupsdb databases
 COPY <<EOF /docker-entrypoint-initdb.d/00-createdb.sql
@@ -202,21 +205,23 @@
 
 ################################################################################
 # rollups-database image
-FROM ${POSTGRES_BASE_IMAGE} AS rollups-database
-COPY --from=postgresql-initdb /var/lib/postgresql/data /var/lib/postgresql/data
+FROM ${POSTGRES_BASE_RUNTIME_IMAGE} AS rollups-database
+ARG POSTGRES_MAJOR_VERSION
+COPY --from=postgresql-initdb \
+    --chown=postgres:postgres \
+    --chmod=750 \
+    /var/lib/postgresql/data /var/lib/postgresql/${POSTGRES_MAJOR_VERSION}/data
 
 ################################################################################
 # alto build
 FROM node:${NODE_VERSION} AS alto
 ARG ALTO_VERSION
 ARG NODE_VERSION
-ARG FOUNDRY_VERSION
 ARG TARGETARCH
 ARG TARGETOS
 
 # install foundry, necessary for building alto
-RUN curl -fsSL https://github.com/foundry-rs/foundry/releases/download/v${FOUNDRY_VERSION}/foundry_v${FOUNDRY_VERSION}_${TARGETOS}_${TARGETARCH}.tar.gz \
-    | tar -zx -C /usr/local/bin
+COPY --from=foundry /usr/local/bin/forge /usr/local/bin/forge
 
 WORKDIR /app
 COPY alto.patch /app/alto.patch
@@ -260,9 +265,7 @@
     liblzo2-2 \
     libslirp0 \
     locales \
-    lua5.4 \
-    xxd \
-    xz-utils
+    xxd
 rm -rf /var/lib/apt/lists/*
 EOF
 

packages/sdk/docker-bake.hcl

@@ -8,7 +8,7 @@ target "default" {
   args = {
     ALTO_VERSION                      = "1.2.5"
     ALTO_PACKAGE_VERSION              = "0.0.18"
-    CARTESI_BASE_IMAGE                = "docker.io/library/debian:trixie-20260112-slim@sha256:e9f1b0bda36daad09fcd6779f7af47191dbee4ff52f8903fffd15240eb986bd8"
+    CARTESI_BASE_IMAGE                = "dhi.io/debian-base:trixie@sha256:1244523a2f7b6c096c6f98ce0349df6798c775c57322c51f8a4982daf60c256c"
     CARTESI_DEVNET_VERSION            = "2.0.0-alpha.9"
     CARTESI_IMAGE_KERNEL_VERSION      = "0.20.0"
     CARTESI_LINUX_KERNEL_VERSION      = "6.5.13-ctsi-1-v0.20.0"
@@ -20,7 +20,9 @@ target "default" {
     NITRO_VERSION                     = "8c376d4a5baa7f32999620f9fe3eb51ca8e0dcbc" # v0.5
     NODE_VERSION                      = "24.12.0"
     NVM_VERSION                       = "977563e97ddc66facf3a8e31c6cff01d236f09bd" # 0.40.3
-    POSTGRES_BASE_IMAGE               = "docker.io/library/postgres:17-trixie@sha256:4ad49a4ba70130eab1de69bdd7a212d9c711e7410f10e1a23aae41a325b95093"
+    POSTGRES_MAJOR_VERSION            = "17"
+    POSTGRES_BASE_BUILD_IMAGE         = "docker.io/library/postgres:17-trixie@sha256:4ad49a4ba70130eab1de69bdd7a212d9c711e7410f10e1a23aae41a325b95093"
+    POSTGRES_BASE_RUNTIME_IMAGE       = "dhi.io/postgres:17-debian13@sha256:26f948cfcce91d18beef8193e61fdae529650b462e644916e9ab433261602cef"
     SQUASHFS_TOOLS_VERSION            = "bad1d213ab6df587d6fa0ef7286180fbf7b86167" # 4.7.4
     SU_EXEC_VERSION                   = "0.3"
     XGENEXT2_VERSION                  = "1.5.6"