chore(publish): pin docker base image refs

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[railway-app]

🚅 Deployed to the rivet-pr-4652 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
kitchen-sink	❌ Build Failed (View Logs)	Web	Apr 24, 2026 at 7:34 am
website	😴 Sleeping (View Logs)	Web	Apr 23, 2026 at 11:36 pm
ladle	❌ Build Failed (View Logs)	Web	Apr 14, 2026 at 9:35 pm
frontend-cloud	❌ Build Failed (View Logs)	Web	Apr 14, 2026 at 9:35 pm
frontend-inspector	❌ Build Failed (View Logs)	Web	Apr 14, 2026 at 9:35 pm
mcp-hub	✅ Success (View Logs)	Web	Apr 14, 2026 at 9:34 pm

[NathanFlurry]

• chore: rename sandbox -> kitchen sink #4671 : 2 dependent PRs (#4672 , #4673 )
• chore: configure TLS trust roots for rustls clients #4667
• fix(rivetkit): update config to match envoys & remove manager references #4663
• chore(publish): pin docker base image refs #4652 👈 (View in Graphite)
• chore(engine): publish engine bases in ci #4649 : 2 other dependent PRs (#4650 , #4666 )
• chore: lockfile lefthook #4647
• fix(rivetkit): surface native sqlite kv errors to callers #4645
• fix(rivetkit): prevent sleep races during disconnect and db work #4644
• fix(rivetkit): isolate engine envoys and propagate startup failures #4643
• test(rivetkit): remove wasm sqlite-only fixtures and coverage #4642
• chore(sqlite-vfs): remove wasm sqlite packages and workspace wiring #4641
• chore(rivetkit): remove wasm sqlite runtime #4614
• fix(sqlite-native): restore native startup kv preload #4639
• fix(sqlite-native): delete metadata before chunk range #4638
• fix(sqlite-native): keep truncate cache coherent #4637
• fix(sqlite-vfs): use delete range for truncate cleanup #4636
• fix(sqlite-native): restore kv error hook #4635
• perf(sqlite-native): avoid cloning cached read chunks #4634
• perf(sqlite-native): gate kv operation labels #4633
• perf(sqlite-native): reuse read cache for partial writes #4632
• perf(sqlite-native): remove delete file existence probe #4631
• fix(sqlite-native): gate native read cache behind env var #4630
• fix(pegboard): isolate runner config dc lookup failures #4625 : 1 other dependent PR (#4626 )
• docs(pegboard): note runner config upsert split write risk #4624
• fix(pegboard): unpack global runner config keys correctly #4623
• fix(pegboard-gateway): enforce tunnel message state #4622
• fix(pegboard-runner): clear terminal tunnel routes #4621
• fix(pegboard): skip protocol version keys in runner pool backfill #4620
• fix(pegboard): create missing normal runner configs #4619
• fix(epoxy): reuse cached optimistic value #4618
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR #4652 Review: chore(publish): pin docker base image refs

Overview

This PR changes how Docker base image tags are managed for CI builds:

1. Pins base image tags directly in Dockerfiles instead of passing them as build args from the CI environment.
2. Removes the engine-base-images CI job that published engine-specific base images per commit SHA -- engine bases are now also statically pinned.
3. Automates tag pinning in build-push.sh via a new pin_consumer_dockerfiles() function that updates all Dockerfiles on ./scripts/docker-builder-base/build-push.sh all --push.

---

Bug: engine-slim pattern is missing the stage alias

The update_from_line call for engine-base-runtime-slim in build-push.sh is inconsistent with the other engine calls -- it omits the AS engine-slim alias in both the grep pattern and the replacement.

The actual Dockerfile line is:

FROM ghcr.io/rivet-dev/rivet/engine-base-runtime-slim:a36b881 AS engine-slim

The grep check uses pattern ^FROM .*/engine-base-runtime-slim:[^[:space:]]+$ with end-of-line anchor. This fails to match because [^[:space:]]+ stops at the tag, leaving AS engine-slim unmatched before the $ anchor. By contrast, the engine-builder and engine-full calls correctly include the stage alias (AS builder, AS engine-full-base) in both pattern and replacement -- engine-slim inconsistently omits it.

The next run of ./scripts/docker-builder-base/build-push.sh all --push will error on this step and leave the engine Dockerfile partially updated.

Fix -- add the alias to both pattern and replacement for the slim stage.

---

CLAUDE.md is now stale

CLAUDE.md currently says:

Rebuild publish base images with scripts/docker-builder-base/build-push.sh <base-name|all> --push; update BASE_TAG when rebuilding shared builder bases, while engine bases are published per commit in publish.yaml.

Both instructions are outdated: BASE_TAG no longer exists, and engine bases are no longer published per commit. Should update to reflect the new flow (run all --push, the script auto-pins the Dockerfiles).

---

Minor observations

• Differing tags between builder and engine bases (0e33ceb98 vs a36b881) is expected since they have independent publish cadences, but a comment explaining the distinction would help future contributors.
• pin_consumer_dockerfiles cannot be called standalone -- it only runs on all --push, so rebuilding a single base still requires manually updating the Dockerfile. The updated end-of-script message communicates this adequately.

---

Summary

The core approach (pinning directly in Dockerfiles, automating updates via script) is a clear improvement over the previous env-var approach. The engine-slim alias mismatch is a real bug that will break the next all --push run and should be fixed before merge.