
security(frontend): digest-pin obol-stack-front-end v0.1.23 #468

Closed
bussyjd wants to merge 1 commit into main from chore/digest-pin-frontend-v0.1.23

@bussyjd bussyjd commented May 12, 2026

Summary

  • Pins the frontend image by sha256 digest in addition to the v0.1.23 tag.
  • New value: obolnetwork/obol-stack-front-end:v0.1.23@sha256:950b887e1cbaca9f928ff7b449b5602ed9777b629b4ee1b9c4c91fac2d74c2f2
  • Eliminates the mutable-tag attack surface flagged as a non-blocking follow-up by the supply-chain review of v0.10.0-rc2.

Why

A floating tag (v0.1.23) could be re-pushed in the upstream registry, and the cluster would silently pick up the new content on the next image pull. Digest pinning makes the cluster's image content cryptographically reproducible. The tag is kept for human readability; the digest is authoritative for the runtime.

Multi-arch index digest covers linux/amd64 and linux/arm64. Verified locally with helm template obol/obol-app@0.1.1 — the resulting image: field is a legal OCI reference (name:tag@digest).

Test plan

  • Lint and Test Charts CI green
  • CodeQL CI green
  • After merge, obol stack up should pull obolnetwork/obol-stack-front-end@sha256:950b... on first reconcile and the pod should become Ready
  • Roll into the next RC (likely v0.10.0-rc3)

Not self-merging

Per feedback_main_merge_gates.md (in Claude memory): "never merge to main without flows-green AND a second human reviewer." Leaving merge to a maintainer.

Switch the frontend image reference from tag-only ("v0.1.23") to
tag+digest ("v0.1.23@sha256:950b887e1cbaca9f928ff7b449b5602ed9777b629b4ee1b9c4c91fac2d74c2f2").
The tag stays for human readability; the digest is authoritative.

Eliminates the mutable-tag attack surface flagged as a non-blocking
follow-up by the supply-chain review of v0.10.0-rc2. Multi-arch index
digest covers linux/amd64 and linux/arm64.

Renders to a valid OCI reference via the obol/obol-app chart
"obol-app.image" helper (verified locally with helm template).
bussyjd commented May 12, 2026

Maintainer hand-off

This PR is staged at the merge gate set by feedback_main_merge_gates.md and cannot be auto-merged from an autonomous session. Everything before the gate is done:

Pre-merge artifacts

  • Integration branch: integration/frontend-bumps-2026-05-12 (HEAD 8a897f1) — a --no-ff merge of this PR onto current main (2cb0462). Pushed to origin.
  • Local build/tests on integration branch:
    • go build ./... — clean
    • go test ./internal/embed/... — pass (includes embed_image_pin_test.go allow-list)
  • CI on PR HEAD: lint-test pass; CodeQL Analyze (actions/javascript-typescript/python) pass; CodeQL Analyze (go) running — see top of the PR for live status.

Supply-chain verification

  • Digest sha256:950b887e1cbaca9f928ff7b449b5602ed9777b629b4ee1b9c4c91fac2d74c2f2 independently fetched from Docker Hub (registry-1.docker.io/v2/obolnetwork/obol-stack-front-end/manifests/v0.1.23), confirmed as the OCI image index.
  • Manifests inside the index:
    • linux/amd64: sha256:66ad578dddfc097e90fd0c60219b486cce467c38c4dd9704e95e42a0b4548042
    • linux/arm64: sha256:d6cbe996407ef5cb9ae825df65b2af605a710e843ccd2acf712fa831405f15d9
  • Helm render of obol/obol-app@0.1.1 with the new value produces a valid OCI reference: obolnetwork/obol-stack-front-end:v0.1.23@sha256:950b…74c2f2 (tag informational, digest authoritative).

Two gates left (per feedback_main_merge_gates.md)

  1. Flows-green receipts (at minimum flow-11 USDC Base Sepolia + flow-14 live OBOL Permit2) on this PR HEAD or on the integration branch.
  2. Second human reviewer approval.

Once both gates are satisfied, this PR can be merged and a new RC cut. Suggested next tag: v0.10.0-rc3 at the resulting main commit. The release workflow (.github/workflows/release.yml) will auto-create a draft; rewrite the body per .github/release-template.md before publishing.

Why digest-pin specifically

Mutable tags allow a registry-credential compromise to silently swap image contents under the same v0.1.23 tag on the next pull. Digest pinning makes the cluster's image content cryptographically reproducible. This was the only non-blocking follow-up flagged GREEN by the supply-chain review of v0.10.0-rc2.
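
Added example, not part of this PR or of the project's code: a Go sketch of the two checks the comment above describes, rejecting references that are not digest-pinned and confirming that manifest bytes served by a registry hash to the pinned digest. The function names, the simplified reference pattern (no registry host:port form), and the sample manifest and image name are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Simplified name[:tag]@sha256:<64 hex> matcher (no registry host:port form).
var pinnedRef = regexp.MustCompile(
	`^([a-z0-9]+(?:[._/-][a-z0-9]+)*)(?::([\w][\w.-]{0,127}))?@sha256:([0-9a-f]{64})$`)

// ParsePinned splits a digest-pinned reference; tag-only references are errors.
func ParsePinned(ref string) (name, tag, digest string, err error) {
	m := pinnedRef.FindStringSubmatch(ref)
	if m == nil {
		return "", "", "", fmt.Errorf("not digest-pinned: %q", ref)
	}
	return m[1], m[2], m[3], nil
}

// DigestOf hashes manifest bytes exactly as served; re-encoded JSON differs.
func DigestOf(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// VerifyPinned checks that the served manifest is the content the pin names.
func VerifyPinned(ref string, body []byte) error {
	_, _, want, err := ParsePinned(ref)
	if err != nil {
		return err
	}
	if got := DigestOf(body); got != want {
		return fmt.Errorf("digest mismatch: pinned %s, served %s", want, got)
	}
	return nil
}

func main() {
	// Constructed sample index body and image name, not the project's manifest.
	body := []byte(`{"schemaVersion":2,"manifests":[]}`)
	ref := "example/app:v1.0.0@sha256:" + DigestOf(body)
	fmt.Println("pinned, untouched:", VerifyPinned(ref, body))
	fmt.Println("pinned, re-pushed:", VerifyPinned(ref, append(body, '\n')))
	fmt.Println("tag only:         ", VerifyPinned("example/app:v1.0.0", body))
}
```

The tag plays no part in the comparison, which is why a re-push under the same tag is caught: only the bytes behind the digest decide the result.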

bussyjd commented May 12, 2026

Superseded by #482, which bumps the frontend to v0.1.24-rc2 AND applies the same digest-pin pattern in one commit. Closing this stale-at-v0.1.23 PR.
