
fix(k8s): document image digest pinning for production deployments#1480

Open
dknos wants to merge 1 commit into NVIDIA:main from dknos:fix/k8s-image-digests-1436

Conversation

@dknos
Contributor

@dknos dknos commented Apr 4, 2026

Summary

  • Adds guidance for pinning container images by SHA256 digest in production K8s deployments
  • Mutable tags like :latest, :24-dind, :22 can drift unexpectedly, creating supply chain risk

Test plan

  • Verify K8s manifest still applies cleanly with kubectl apply --dry-run=client
  • Review comments for accuracy

Fixes #1436

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated container image references to use immutable, digest-pinned versions for enhanced stability and security in deployments.
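The drift risk described in the summary comes from tags being re-pointable while a digest names one exact image manifest. As an added example that is not part of this PR or the NemoClaw project, the checker below parses image references, accepts only well-formed sha256 digests, and scans a manifest for `image:` fields that still rely on a tag; the manifest excerpts and the digest value are constructed placeholders modelled on the three containers named above.

```python
import re

# A valid OCI digest: algorithm prefix plus 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# An 'image:' field on one manifest line, optionally quoted or written as a list item.
IMAGE_LINE_RE = re.compile(r"^-?\s*image:\s*['\"]?([^'\"\s]+)['\"]?$")


def parse_image_ref(ref):
    """Split 'name[:tag][@digest]' into parts (tag/digest are None when absent)."""
    name_tag, _, digest = ref.partition("@")
    # A ':' only introduces a tag when it comes after the last '/'; otherwise it is a registry port.
    last_slash, last_colon = name_tag.rfind("/"), name_tag.rfind(":")
    if last_colon > last_slash:
        return {"name": name_tag[:last_colon], "tag": name_tag[last_colon + 1:], "digest": digest or None}
    return {"name": name_tag, "tag": None, "digest": digest or None}


def is_digest_pinned(ref):
    """True only when the reference carries a well-formed sha256 digest.
    Once a digest is present the tag is informational: the runtime pulls by digest."""
    digest = parse_image_ref(ref)["digest"]
    return digest is not None and DIGEST_RE.match(digest) is not None


def find_unpinned_images(manifest_text):
    """Return [(line_no, ref), ...] for every image: field that is not digest-pinned.
    A bare name such as busybox implies the mutable :latest tag and is reported too."""
    findings = []
    for line_no, line in enumerate(manifest_text.splitlines(), 1):
        m = IMAGE_LINE_RE.match(line.split("#", 1)[0].strip())  # ignore trailing comments
        if m and not is_digest_pinned(m.group(1)):
            findings.append((line_no, m.group(1)))
    return findings


# Constructed excerpt using the three container images named in the PR; not the project's manifest.
MUTABLE_MANIFEST = """\
spec:
  initContainers:
    - name: init-docker-config
      image: busybox
  containers:
    - name: dind
      image: docker:24-dind
    - name: workspace
      image: "node:22"
"""
# Placeholder digest (constructed, not a real image digest); obtain real ones with `crane digest <ref>`.
PLACEHOLDER_DIGEST = "sha256:" + "0123456789abcdef" * 4
PINNED_MANIFEST = (MUTABLE_MANIFEST.replace("busybox", f"busybox@{PLACEHOLDER_DIGEST}")
                   .replace("docker:24-dind", f"docker:24-dind@{PLACEHOLDER_DIGEST}")
                   .replace("node:22", f"node:22@{PLACEHOLDER_DIGEST}"))

if __name__ == "__main__":
    for line_no, ref in find_unpinned_images(MUTABLE_MANIFEST):
        print(f"line {line_no}: {ref} is not digest-pinned")
    print("pinned manifest findings:", find_unpinned_images(PINNED_MANIFEST))
```

Running the scan in CI alongside the `kubectl apply --dry-run=client` step from the test plan catches a tag reintroduced by a later edit before it reaches production.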

@coderabbitai
Contributor

coderabbitai bot commented Apr 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2cd9b54c-9735-4e82-9b70-e2186e244bb9

📥 Commits

Reviewing files that changed from the base of the PR and between 60fb97f and d24731e.

📒 Files selected for processing (1)
  • k8s/nemoclaw-k8s.yaml
✅ Files skipped from review due to trivial changes (1)
  • k8s/nemoclaw-k8s.yaml

📝 Walkthrough

Walkthrough

The Kubernetes manifest was updated to pin container images by SHA256 digest instead of mutable tags. Three container image references (dind, workspace, and init-docker-config) were replaced with fully qualified, digest-pinned versions to eliminate tag mutability risks.

Changes

Cohort: Image Digest Pinning
File(s): k8s/nemoclaw-k8s.yaml
Summary: Replaced mutable image tags (docker:24-dind, node:22, busybox) with @sha256: digest-pinned equivalents for all three container specifications (dind, workspace, init-docker-config). No other Pod spec fields modified.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 Three images once roamed wild and free,
With mutable tags for all to see.
Now pinned by digest, safe and sound,
No supply chain tricks can be found.
Kubernetes pods sleep securely tonight! 📦✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: adding image digest pinning for production deployments, which aligns with the PR's objective to pin container images by SHA256 digest.
  • Linked Issues check: ✅ Passed. The pull request updates all three container images (docker:24-dind, node:22, busybox) to use SHA256 digest pinning, directly addressing issue #1436's requirement to eliminate mutable tag references.
  • Out of Scope Changes check: ✅ Passed. All changes are in-scope: only three container image references were updated to add SHA256 digests, with no modifications to other Pod spec fields, directly aligning with issue #1436.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@k8s/nemoclaw-k8s.yaml`:
- Line 29: Replace the mutable image tags in the k8s/nemoclaw-k8s.yaml manifest
with immutable image digests: locate the image: fields currently set to
docker:24-dind and the other two mutable tags and change them to fully qualified
references using the tag plus `@sha256`:<digest> (e.g. name:tag@sha256:...) or
split dev/prod manifests and pin only the production overlay; ensure the three
occurrences (the image: entries referenced in the comment) are updated so
deployments use the pinned digests rather than mutable tags.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 38afd286-483f-4169-8c73-eb06f57d5362

📥 Commits

Reviewing files that changed from the base of the PR and between c99e3e8 and 60fb97f.

📒 Files selected for processing (2)
  • k8s/nemoclaw-k8s.yaml
  • nemoclaw-blueprint/policies/presets/huggingface.yaml

Pin docker:24-dind, node:22, and busybox images by digest to prevent
supply chain drift from mutable tags.

Fixes NVIDIA#1436

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dknos dknos force-pushed the fix/k8s-image-digests-1436 branch from 60fb97f to d24731e Compare April 5, 2026 00:31
@dknos
Contributor Author

dknos commented Apr 5, 2026

Updated — images are now pinned by SHA256 digest. Removed out-of-scope huggingface.yaml change.

@dknos
Contributor Author

dknos commented Apr 6, 2026

@coderabbitai review

@coderabbitai
Contributor

coderabbitai bot commented Apr 6, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@wscurran wscurran added K8s Use this label to identify Kubernetes deployment issues with NemoClaw. fix documentation Improvements or additions to documentation labels Apr 6, 2026
Contributor Author

@dknos dknos left a comment


Confirmed resolved: all three container image references in k8s/nemoclaw-k8s.yaml now use @sha256: digest pinning (docker:24-dind, node:22, busybox). Comments about digest pinning have been replaced with actual pinned image fields. CodeRabbit's latest re-review marked the file as trivially changed with no actionable comments.

@dknos
Contributor Author

dknos commented Apr 6, 2026

@coderabbitai review

@coderabbitai
Contributor

coderabbitai bot commented Apr 6, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


Development

Successfully merging this pull request may close these issues.

K8s Manifest Images Not Pinned by Digest — Mutable Tag References - IssueFinder - SN 12

3 participants