feat: add context-hash to image tags for TAD traceability\n\nEach image is now tagged with both:\n - <version> (mutable, used by deps.yaml)\n - <version>-<hash> (immutable, for audit trail)\n\nThe hash is the first 8 chars of the git tree SHA of the build\ncontext directory. It changes if and only if any file in that\ndirectory changes, providing deterministic, traceable tags."

Author: benzekrimaha

.github/workflows/build-mongodb-images.yaml

@@ -71,14 +71,29 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Compute context hash
+        id: context_hash
+        run: |
+          # Compute a short hash of the build-context directory tree.
+          # This changes if and only if any file inside the context changes,
+          # giving each image an immutable, traceable tag per TAD requirement.
+          TREE_HASH=$(git rev-parse HEAD:${{ matrix.context }})
+          SHORT_HASH=${TREE_HASH:0:8}
+          echo "hash=${SHORT_HASH}" >> "$GITHUB_OUTPUT"
+          echo "Context tree hash for ${{ matrix.name }}: ${TREE_HASH} (short: ${SHORT_HASH})"
+
       - name: Build tags
         id: tags
         run: |
+          # Mutable version tag (used by deps.yaml / deploy scripts)
           TAGS="${{ env.REGISTRY }}/${{ matrix.image }}:${{ matrix.semver_tag }}"
+          # Immutable version-context-hash tag (TAD traceability)
+          TAGS="${TAGS},${{ env.REGISTRY }}/${{ matrix.image }}:${{ matrix.semver_tag }}-${{ steps.context_hash.outputs.hash }}"
           if [[ -n "${{ matrix.minor_tag }}" ]]; then
             TAGS="${TAGS},${{ env.REGISTRY }}/${{ matrix.image }}:${{ matrix.minor_tag }}"
           fi
           echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
+          echo "Image tags: ${TAGS}"
 
       - name: Build and push (${{ matrix.name }})
         uses: docker/build-push-action@v5