Promote v4-beta to v4: ubuntu 24.04 LTS hook image bump #186

Merged
xnacly merged 2 commits into v4 from v4-beta on Jun 17, 2026

@xnacly xnacly commented Jun 16, 2026

Promotes v4-beta into v4. Current delta is the MILAB-6435 hook image base bump (#185).

Contents

  • docker/hook/Dockerfile: integration-tests hook image base ubuntu:20.04 -> ubuntu:24.04 (both stages).

Verification (local)

  • Image builds clean on 24.04.
  • aws --version -> aws-cli/2.35.5 ... exe/x86_64.ubuntu.24.
  • shasum --version -> 6.04.
  • Entrypoint unchanged: missing script skips with exit 0, real script executes.

Follow-up

After merge, 0-build-docker.yaml (push to master / manual dispatch) rebuilds the image to a new :<sha> tag. Consuming repos must repin the hook-image hash for the bump to take effect there.

Greptile Summary

This PR promotes the v4-beta branch into v4 by bumping the hook image base from ubuntu:20.04 to ubuntu:24.04 LTS in both stages of the multi-stage Dockerfile.

  • The builder stage (AWS CLI installer) and the final runtime stage are both updated to ubuntu:24.04; no other logic, packages, or entrypoint behavior changes.
  • The build workflow (0-build-docker.yaml) only triggers on pushes to master, so a manual workflow dispatch will be needed after merge to produce a new tagged image for consumers to repin — the PR description acknowledges this explicitly.

Confidence Score: 5/5

Safe to merge — the change is a two-line base image bump with no logic alterations, and the author verified the build locally including AWS CLI and shasum functionality.

The only finding is that both stages use a floating ubuntu:24.04 tag rather than a digest-pinned reference, which was already true of ubuntu:20.04 before this change. The Dockerfile structure, installed packages, and entrypoint are all unchanged.

No files require special attention. The sole changed file (docker/hook/Dockerfile) makes a minimal, well-scoped update.

Important Files Changed

| Filename | Overview |
| --- | --- |
| docker/hook/Dockerfile | Both builder and final stages bumped from ubuntu:20.04 to ubuntu:24.04; no other logic changes. libdigest-sha-perl and AWS CLI install remain identical. Base image uses a floating (non-digest-pinned) tag, which was already true before this change. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[PR merged into v4] --> B[0-build-docker.yaml\nmanual dispatch triggered]
    B --> C[Docker build\nubuntu:24.04 builder stage\nDownload + unzip AWS CLI]
    C --> D[Docker build\nubuntu:24.04 final stage\nInstall AWS CLI + libdigest-sha-perl]
    D --> E[Push image\nghcr.io/repo/hook:sha]
    E --> F[Consuming repos\nrepin hook-image hash]

Reviews (1): Last reviewed commit: "Merge pull request #185 from milaborator..."

Greptile also left 1 inline comment on this PR.

xnacly added 2 commits June 16, 2026 12:09
Moves the integration-tests hook image off the EOL ubuntu:20.04 base.
Verified locally: image builds, aws and shasum run, entrypoint behavior
unchanged.
…4lts

MILAB-6435: bump hook image base to ubuntu 24.04 LTS
Comment thread docker/hook/Dockerfile
Comment on lines 1 to +11
@@ -8,7 +8,7 @@ WORKDIR /installer

RUN unzip awscli.zip

FROM ubuntu:20.04
FROM ubuntu:24.04
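
Review bot: the final-stage `FROM ubuntu:24.04` is still a mutable tag, so the image that 0-build-docker.yaml rebuilds after merge depends on whatever the tag resolves to on build day rather than on the base that was verified locally. Pin it by digest (`FROM ubuntu:24.04@sha256:<digest>`, using the digest of the image that passed local verification), and since the description says the same base is named in both stages, consider declaring it once in an `ARG` above the first `FROM` so the builder and runtime stages cannot drift apart on the next bump.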

P2 Floating base image tag — non-reproducible builds

Both stages use ubuntu:24.04, a mutable floating tag. Docker will pull whatever that tag resolves to at build time, so two builds from the same commit can produce different images (e.g. if Canonical pushes a security update between builds). Pinning by digest (e.g. ubuntu:24.04@sha256:<digest>) would make builds fully reproducible. This was true for ubuntu:20.04 as well, so it's a pre-existing pattern rather than a regression introduced here.

@xnacly xnacly merged commit 4989c60 into v4 Jun 17, 2026
1 check passed
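
The digest-pinning point from the review comment above can be enforced mechanically in CI. The checker below is an added example, not code from this PR or the project; the function name `unpinned_bases`, the sample Dockerfile and its all-zero digest are constructed for illustration.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")  # immutable content address
VAR = re.compile(r"\$\{?(\w+)\}?")             # $NAME or ${NAME}

def unpinned_bases(dockerfile_text):
    """Return [(line_no, image)] for each FROM whose base is a mutable tag."""
    global_args, stages, findings = {}, set(), []
    seen_from = False
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword = parts[0].upper()
        if keyword == "ARG" and not seen_from:
            # Only ARGs declared before the first FROM are visible to FROM.
            name, _, default = parts[1].partition("=")
            global_args[name] = default
        elif keyword == "FROM":
            seen_from = True
            # Drop flags such as --platform=...; what remains is IMAGE [AS name].
            tokens = [p for p in parts[1:] if not p.startswith("--")]
            if not tokens:
                continue
            image = VAR.sub(lambda m: global_args.get(m.group(1), ""), tokens[0])
            # "scratch" and earlier build stages are never pulled from a registry.
            local = image == "scratch" or image.lower() in stages
            if not local and not DIGEST.search(image):
                findings.append((line_no, image))
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2].lower())
    return findings

# Constructed sample (not the project's Dockerfile): two stages on a floating
# tag as described in the review, a stage reference, and one pinned base.
FAKE_DIGEST = "0" * 64  # placeholder, not a real image digest
SAMPLE = f"""\
ARG BASE=ubuntu:24.04
FROM ubuntu:24.04 AS builder
WORKDIR /installer
RUN unzip awscli.zip
FROM --platform=linux/amd64 ${{BASE}} AS runtime
FROM builder AS from-stage
FROM ubuntu:24.04@sha256:{FAKE_DIGEST}
"""

if __name__ == "__main__":
    for line_no, image in unpinned_bases(SAMPLE):
        print(f"line {line_no}: {image} is not pinned by digest")
```

The `${NAME:-default}` form and quoted `ARG` defaults are not handled; a base supplied through such an `ARG` would need a fuller parser.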