From 674e7a4075df845e4d9a97670d4031917ce8a1bd Mon Sep 17 00:00:00 2001 From: Aiden Grossman Date: Sat, 25 Oct 2025 03:12:50 +0000 Subject: [PATCH] [CI][Github] Add Fully Qualified Container Names to Best Practices Based on some recent discussion in #162007. Documenting this in the best practices page so we have something easy to point to in code review/reference for ourselves now that the repository has been cleaned up. --- llvm/docs/CIBestPractices.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/llvm/docs/CIBestPractices.rst b/llvm/docs/CIBestPractices.rst index da92ed3660e55..855e2ccac8ece 100644 --- a/llvm/docs/CIBestPractices.rst +++ b/llvm/docs/CIBestPractices.rst @@ -136,3 +136,20 @@ branches as follows: branches: - main - releases/* + +Container Best Practices +======================== + +This section contains best practices/guidelines when working with containers +for LLVM infrastructure. + +Using Fully Qualified Container Names +------------------------------------- + +When referencing container images from a registry, such as in Github Actions +workflows, or in ``Dockerfile`` files used for building images, prefer fully +qualified names (i.e., including the registry domain) over just the image. +For example, prefer ``docker.io/ubuntu:24.04`` over ``ubuntu:24.04``. This +ensures portability across systems where a different default registry might +be specified and also prevents attackers from changing the default registry +to pull in a malicious image instead of the intended one.
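Review bot: In the last sentence of the new "Using Fully Qualified Container Names" section, the security rationale ("prevents attackers from changing the default registry") does not say how an unqualified name gets resolved, so a reader cannot tell what is being protected against. Consider stating that a short name such as ``ubuntu:24.04`` is resolved through whatever default registry or registry search list the host or runner is configured with, so anyone who can influence that configuration decides which image is pulled, while a name that carries the registry domain is not subject to that lookup. The example ``docker.io/ubuntu:24.04`` also still relies on Docker Hub's implicit ``library/`` namespace for official images; ``docker.io/library/ubuntu:24.04`` would be the complete form if the intent is to leave nothing to client-side defaults. Two wording nits in the same paragraph: "Github Actions" should be "GitHub Actions", and "over just the image" reads better as "over just the image name".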