ci/release: Add test for distroless non-root and fix hash (#44097)

phlax · phlax · commit f729cb7a6f43 · 2026-03-31T15:09:21.000+01:00
Signed-off-by: Ryan Northey &lt;ryan@synca.io&gt;
diff --git a/ci/do_ci.sh b/ci/do_ci.sh
@@ -861,6 +861,12 @@ case $CI_TARGET in
         ;;
 
     verify-distroless)
+        DISTROLESS_TEST_TARGET="${DISTROLESS_TEST_TARGET:-distroless-dev}"
+        distroless_user="$(docker inspect --format '{{.Config.User}}' envoyproxy/envoy:"${DISTROLESS_TEST_TARGET}")"
+        if [[ "$distroless_user" == 0 ]]; then
+            echo "FAIL: Distroless container uses the root user" >&2
+            exit 1
+        fi
         docker build -f ci/Dockerfile-distroless-testing --target=envoy-distroless -t distroless-testing .
         docker run --rm distroless-testing
         docker build -f ci/Dockerfile-distroless-testing --target=envoy-contrib-distroless -t distroless-contrib-testing .
diff --git a/distribution/docker/Dockerfile-envoy b/distribution/docker/Dockerfile-envoy
@@ -59,7 +59,7 @@ COPY --chown=0:0 --chmod=755 \
 
 
 # STAGE: envoy-distroless
-FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:c8430558b9a8688298c060ddc5e6f2993c8a092dee8a6b7058139ac8472e8ad0 AS envoy-distroless
+FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:177f4df07b055157cc1114033c1e531b251c8f7ef5ef17e1248dc3a52ec4de60 AS envoy-distroless
 EXPOSE 10000
 ENTRYPOINT ["/usr/local/bin/envoy"]
 CMD ["-c", "/etc/envoy/envoy.yaml"]
