Fail image build if composer checksum does not match. #241

Merged: 2 commits, Jun 30, 2021

Conversation

@marji (Contributor) commented Jun 16, 2021

This change ensures the image build fails when the downloaded composer does not match the SHA256 hash.

The current syntax does not actually check whether the hash is correct and always passes, even if the hash does not match. It can be proven by changing a digit in the COMPOSER_HASH_SHA256 variable and building the image.

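The failure mode this PR describes, as an added example that is neither the project's Dockerfile nor the PR's diff: a common way a "checksum line" ends up always passing is piping `echo "<hash>  <file>"` into `sha256sum` without `-c`, which only hashes the echoed string and exits 0, so the build continues whatever the hash says. The same line with `sha256sum -c -` exits non-zero on a mismatch, and a plain string comparison of the computed hash works where `-c` is unavailable. The stand-in file, the deliberately corrupted hash and the function names are constructed for the example; that this was the exact line in the project is an assumption.

```shell
#!/bin/sh
# Added example, not the lagoon-images Dockerfile: a sha256 check that fails
# on mismatch, beside the pattern that silently passes. Runs offline on a
# constructed file instead of a downloaded composer.phar.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
FILE="$WORKDIR/composer.phar"
printf 'constructed stand-in for composer.phar\n' > "$FILE"

# In a real build GOOD_HASH is the hard-coded COMPOSER_HASH_SHA256; here it is
# computed from the constructed file. BAD_HASH shifts every hex digit by one,
# which simulates the "change a digit" test from the PR description.
GOOD_HASH=$(sha256sum "$FILE" | cut -d' ' -f1)
BAD_HASH=$(printf '%s' "$GOOD_HASH" | tr '0123456789abcdef' '123456789abcdef0')

# The always-passing pattern (assumed form of the bug): sha256sum hashes the
# text on stdin and exits 0; nothing compares it to the expected value.
broken_check() {
  expected=$1; file=$2
  echo "$expected  $file" | sha256sum > /dev/null
}

# The fixed form: -c reads "hash  path" lines and exits non-zero on mismatch
# (GNU coreutils and busybox both accept "-" for stdin).
verify_sha256() {
  expected=$1; file=$2
  echo "$expected  $file" | sha256sum -c - > /dev/null 2>&1
}

# Equivalent check without -c, for shells or images whose sha256sum lacks it.
verify_sha256_portable() {
  expected=$1; file=$2
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

if broken_check "$BAD_HASH" "$FILE"; then
  echo "broken_check: wrong hash accepted (exit 0), build would continue"
fi
if verify_sha256 "$GOOD_HASH" "$FILE"; then
  echo "verify_sha256: good hash accepted"
fi
if ! verify_sha256 "$BAD_HASH" "$FILE"; then
  echo "verify_sha256: wrong hash rejected, a RUN step would fail here"
fi
```

In a Dockerfile the fixed form is one `RUN` step that chains the download and `echo "${COMPOSER_HASH_SHA256}  /path/to/composer" | sha256sum -c -` with `&&`, so a non-zero exit from `sha256sum -c` fails the image build; the check is only meaningful if the expected hash comes from a source other than the download itself.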
@tobybellwood (Member) commented

nice pickup - thanks @marji, I'll roll these in!

Whilst you're here - any thoughts on whether it makes sense to use the same method here we currently do for PHP8/Composer 2 - i.e. copy the binary across from the official docker images?

@marji (Contributor, Author) commented Jun 17, 2021

> nice pickup - thanks @marji, I'll roll these in!

Nice :)

> Whilst you're here - any thoughts on whether it makes sense to use the same method here we currently do for PHP8/Composer 2 - i.e. copy the binary across from the official docker images?

@tobybellwood I'm afraid I don't have any real-world experience with this to provide a valid opinion here.
One thing I'd consider is caching - I suspect the composer Docker image might get cached on the CI where the lagoon Docker image gets built, while the composer binary gets downloaded via curl on every single build. So if the image is cached, then using the copy method might be faster and greener ;) Though I know Docker Hub has rate limits in place for image downloads, while I believe GitHub has no rate limits in place for public projects. What a hard decision :)

@tobybellwood (Member) commented

Thanks! I suppose my question is really "if having the verified hash for composer is important for a user/customer, does downloading the tag from an official dockerhub repository meet the same criteria".

We could also implement the same hashing idea for Docker Hub image downloads,
e.g. FROM composer:1.10.22@sha256:1a23190ba2a9906aba20bb29079c7c231d4838a3944f93e2c5e5d91b93ceb636 - but that does limit us for multi-arch builds (as each arch has a different hash).

@tobybellwood tobybellwood merged commit 9e33c8e into uselagoon:main Jun 30, 2021
@marji marji deleted the sha256sum branch July 4, 2021 12:38