From 3c1ed0a78b88bb2d212924aaa1f85c2b6305545e Mon Sep 17 00:00:00 2001
From: Bill Ballou <bill@bballou.com>
Date: Tue, 30 Dec 2025 16:50:32 -0500
Subject: [PATCH] Use pinned version tags, remove SHA256 digests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SHA256 digests are managed automatically by Renovate bot.
Images should use pinned version tags (never `latest`).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 SKILL.md               |  8 +++++---
 references/examples.md | 12 ++++++------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/SKILL.md b/SKILL.md
index 276c3a9..f5d9039 100644
--- a/SKILL.md
+++ b/SKILL.md
@@ -33,7 +33,7 @@ name: <project-name>
 services:
   <service-name>:
     container_name: <service_container>
-    image: <registry>/<image>:<version>@sha256:<digest>
+    image: <registry>/<image>:<version>
     environment:
       PUID: ${UID}
       PGID: ${GID}
@@ -57,10 +57,12 @@ networks:
 
 ### Key Patterns
 
-1. **Image pinning**: Use SHA256 digests for reproducibility
+1. **Image versioning**: Always use pinned version tags (never `latest`)
    ```yaml
-   image: ghcr.io/org/image:v1.0.0@sha256:abc123...
+   image: ghcr.io/org/image:v1.0.0
+   image: lscr.io/linuxserver/app:2.5.1
    ```
+   Note: SHA256 digests are managed automatically by Renovate bot and should not be added manually.
 
 2. **Port defaults**: Always provide defaults for ports
    ```yaml
diff --git a/references/examples.md b/references/examples.md
index 577a5a4..1414b99 100644
--- a/references/examples.md
+++ b/references/examples.md
@@ -42,7 +42,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: registry.redict.io/redict:7.3.6@sha256:2a99f322eed7...
+    image: registry.redict.io/redict:7.3.6
     restart: always
     volumes:
       - redis-data:/data
@@ -51,7 +51,7 @@ services:
 
   database:
     container_name: immich_postgres
-    image: ghcr.io/immich-app/postgres:16-vectorchord0.3.0@sha256:5b434f184ec...
+    image: ghcr.io/immich-app/postgres:16-vectorchord0.3.0
     environment:
       POSTGRES_PASSWORD: ${DB_PASSWORD}
       POSTGRES_USER: ${DB_USERNAME}
@@ -78,7 +78,7 @@ networks:
 ```yaml
 services:
   swag:
-    image: lscr.io/linuxserver/swag:5.2.2@sha256:c8afbd137c2f...
+    image: lscr.io/linuxserver/swag:5.2.2
     container_name: swag
     cap_add:
       - NET_ADMIN
@@ -116,7 +116,7 @@ networks:
 ```yaml
 services:
   jellyfin:
-    image: lscr.io/linuxserver/jellyfin:10.11.4@sha256:234ea8d508b2...
+    image: lscr.io/linuxserver/jellyfin:10.11.4
     container_name: jellyfin
     runtime: nvidia
     environment:
@@ -146,7 +146,7 @@ services:
 ```yaml
 services:
   deluge:
-    image: binhex/arch-delugevpn:latest@sha256:2ff474cba3af...
+    image: binhex/arch-delugevpn:2.1.2-2-01
     container_name: deluge
     cap_add:
       - NET_ADMIN
@@ -171,7 +171,7 @@ services:
 ```yaml
 services:
   database:
-    image: postgres:18.1@sha256:5ec39c188013...
+    image: postgres:18.1
     container_name: app-db
     restart: unless-stopped
     environment: