Pinning a Docker Image to a Specific Version

Overview 

If you're using the Docker executor, your image contents may change if you specify an image tag, such as cimg/ruby:3.2.2 or node:latest.

Pinning the Docker image to a specific version is generally recommended, as this will prevent newer versions from being pulled and potentially causing issues, or security compromises, without any code change from the development side.

If you believe one of these images changed between two of your jobs, you can confirm this by comparing the image's SHA-256 (Secure Hash Algorithm) ID in the two jobs.

This is printed in the output of the Spin up environment build step.

CircleCI and other image maintainers may make changes that alter the contents of a tag like 3.2.2-browsers or latest. Usually, this is done to fix bugs or introduce newer versions of essential software, like git and package managers for a language.

How to Pin your image to use a specific SHA

You can pin your job to run with a specific image SHA-256, which guarantees the image won't change unless you update it yourself. To do this, remove the tag (e.g. latest) and replace it with the SHA-256 of the image, prefixed with @sha256:, rather than the image tag seen in our Developer Hub:

docker:
  - image: cimg/ruby@sha256:fa15234a551a1777d9e63d036bf1305679f7a2c0d5882810598831b0550d81aa
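
To find images that are still referenced by tag, the following added example (not CircleCI's own code) scans a config for image: keys and reports every reference that is not pinned with @sha256:. The sample config and the function names are constructed for illustration, and the line-based scan assumes each image: key names a Docker image.

```python
import re

# Constructed sample config; the digest is the one shown in this article.
SAMPLE_CONFIG = """\
version: 2.1
jobs:
  build:
    docker:
      - image: cimg/ruby@sha256:fa15234a551a1777d9e63d036bf1305679f7a2c0d5882810598831b0550d81aa
      - image: cimg/ruby:3.2.2
  test:
    docker:
      - image: node:latest
      - image: "localhost:5000/tools/lint"   # registry port, no tag
"""

IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^'\"\s#]+)")
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def classify(ref):
    """Return 'digest', 'tag', 'untagged' or 'bad-digest' for an image reference."""
    name, sep, digest = ref.partition("@")
    if sep:
        return "digest" if DIGEST.match(digest) else "bad-digest"
    # A colon only marks a tag if it comes after the last '/';
    # before that it is a registry port (localhost:5000/tools/lint).
    last_component = name.rsplit("/", 1)[-1]
    return "tag" if ":" in last_component else "untagged"


def audit(config_text):
    """Return (line_number, image_ref, classification) for every image: key."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = IMAGE_LINE.match(line)
        if match:
            findings.append((lineno, match.group(1), classify(match.group(1))))
    return findings


def unpinned(config_text):
    """Return only the findings whose contents can change without a config edit."""
    return [f for f in audit(config_text) if f[2] != "digest"]


if __name__ == "__main__":
    for lineno, ref, kind in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {ref} -> {kind}")
```

An untagged reference is reported separately from a tagged one because it resolves to latest implicitly.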

 
