Pinning a Docker Image to a Specific Version

 If you're using the Docker executor, your image contents may change if you specify an image tag, such as `circleci/ruby:2.4-node` or `node:latest`. If you believe one of these images changed between two of your jobs, you can confirm this by comparing the image Secure Hashing Algorithm ID (SHA-256) in the two jobs. This is printed in the "spin up environment" section.

CircleCI and other image maintainers may introduce changes that change the contents of a tag like `2.4-node` or `latest`. Usually, this is done to fix bugs or introduce newer versions of essential software, like git and package managers for a language.

You can pin your job to run with a specific image SHA-256, which will guarantee the image won't change unless you update it yourself. This is done by removing the tag (e.g `latest`) and replacing it with the SHA-256 of the image, prefixed with `@sha256:`

docker:  - imagecircleci/ruby@sha256:4be65b406f7402b5c4fd5df7173d2fd7ea3fdaa74d9c43b6ebd896197a45c448