[llvm] [CI][Github] Add Fully Qualified Container Names to Best Practices (PR #165067)

Aiden Grossman via llvm-commits llvm-commits at lists.llvm.org
Fri Oct 24 20:14:20 PDT 2025


https://github.com/boomanaiden154 created https://github.com/llvm/llvm-project/pull/165067

Based on some recent discussion in #162007. Documenting this in the best practices page so we have something easy to point to in code review/reference for ourselves now that the repository has been cleaned up.

>From 674e7a4075df845e4d9a97670d4031917ce8a1bd Mon Sep 17 00:00:00 2001
From: Aiden Grossman <aidengrossman at google.com>
Date: Sat, 25 Oct 2025 03:12:50 +0000
Subject: [PATCH] [CI][Github] Add Fully Qualified Container Names to Best
 Practices

Based on some recent discussion in #162007. Documenting this in the best
practices page so we have something easy to point to in code
review/reference for ourselves now that the repository has been cleaned
up.
---
 llvm/docs/CIBestPractices.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/llvm/docs/CIBestPractices.rst b/llvm/docs/CIBestPractices.rst
index da92ed3660e55..855e2ccac8ece 100644
--- a/llvm/docs/CIBestPractices.rst
+++ b/llvm/docs/CIBestPractices.rst
@@ -136,3 +136,20 @@ branches as follows:
     branches:
       - main
       - releases/*
+
+Container Best Practices
+========================
+
+This section contains best practices/guidelines when working with containers
+for LLVM infrastructure.
+
+Using Fully Qualified Container Names
+-------------------------------------
+
+When referencing container images from a registry, such as in Github Actions
+workflows, or in ``Dockerfile`` files used for building images, prefer fully
+qualified names (i.e., including the registry domain) over just the image.
+For example, prefer ``docker.io/ubuntu:24.04`` over ``ubuntu:24.04``. This
+ensures portability across systems where a different default registry might
+be specified and also prevents attackers from changing the default registry
+to pull in a malicious image instead of the intended one.
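
Review bot: The closing sentence of the new "Using Fully Qualified Container Names" subsection overstates the guarantee. A fully qualified name does not prevent anyone from changing the default registry; it makes the reference independent of that setting. Consider wording along the lines of "and ensures that a changed default registry cannot redirect the pull to a malicious image instead of the intended one". The qualified name also only fixes which registry is contacted: the example docker.io/ubuntu:24.04 still refers to the image by tag, so if the section is meant to cover image substitution more broadly, it would help to say whether pinning by digest is expected or deliberately out of scope here. Minor: "Github Actions" should be spelled "GitHub Actions", and "over just the image" reads more clearly as "over just the image name".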


