[llvm] fd804f0 - [CI][Github] Add Fully Qualified Container Names to Best Practices (#165067)

[via llvm-commits]

Author: Aiden Grossman
Date: 2025-10-25T10:06:30-07:00
New Revision: fd804f076d117bc1d0a8751ef7ad44132a03453e

URL: https://github.com/llvm/llvm-project/commit/fd804f076d117bc1d0a8751ef7ad44132a03453e
DIFF: https://github.com/llvm/llvm-project/commit/fd804f076d117bc1d0a8751ef7ad44132a03453e.diff

LOG: [CI][Github] Add Fully Qualified Container Names to Best Practices (#165067)

Based on some recent discussion in #162007. Documenting this in the best
practices page so we have something easy to point to in code
review/reference for ourselves now that the repository has been cleaned
up.

Added: 
    

Modified: 
    llvm/docs/CIBestPractices.rst

Removed: 
    


################################################################################
diff  --git a/llvm/docs/CIBestPractices.rst b/llvm/docs/CIBestPractices.rst
index da92ed3660e55..855e2ccac8ece 100644
--- a/llvm/docs/CIBestPractices.rst
+++ b/llvm/docs/CIBestPractices.rst
@@ -136,3 +136,20 @@ branches as follows:
     branches:
       - main
       - releases/*
+
+Container Best Practices
+========================
+
+This section contains best practices/guidelines when working with containers
+for LLVM infrastructure.
+
+Using Fully Qualified Container Names
+-------------------------------------
+
+When referencing container images from a registry, such as in Github Actions
+workflows, or in ``Dockerfile`` files used for building images, prefer fully
+qualified names (i.e., including the registry domain) over just the image.
+For example, prefer ``docker.io/ubuntu:24.04`` over ``ubuntu:24.04``. This
+ensures portability across systems where a 
diff erent default registry might
+be specified and also prevents attackers from changing the default registry
+to pull in a malicious image instead of the intended one.