No pull request is created if a digest SHA is used to identify a docker-image

[ingogriebsch]

Package ecosystem
docker

Package manager version
n/a

Language version
n/a

Manifest location and content prior to update
Dockerfile.txt

FROM openjdk:11-jre-slim@sha256:9223f8e5033f47c86323d31aa98a3779c4edd89d92194287f04e2f5391fd9ac1

ENV JAVA_TOOL_OPTIONS=""
ENV SERVER_PORT=8080

COPY ${project.build.finalName}.jar /${project.build.finalName}.jar

EXPOSE 8080

RUN adduser --system exec

USER exec

ENTRYPOINT ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/${project.build.finalName}.jar"]

dependabot.yml content
dependabot.yml.txt

version: 2
updates:
- package-ecosystem: docker
directory: "/src/assembly/docker"
schedule:
interval: daily
time: "01:00"
open-pull-requests-limit: 10

Updated dependency
Based on the information on hub.docker-com from Nov 16, 2021

openjdk:11-jre-slim@sha256:5352ab50afd260ab429b2debf82b3a5ba52b0785acff983f0f847798463871ab

What you expected to see, versus what you actually saw
I would expect that a pull request is created which is changing the SHA digest to the version that is available through hub.docker.com.

Native package manager behavior
n/a

Images of the diff or a link to the PR, issue or logs

proxy | time="2021-11-16T01:08:56Z" level=info msg="proxy starting" commit=d5f262668736016da1a91e42cb4fba36a081bddf
proxy | 2021/11/16 01:08:56 Listening (:1080)
updater | 2021-11-16T01:08:56.459542996 [anonymous-instance:main:WARN:src/firecracker/src/main.rs:370] You are using a deprecated parameter: --seccomp-level 2, that will be removed in a future version.
updater | 2021-11-16T01:08:56.482486950 [233159402:main:WARN:src/devices/src/legacy/serial.rs:432] Detached the serial input due to peer close/error.
updater | time="2021-11-16T01:08:58Z" level=info msg="guest starting" commit=aca5609d0a3f160d4065a3c391d9a0e3c36b620d
updater | time="2021-11-16T01:08:58Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=233159402 updater_timeout=45m0s updater_version=0.166.0-6eea28a15de585bcd28ef1877265e46598e3a339
updater | I, [2021-11-16T01:08:59.451688 #7] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | warning: parser/current is loading parser/ruby27, which recognizes
updater | warning: 2.7.4-compliant syntax, but you are running 2.7.1.
updater | warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO <job_233159402> Starting job processing
proxy | 2021/11/16 01:09:01 [002] GET https://api.github.com:443/repos/some-org/some-repo
proxy | 2021/11/16 01:09:01 [002] * authenticating github api request
proxy | 2021/11/16 01:09:02 [002] 200 https://api.github.com:443/repos/some-org/some-repo
proxy | 2021/11/16 01:09:02 [004] GET https://api.github.com:443/repos/some-org/some-repo/git/refs/heads/development
proxy | 2021/11/16 01:09:02 [004] * authenticating github api request
proxy | 2021/11/16 01:09:02 [004] 200 https://api.github.com:443/repos/some-org/some-repo/git/refs/heads/development
proxy | 2021/11/16 01:09:02 [006] GET https://api.github.com:443/repos/some-org/some-repo/contents/src/assembly/docker?ref=5940b0c8c19679a7f65db392be25b5d87791a25e
proxy | 2021/11/16 01:09:02 [006] * authenticating github api request
proxy | 2021/11/16 01:09:02 [006] 200 https://api.github.com:443/repos/some-org/some-repo/contents/src/assembly/docker?ref=5940b0c8c19679a7f65db392be25b5d87791a25e
proxy | 2021/11/16 01:09:02 [008] GET https://api.github.com:443/repos/some-org/some-repo/contents/src/assembly/docker/Dockerfile?ref=5940b0c8c19679a7f65db392be25b5d87791a25e
proxy | 2021/11/16 01:09:02 [008] * authenticating github api request
proxy | 2021/11/16 01:09:03 [008] 200 https://api.github.com:443/repos/some-org/some-repo/contents/src/assembly/docker/Dockerfile?ref=5940b0c8c19679a7f65db392be25b5d87791a25e
updater | INFO <job_233159402> Finished job processing
updater | time="2021-11-16T01:09:03Z" level=info msg="task complete" container_id=job-233159402-file-fetcher exit_code=0 job_id=233159402 step=fetcher
updater | I, [2021-11-16T01:09:04.161896 #9] INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | warning: parser/current is loading parser/ruby27, which recognizes
updater | warning: 2.7.4-compliant syntax, but you are running 2.7.1.
updater | warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO <job_233159402> Starting job processing
updater | INFO <job_233159402> Starting update job for some-org/some-repo
updater | INFO <job_233159402> Checking if openjdk 11-jre-slim needs updating
proxy | 2021/11/16 01:09:06 [012] GET https://registry.hub.docker.com:443/v2/library/openjdk/tags/list
proxy | 2021/11/16 01:09:06 [012] 401 https://registry.hub.docker.com:443/v2/library/openjdk/tags/list
proxy | 2021/11/16 01:09:06 [014] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:06 [014] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:06 [016] GET https://registry.hub.docker.com:443/v2/library/openjdk/tags/list
proxy | 2021/11/16 01:09:08 [016] 200 https://registry.hub.docker.com:443/v2/library/openjdk/tags/list
proxy | 2021/11/16 01:09:08 [018] HEAD https://registry.hub.docker.com:443/v2/library/openjdk/manifests/latest
proxy | 2021/11/16 01:09:08 [018] 401 https://registry.hub.docker.com:443/v2/library/openjdk/manifests/latest
proxy | 2021/11/16 01:09:08 [020] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:08 [020] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:08 [022] HEAD https://registry.hub.docker.com:443/v2/library/openjdk/manifests/latest
proxy | 2021/11/16 01:09:08 [022] 200 https://registry.hub.docker.com:443/v2/library/openjdk/manifests/latest
proxy | 2021/11/16 01:09:08 [024] HEAD https://registry.hub.docker.com:443/v2/library/openjdk/manifests/18
proxy | 2021/11/16 01:09:08 [024] 401 https://registry.hub.docker.com:443/v2/library/openjdk/manifests/18
proxy | 2021/11/16 01:09:08 [026] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:08 [026] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:08 [028] HEAD https://registry.hub.docker.com:443/v2/library/openjdk/manifests/18
proxy | 2021/11/16 01:09:08 [028] 200 https://registry.hub.docker.com:443/v2/library/openjdk/manifests/18
proxy | 2021/11/16 01:09:08 [030] HEAD https://registry.hub.docker.com:443/v2/library/openjdk/manifests/17.0.1
proxy | 2021/11/16 01:09:08 [030] 401 https://registry.hub.docker.com:443/v2/library/openjdk/manifests/17.0.1
proxy | 2021/11/16 01:09:08 [032] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:08 [032] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:08 [034] HEAD https://registry.hub.docker.com:443/v2/library/openjdk/manifests/17.0.1
proxy | 2021/11/16 01:09:08 [034] 200 https://registry.hub.docker.com:443/v2/library/openjdk/manifests/17.0.1
updater | INFO <job_233159402> Latest version is 11-jre-slim
proxy | 2021/11/16 01:09:08 [036] HEAD https://registry.hub.docker.com:443/v2/library/openjdk/manifests/11-jre-slim
proxy | 2021/11/16 01:09:08 [036] 401 https://registry.hub.docker.com:443/v2/library/openjdk/manifests/11-jre-slim
proxy | 2021/11/16 01:09:08 [038] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:08 [038] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fopenjdk%3Apull
proxy | 2021/11/16 01:09:09 [040] HEAD https://registry.hub.docker.com:443/v2/library/openjdk/manifests/11-jre-slim
proxy | 2021/11/16 01:09:09 [040] 200 https://registry.hub.docker.com:443/v2/library/openjdk/manifests/11-jre-slim
updater | INFO <job_233159402> No update needed for openjdk 11-jre-slim
updater | INFO <job_233159402> Finished job processing
updater | time="2021-11-16T01:09:09Z" level=info msg="task complete" container_id=job-233159402-updater exit_code=0 job_id=233159402 step=updater

🕹 Bonus points: Smallest manifest that reproduces the issue
https://github.com/gbtec-ag/dependabot-docker-sha-digest-issue

[alexrashed]

I am experiencing the same issue. My code to reproduce the issue can be found here: https://github.com/alexrashed/dependabot-sha-digest-update.

My Dockerfile pins an an outdated sha digest of the manifest-list for python:3.8.12-slim-buster:

FROM python:3.8.12-slim-buster@sha256:d328c165606db4773f8242972ae82c2f7312478a5071090a768d0e9fc63fab51

At the time of writing the digest is as follows:

$ docker buildx imagetools inspect docker.io/library/python:3.8.12-slim-buster
Name:      docker.io/library/python:3.8.12-slim-buster
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest:    sha256:7f35e171f098e3c3560db36aa68f0b3370ded7417d3473268deffd34090f8ac8
...

My config disables minor and major updates, but it should still update patch versions:

DependaBot config

version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "python"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"

Unfortunately, no PR (to update the sha digest to the newest version while keeping the python version untouched) is created:

DependaBot logs

  proxy | time="2021-11-25T10:10:04Z" level=info msg="proxy starting" commit=d5f262668736016da1a91e42cb4fba36a081bddf
  proxy | 2021/11/25 10:10:04 Listening (:1080)
updater | 2021-11-25T10:10:04.618141764 [anonymous-instance:main:WARN:src/firecracker/src/main.rs:370] You are using a deprecated parameter: --seccomp-level 2, that will be removed in a future version.
updater | 2021-11-25T10:10:04.711316461 [236843067:main:WARN:src/devices/src/legacy/serial.rs:432] Detached the serial input due to peer close/error.
updater | time="2021-11-25T10:10:08Z" level=info msg="guest starting" commit=8e918e4cf121d74a5b43e170ec4a717c1df98819
updater | time="2021-11-25T10:10:08Z" level=info msg="starting job..." fetcher_timeout=5m0s job_id=236843067 updater_timeout=45m0s updater_version=0.169.0-7f07eb9e9cd5f416ce3f1811197c67c9e914b2ce
updater | I, [2021-11-25T10:10:11.756674 #7]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | warning: parser/current is loading parser/ruby27, which recognizes
updater | warning: 2.7.4-compliant syntax, but you are running 2.7.1.
updater | warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO <job_236843067> Starting job processing
  proxy | 2021/11/25 10:10:18 [002] GET https://api.github.com:443/repos/alexrashed/dependabot-sha-digest-update
  proxy | 2021/11/25 10:10:18 [002] * authenticating github api request
  proxy | 2021/11/25 10:10:18 [002] 200 https://api.github.com:443/repos/alexrashed/dependabot-sha-digest-update
  proxy | 2021/11/25 10:10:18 [004] GET https://api.github.com:443/repos/alexrashed/dependabot-sha-digest-update/git/refs/heads/main
  proxy | 2021/11/25 10:10:18 [004] * authenticating github api request
  proxy | 2021/11/25 10:10:19 [004] 200 https://api.github.com:443/repos/alexrashed/dependabot-sha-digest-update/git/refs/heads/main
  proxy | 2021/11/25 10:10:19 [006] GET https://api.github.com:443/repos/alexrashed/dependabot-sha-digest-update/contents/?ref=1bf53ca3cc35842c98dd67409c38d555e341d2b2
  proxy | 2021/11/25 10:10:19 [006] * authenticating github api request
  proxy | 2021/11/25 10:10:19 [006] 200 https://api.github.com:443/repos/alexrashed/dependabot-sha-digest-update/contents/?ref=1bf53ca3cc35842c98dd67409c38d555e341d2b2
  proxy | 2021/11/25 10:10:19 [008] GET https://api.github.com:443/repos/alexrashed/dependabot-sha-digest-update/contents/Dockerfile?ref=1bf53ca3cc35842c98dd67409c38d555e341d2b2
  proxy | 2021/11/25 10:10:19 [008] * authenticating github api request
  proxy | 2021/11/25 10:10:19 [008] 200 https://api.github.com:443/repos/alexrashed/dependabot-sha-digest-update/contents/Dockerfile?ref=1bf53ca3cc35842c98dd67409c38d555e341d2b2
updater | INFO <job_236843067> Finished job processing
updater | time="2021-11-25T10:10:19Z" level=info msg="task complete" container_id=job-236843067-file-fetcher exit_code=0 job_id=236843067 step=fetcher
updater | I, [2021-11-25T10:10:21.539134 #6]  INFO -- sentry: ** [Raven] Raven 3.1.2 ready to catch errors
updater | warning: parser/current is loading parser/ruby27, which recognizes
updater | warning: 2.7.4-compliant syntax, but you are running 2.7.1.
updater | warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
updater | INFO <job_236843067> Starting job processing
updater | INFO <job_236843067> Starting update job for alexrashed/dependabot-sha-digest-update
updater | INFO <job_236843067> Checking if python 3.8.12-slim-buster needs updating
updater | INFO <job_236843067> Ignored versions:
updater | INFO <job_236843067>   version-update:semver-major - from .github/dependabot.yml
updater | INFO <job_236843067>   version-update:semver-minor - from .github/dependabot.yml
  proxy | 2021/11/25 10:10:24 [012] GET https://registry.hub.docker.com:443/v2/library/python/tags/list
  proxy | 2021/11/25 10:10:24 [012] 401 https://registry.hub.docker.com:443/v2/library/python/tags/list
  proxy | 2021/11/25 10:10:24 [014] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:24 [014] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:24 [016] GET https://registry.hub.docker.com:443/v2/library/python/tags/list
  proxy | 2021/11/25 10:10:25 [016] 200 https://registry.hub.docker.com:443/v2/library/python/tags/list
  proxy | 2021/11/25 10:10:25 [018] HEAD https://registry.hub.docker.com:443/v2/library/python/manifests/latest
  proxy | 2021/11/25 10:10:25 [018] 401 https://registry.hub.docker.com:443/v2/library/python/manifests/latest
  proxy | 2021/11/25 10:10:25 [020] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:25 [020] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:25 [022] HEAD https://registry.hub.docker.com:443/v2/library/python/manifests/latest
  proxy | 2021/11/25 10:10:25 [022] 200 https://registry.hub.docker.com:443/v2/library/python/manifests/latest
  proxy | 2021/11/25 10:10:25 [024] HEAD https://registry.hub.docker.com:443/v2/library/python/manifests/3.11.0a2
  proxy | 2021/11/25 10:10:25 [024] 401 https://registry.hub.docker.com:443/v2/library/python/manifests/3.11.0a2
  proxy | 2021/11/25 10:10:25 [026] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:25 [026] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:25 [028] HEAD https://registry.hub.docker.com:443/v2/library/python/manifests/3.11.0a2
  proxy | 2021/11/25 10:10:25 [028] 200 https://registry.hub.docker.com:443/v2/library/python/manifests/3.11.0a2
  proxy | 2021/11/25 10:10:25 [030] HEAD https://registry.hub.docker.com:443/v2/library/python/manifests/3.11.0a1
  proxy | 2021/11/25 10:10:25 [030] 401 https://registry.hub.docker.com:443/v2/library/python/manifests/3.11.0a1
  proxy | 2021/11/25 10:10:25 [032] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:25 [032] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:25 [034] HEAD https://registry.hub.docker.com:443/v2/library/python/manifests/3.11.0a1
  proxy | 2021/11/25 10:10:26 [034] 200 https://registry.hub.docker.com:443/v2/library/python/manifests/3.11.0a1
  proxy | 2021/11/25 10:10:26 [036] HEAD https://registry.hub.docker.com:443/v2/library/python/manifests/3.10.0
  proxy | 2021/11/25 10:10:26 [036] 401 https://registry.hub.docker.com:443/v2/library/python/manifests/3.10.0
  proxy | 2021/11/25 10:10:26 [038] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:26 [038] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Alibrary%2Fpython%3Apull
  proxy | 2021/11/25 10:10:26 [040] HEAD https://registry.hub.docker.com:443/v2/library/python/manifests/3.10.0
  proxy | 2021/11/25 10:10:26 [040] 200 https://registry.hub.docker.com:443/v2/library/python/manifests/3.10.0
updater | INFO <job_236843067> All updates for python were ignored
updater | INFO <job_236843067> Finished job processing
updater | time="2021-11-25T10:10:29Z" level=info msg="task complete" container_id=job-236843067-updater exit_code=0 job_id=236843067 step=updater

[dmivankov]

Another datapoint is it was working up to at least Sep 30 2021,
images identified by FROM ..imagename:sometag@digest were receiving dependabot updates when sometag remained same in container registry but newer image was pushed there with new digest.

For example distroless java images have :11 tag for java-11-based images in https://github.com/GoogleContainerTools/distroless
The tag should be treated about same as :latest and receive updates from dependabot.

[dmivankov]

Dependabot logs contain

updater | INFO <job_...> Latest version is 11
updater | INFO <job_...> Pull request already exists for distroless/java with latest version 11
updater | INFO <job_...> Finished job processing

[dmivankov]

I seems that the issue has been resolved now

[ingogriebsch]

I seems that the issue has been resolved now

How do you come to that conclusion?

[dmivankov]

started receiving dependabot updates for a moving tag image. There was tag change (moved to other image), first update to that PR causing dependabot update might have been just luck (being the first dependabot PR for that tag), but then more updates for that tag followed. Maybe it got resolved only for newly added image-tag settings?

[ingogriebsch]

@dmivankov Thanks for the info. I will check on our side as well if it is working (again). :)

[yeikel]

Hi team,

Do you have any update about this?

[jeffwidman]

@ingogriebsch are you still seeing problems here or can this be closed?

[alxgomz]

still seeing similar behavior here with a tag which was updated upstream 3 month ago.

[JensMadsen]

I see same behaviour as well

[deivid-rodriguez]

I just tried this and it seems to be working as expected.

For example, I created a Dockerfile using

# Sha of 8.1.11, second-last release
FROM php:8.1@sha256:c5dcd377b75ca89f40a7b4284c05c58be4cd43d089f83af1333e56bde33d579f

And it properly upgraded it to

# Sha of 8.1.12, latest release
FROM php:8.1@sha256:68661bd9a3e149bd6c0d8a8c04b49d115165f3233cb8d4c30ae4ccd2b952446f

Maybe I'm misunderstanding the issue reported here?

[dhirschfeld]

Maybe I'm misunderstanding the issue reported here?

Does it work if you don't include the tag at all?

FROM php@sha256:c5dcd377b75ca89f40a7b4284c05c58be4cd43d089f83af1333e56bde33d579f

[deivid-rodriguez]

No, that hangs actually, so that must be the issue!

[dhirschfeld]

Good to know there's a workaround to include a tag alongside the sha - will have to try that out...

[JensMadsen]

I saw missing update with FROM node:16-alpine@sha256:8569c8f07454ec42501e5e40a680e49d3f9aabab91a6c149e309bac63a3c8d54

[deivid-rodriguez]

Just tried that and I got a proper update, maybe it was some transient issue. I'll keep this issue for the sha256 without tag case, but if you can reproduce the other issue reliably, please reach out!

[esuarez-n26]

I still see this issue as well for FROM library/python:3.9.15-slim-bullseye@sha256:abae63851cda52addbf1efa19b8e6eec4a61724f0bb9ea1363d56791b5be59cb

Current Digest SHA:

$ docker pull library/python:3.9.15-slim-bullseye
3.9.15-slim-bullseye: Pulling from library/python
f3ac85625e76: Pull complete
edbd8719487c: Pull complete
59d075b8f678: Pull complete
d98dc5cb025b: Pull complete
194f8b51ed63: Pull complete
Digest: sha256:9ef969a374118f28a61261e2b018a7f9debcc0dc1342481bd8b8693c1457f46d
Status: Downloaded newer image for python:3.9.15-slim-bullseye
docker.io/library/python:3.9.15-slim-bullseye

[deivid-rodriguez]

I tried that and I got an update to FROM library/python:3.11.0-slim-bullseye@sha256:1cd45c5dad845af18d71745c017325725dc979571c1bbe625b67e6051533716c, which seems correct to me.

Are you using any ignore conditions to not bump the minor and patch versions? If that's the case, you're looking for #6115.

[esuarez-n26]

Yes, I have this ignore rule:

    ignore:
      - dependency-name: "library/python"
        versions: [ ">=3.10.0" ]

I've tried also with semver ignore rule for major and minor, same result

[deivid-rodriguez]

Right, I will also verify ignoring specific version ranges too when I wrap up the fix at #6115.

[esuarez-n26]

@deivid-rodriguez , not sure if we are talking about the same issue. The problem here is that if an image with the same tag is republished to the Docker registry, Dependabot should open a PR updating the Dockerfile with the new hash (this can help to keep the OS packages updated, etc...), but that's not happening. Not sure if your proposed PRs tackle that particular problem. I might be missing something, but they seem more related to be able to adapt to different version strategies. Could be?

[deivid-rodriguez]

I think my PR should tackle that particular problem, yes. But I will double check when I'm able to get back to it.

[dhirschfeld]

Good to know there's a workaround to include a tag alongside the sha - will have to try that out...

I tried including the tag in my FROM statement, alongside the digest but I still can't get dependabot to issue an update. My config:

ARG BASE_IMAGE=ubuntu
ARG BASE_TAG=22.04
ARG BASE_DIGEST=sha256:817cfe4672284dcbfee885b1a66094fd907630d610cab329114d036716be49ba

FROM $BASE_IMAGE:$BASE_TAG@$BASE_DIGEST

I'm using variables as they're reused for multiple stages. I suspect that it may be that indirection confusing dependabot but it would be good to have confirmation, and if so, it can perhaps serve as a test case to support for any future fix.

[abdulapopoola]

@deivid-rodriguez ; did the PR resolve this issue please?

[deivid-rodriguez]

The PR is not yet merged, but it does resolve the issue. There's still some feedback to be addressed in there, and I also found some new spec failures after rebasing it. So it still needs some work.