Support explicitly specifying an image by SHA digest, not just tag #448

Closed
baronfel opened this issue May 26, 2023 · 7 comments · Fixed by dotnet/sdk#44461

Comments

@baronfel
Member

Currently users cannot specify a ContainerBaseImage just by SHA digest. This means there is no real workaround for cases when our inference can't decipher a manifest list, or when an image doesn't provide individually-tagged OS/arch variants. We should unblock this and let users specify a digest. When a digest is specified we would skip right to blob download of the manifest json instead of pulling the tag config in order to find that same manifest. Every other part of image building should remain the same from that point onwards.

@BeyondEvil

It really bothers me that 1) this isn't already supported as it's a best practice for production images to use SHA and 2) that this only has two thumbs up (one is mine). 😱

We have a workaround. Basically a one-liner that creates a base image based on the SHA, but this really should be supported.

@baronfel
Member Author

As you mentioned, this hasn't been especially requested either by the community or our internal users (who prefer the 'float to latest' approach of the tooling today). I'd definitely love to take a PR implementing this feature, though!

@BeyondEvil

> As you mentioned, this hasn't been especially requested either by the community or our internal users (who prefer the 'float to latest' approach of the tooling today).

ooof, that makes me 😬

But maybe they don't use this in production? 🤷‍♂

> I'd definitely love to take a PR implementing this feature, though!

Where would I add that PR, seeing how this repo only seems to be documentation 😅

@baronfel
Member Author

The code for all of this is in the .NET SDK - though the MSBuild logic is in a subdirectory.

I think the core thing missing to enable this is around the parsing and validation that happens in the ParseContainerProperties Task.

I think we are already capable of recognizing the digest syntax for an image - but we need to provide that information to the rest of the Tasks, making it an Output of the ParseContainerProperties Task and making the CreateNewImage task take it as an input.

@BeyondEvil

> The code for all of this is in the .NET SDK - though the MSBuild logic is in a subdirectory.
>
> I think the core thing missing to enable this is around the parsing and validation that happens in the ParseContainerProperties Task.
>
> I think we are already capable of recognizing the digest syntax for an image - but we need to provide that information to the rest of the Tasks, making it an Output of the ParseContainerProperties Task and making the CreateNewImage task take it as an input.

Yeah, the SHA is prefixed with @, so if not already fixed it should be trivial to add it.
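
The parsing step discussed in the comments above, as an added example that is not part of the thread and not the .NET SDK's own code: it splits an image reference into registry, repository, tag and `@`-prefixed digest, validates the digest, and prefers the digest over the tag when choosing which manifest to fetch. `ImageReference`, `ImageReferenceParser` and the sample references are hypothetical names and constructed input.

```csharp
#nullable enable
using System;
using System.Text.RegularExpressions;
// Constructed sample input: the digest is 64 'a' characters, not a real image digest.
string pin = "sha256:" + new string('a', 64);
string[] samples = { "mcr.microsoft.com/dotnet/runtime:8.0",
                     $"mcr.microsoft.com/dotnet/runtime:8.0@{pin}",
                     $"localhost:5000/team/app@{pin}" };
foreach (string s in samples)
{
    ImageReference r = ImageReferenceParser.Parse(s);
    Console.WriteLine($"{r.Registry}/{r.Repository} pinned={r.IsPinned} fetch={r.ManifestReference}");
}

// Hypothetical types for illustration; not the .NET SDK's own parser.
public record ImageReference(string? Registry, string Repository, string? Tag, string? Digest)
{
    // A digest names exact content; a tag can be repointed at a different image later.
    public bool IsPinned => Digest is not null;
    // The digest wins when both are given; falling back to "latest" is an assumption of this example.
    public string ManifestReference => Digest ?? Tag ?? "latest";
}

public static class ImageReferenceParser
{
    // Only the sha256 form is accepted here: "sha256:" plus 64 lowercase hex characters.
    private static readonly Regex Sha256 = new(@"\Asha256:[0-9a-f]{64}\z", RegexOptions.CultureInvariant);
    public static ImageReference Parse(string reference)
    {
        string rest = reference;
        string? registry = null, tag = null, digest = null;
        int at = rest.LastIndexOf('@');
        if (at >= 0)
        {
            digest = rest[(at + 1)..];
            if (!Sha256.IsMatch(digest)) throw new FormatException($"Invalid digest in '{reference}'.");
            rest = rest[..at];
        }
        // A ':' after the last '/' separates the tag; an earlier ':' is a registry port.
        int colon = rest.LastIndexOf(':');
        if (colon > rest.LastIndexOf('/')) { tag = rest[(colon + 1)..]; rest = rest[..colon]; }
        // The first path component is a registry host if it contains '.' or ':' or is "localhost".
        int slash = rest.IndexOf('/');
        string head = slash > 0 ? rest[..slash] : "";
        if (head.Contains('.') || head.Contains(':') || head == "localhost") { registry = head; rest = rest[(slash + 1)..]; }
        if (rest.Length == 0) throw new FormatException($"No repository in '{reference}'.");
        return new ImageReference(registry, rest, tag, digest);
    }
}
```

A malformed digest is rejected rather than silently dropped, so a reference that was meant to be pinned never falls back to its floating tag.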

@BeyondEvil

BeyondEvil commented Oct 26, 2024

It's a start @baronfel

dotnet/sdk#44461

But I'm going to need guidance. I'm not a dotnet:er.

@scrocquesel-ml150

Hi, I upvote this issue too. Floating to latest doesn't allow for the repeatable, predictable CI process we had with a Dockerfile.
I also want to be able to use Dependabot/Renovate tools to automatically update the base image digest and keep my container image up to date without using a complex solution or having to build my app every night just in case.
