cilium / image-tools

Dockerfiles for cilium-runtime and cilium-builder dependencies

Bug: renovate is unable to track image updates (unsupported/unversioned value) #285

Closed auriaave closed 2 months ago

auriaave commented 4 months ago

Renovate is unable to track image updates. The startup-script image uses sha256 digests that seem unsupported. Versioning needs to be amended for renovate to take care of automatic updates.

Details

  1. Mar 26th: Image update scripts were replaced by renovate

  2. Mar 26th: Alpine image needed manual update

  3. June 26th: Alpine image needed manual update

  4. nodeinit image also needed manual update in cilium/cilium repo

When running LOG_LEVEL=debug renovate --platform=local on a local copy of the repository,

DEBUG: Dependency quay.io/cilium/image-compilers has unsupported/unversioned value 5569a29cea6b3ad50aeb03102aaf3dc03841197c (versioning=docker) (repository=local)
DEBUG: Dependency quay.io/cilium/image-tester has unsupported/unversioned value dd09c8d3ef349a909fbcdc99279516baef153f22 (versioning=docker) (repository=local)
DEBUG: Dependency quay.io/cilium/image-tester has unsupported/unversioned value dd09c8d3ef349a909fbcdc99279516baef153f22 (versioning=docker) (repository=local)
DEBUG: Dependency quay.io/cilium/image-compilers has unsupported/unversioned value 5569a29cea6b3ad50aeb03102aaf3dc03841197c (versioning=docker) (repository=local)
DEBUG: Dependency quay.io/cilium/image-tester has unsupported/unversioned value dd09c8d3ef349a909fbcdc99279516baef153f22 (versioning=docker) (repository=local)
DEBUG: Dependency gcr.io/go-containerregistry/crane has unsupported/unversioned value latest (versioning=docker) (repository=local)

Note: the repetition of debug messages is because multiple Dockerfiles contain the same images (e.g. images bpftool, compilers and llvm).

According to the docker versioning documentation for renovate,

Are commit hashes supported? No, Renovate ignores Docker image tags that look like a Git commit hash.

References

  1. https://github.com/cilium/cilium/pull/33427/files
  2. https://quay.io/repository/cilium/startup-script?tab=tags

Artyop commented 3 months ago

Since a unique repository is used to manage multiple different images, using the identifier (sha1) of a commit will force the update of every image every time one (or more) images need a tag bump.
That is why the first solution (used before renovate) was actually using the tree hash of the image's directory (sha256).

Renovate doesn't know how to sort SHA, as stated in this GitHub discussion: https://github.com/renovatebot/renovate/discussions/23459
More information on the way renovate reads SHA tags was found here: https://github.com/renovatebot/renovate/discussions/25849

Multiple approaches have been tested so far:
Using latest tag in order to bypass the need for renovate to sort any SHA tag.
Unfortunately, and contrary to what discussion 23459 states, Renovate doesn't seem to be able to read latest tags (tested locally, message was the same as the SHAs error message but with latest).

Setting up a proper semver mechanic would take a long time and add more maintenance to ensure the proper bumping of versions.

Fetching the last commit per directory using git log and extracting its timestamp could be the right way to go:
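
The per-directory idea from the comment above (last commit touching an image's directory, read with git log, plus its timestamp), as an added example that is not part of the original thread or the cilium/image-tools scripts. The function names and the `<timestamp>-<short hash>` tag format are assumptions of this example.

```shell
#!/bin/sh
# Added example: derive a per-directory image tag from git history.
# Function names and the tag format are assumptions, not the project's scripts.

# Print the committer timestamp (Unix seconds) of the last commit that
# touched the given directory. Fails if no commit touches it.
last_commit_ts() {
    dir=$1
    ts=$(git log -1 --format=%ct -- "$dir") || return 1
    [ -n "$ts" ] || { echo "no commits touch $dir" >&2; return 1; }
    printf '%s\n' "$ts"
}

# Print "<timestamp>-<short hash>" for the given directory.
# The timestamp part grows monotonically with new commits, so it sorts
# numerically; the hash part ties the tag back to an exact commit.
# A commit that only touches another directory leaves this tag unchanged.
image_tag() {
    dir=$1
    # Refuse to tag when the directory has uncommitted or untracked changes:
    # the built image would not match the commit named in the tag.
    if [ -n "$(git status --porcelain -- "$dir")" ]; then
        echo "uncommitted changes in $dir" >&2
        return 1
    fi
    tag=$(git log -1 --abbrev=7 --format=%ct-%h -- "$dir") || return 1
    [ -n "$tag" ] || { echo "no commits touch $dir" >&2; return 1; }
    printf '%s\n' "$tag"
}
```

Run from the repository root, for example `image_tag images/compilers` (a hypothetical path).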

Artyop commented 2 months ago

Had issues with auto-update of runtime and builder images in cilium/cilium; finally managed to fix those by changing the already existing workflows to update those in this PR: https://github.com/cilium/cilium/pull/34372

auriaave commented 2 months ago

I think this issue can be closed? Thank you for the fix!