Support dependabot updates of docker images referencing cypress-docker-images

[anscfrisson]

I have configured dependabot updates of cypress-docker-images in a private repository:

• .github/dependabot.yml:

  version: 2
  updates:
  - package-ecosystem: "docker" # See documentation for possible values
    directories:
      - "/docker/chrome/"
      - "/docker/firefox/"
    schedule:
      interval: daily
    commit-message:
      prefix: "build(deps): browser"
    labels:
      - "dependabot"

• docker/chrome/Dockerfile

  FROM cypress/browsers:node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1

• docker/firefox/Dockerfile

  FROM cypress/browsers:node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1

  (browsers with separate docker files each with separate cypress/browsers tags as our cypress tests may break independently with web browser version updates even if these versions are supported by cypress, but that's not the issue here)

Dependabot runs include:

• for docker/chrome/Dockerfile

  updater | 2024/11/19 16:37:01 INFO <job_919438816> Checking if cypress/browsers node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1 needs updating
  ...
  updater | 2024/11/19 16:37:02 INFO <job_919438816> Latest version is 
  node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1
  updater | 2024/11/19 16:37:02 INFO <job_919438816> No update needed for cypress/browsers 
  node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1

• for docker/firefox/Dockerfile

  updater | 2024/11/19 16:37:02 INFO <job_919438816> Checking if cypress/browsers 
  node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1 needs updating
  ...
  updater | 2024/11/19 16:37:03 INFO <job_919438816> Latest version is 
  node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1
  updater | 2024/11/19 16:37:03 INFO <job_919438816> No update needed for cypress/browsers 
  node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1

  Dependabot should have proposed to update node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge- 30.0.2849.56-1 to node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1 for docker/firefox/Dockerfile.

From https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker

In order for Dependabot to fetch Docker metadata, maintainers of Docker images must add the org.opencontainers.image.source label to their Dockerfile, and include the URL of the source repository. Additionally, maintainers must tag the repository with the same tags as the published Docker images. For an example, see the dependabot-fixtures/docker-with-source repository. For more information on Docker labels, see Extension image labels and BUILDX_GIT_LABELS in the Docker documentation.

Would it be possible to support dependabot updates of cypress-docker-images, by, as in dependabot-fixtures/docker-with-source, 1) adding org.opencontainers.image.source labels to Dockerfiles and 2) tagging the repository with the same tags as the published Docker images?

[MikeMcC399]

@anscfrisson

Would it be possible to support dependabot updates of cypress-docker-images, by, as in dependabot-fixtures/docker-with-source, 1) adding org.opencontainers.image.source labels to Dockerfiles and 2) tagging the repository with the same tags as the published Docker images?

For Cypress Docker images to support GitHub Dependabot version updates would require a re-design of the whole Cypress Docker image creation and publication process as far as I can see.

1) adding org.opencontainers.image.source labels to Dockerfiles

Cypress Docker images do not have a 1:1 relationship to a specific Dockerfile.

2) tagging the repository with the same tags as the published Docker images?

Reading the Dependabot documentation it seems that tags would need to be semver compliant and I assume it would mean creating separate GitHub repos to correspond to each of the Docker Hub repos factory, base, browsers and included, which are currently fed from this one GitHub repo.

[anscfrisson]

Thanks @MikeMcC399 for the update!

I understand that supporting dependabot for cypress-docker-images might then not be planned soon as it requires a re-design?

Would there be other opportunities from the list of dependabot package-ecosystem to auto-update browsers supported by cypress?

For instance:

• relying on a npm/yarn package that would at minimum reference browsers versions?
• referencing web browsers tags as git submodules?

Then to fetch browsers there are options:

• https://github.com/browser-actions/ for chrome and firefox and edge but https://github.com/browser-actions/setup-edge does not support semver for edge-version parameter
• https://github.com/puppeteer/puppeteer/tree/main/packages/browsers for chrome and firefox only
• both solutions above install chrome for testing compatible with cypress once https://github.com/cypress-io/cypress/issues/28554 is resolved

[MikeMcC399]

@anscfrisson

I understand that supporting dependabot for cypress-docker-images might then not be planned soon as it requires a re-design?

You can assume that there are no major enhancements planned unless the Cypress.io team announces them.

Would there be other opportunities from the list of dependabot package-ecosystem to auto-update browsers supported by cypress?

I don't see any simple way to use Dependabot. If you are not tied to Dependabot, you may want to look at https://docs.renovatebot.com/docker/ which is able to update cypress/factory, cypress/base and cypress/included (short-form tag only) as these tags use semver formats.

[MikeMcC399]

It would be possible to extend this scheme also to cypress/browsers. This would be similar to the way that CircleCI handles tagging. I will submit a separate enhancement request to describe this so that it could be used with Renovate.

[anscfrisson]

Thanks @MikeMcC399 for the tip, I'll look into renovatebot, and for the opportunity to extends its support to cypress/browsers.

[MikeMcC399]

@anscfrisson

It seems I was too optimistic in thinking that the Renovate Docker implementation would help in GitHub Actions. Reading the docs, GitHub Actions aren't listed. CircleCI is listed however, so it would have some benefit.