Docker Image locking #37

@boukeversteegh

Description

Lock default versions to specific image hashes, to make command upgrades explicit.

Why:

Last week all major official Docker Hub images were updated and their existing tags replaced. This has broken the --shell integration tests for several commands.

For example, golang:1.16 now uses alpine3.15, whereas before it may have been 3.14 or even a different Linux distro (it's not actually possible to know what was used before).

This reveals that specifying versions (or even tags) is not enough to guarantee reproducibility, i.e. dockerized may work well one day and be broken another. Differences between systems may also occur, depending on which image was present locally for a given tag.

Functional requirements

  • Commands that are included with dockerized are locked to specific image digests
  • The .env file is still readable and intuitive, i.e. GO_VERSION=1.17.8 and not GO_VERSION=f837w389875t0438r
  • The versions are locked to the same digest for all users (so not determined upon first use, but included in the release)
  • A way for maintainers to upgrade the digest of a version

Technical implementation

Todo.

  • A lock file will probably make the most sense
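An added sketch (not dockerized's own code) of how a lock file could satisfy the requirements above: the .env keeps human-readable versions, a separate lock file carries the digests shipped with the release, and a version with no lock entry is reported rather than silently resolved to whatever the tag points to today. The command table, both file formats and the digest value are assumptions.

```python
import re

# Constructed sample inputs (not the dockerized project's own files): a readable
# .env, and a lock file that maps image:tag to the digest shipped with a release.
ENV_TEXT = "GO_VERSION=1.17.8\nNODE_VERSION=16.14.0\n"
DIGEST_GO = "sha256:" + "cd" * 32  # constructed placeholder, not a real digest
LOCK_TEXT = f"# image:tag digest (maintainers edit this line to upgrade)\ngolang:1.17.8 {DIGEST_GO}\n"

# Hypothetical command -> (image, .env variable) table.
COMMANDS = {"go": ("golang", "GO_VERSION"), "node": ("node", "NODE_VERSION")}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def _lines(text):
    """Stripped lines, skipping blanks and # comments."""
    return [l for l in map(str.strip, text.splitlines()) if l and not l.startswith("#")]


def parse_env(text):
    """KEY=value lines; the value stays a readable version string, never a digest."""
    env = {}
    for line in _lines(text):
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def parse_lock(text):
    """'image:tag digest' lines; a malformed digest is rejected when the file is loaded."""
    lock = {}
    for line in _lines(text):
        ref, digest = line.split()
        if not DIGEST_RE.match(digest):
            raise ValueError(f"bad digest for {ref}: {digest}")
        lock[ref] = digest
    return lock


def resolve_all(env, lock):
    """Pin each command to image:tag@digest. Versions with no lock entry are
    returned separately so the caller can refuse them instead of pulling a
    tag whose content may have changed since the release."""
    pinned, unlocked = {}, []
    for cmd, (image, var) in COMMANDS.items():
        ref = f"{image}:{env[var]}"
        if ref in lock:
            pinned[cmd] = f"{ref}@{lock[ref]}"
        else:
            unlocked.append(ref)
    return pinned, unlocked
```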

Out of scope

These features can be considered for a future iteration:

  • Per user and per project locked versions.
  • Version locking of ad hoc specified versions (e.g. dockerized go:1.16 would then lock go 1.16 to a particular digest, 'forever')
