dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Bump `docker` image references in GitHub Actions workflow #5541

Open APN-Pucky opened 2 years ago

APN-Pucky commented 2 years ago

Instead of running github workflows or gitlab-ci on a :latest docker image, using fixed versions provides better stability. It would therefore be awesome if dependabot could create pull requests with a bumped (but not :latest) image for a ci-setup.

I guess getting the versions of docker images from dockerhub is already implemented for the "docker" mode which bumps Dockerfiles.

Cheers APN

jeffwidman commented 2 years ago

If I understand correctly, you're saying that:

  1. you've got a dockerfile that you use in your CI setup.
  2. you'd like to pin that dockerfile to a specific version rather than latest.
  3. you'd like Dependabot to watch for newer versions of that dockerfile and then open PRs to bump the version.

If so, then yes, Dependabot already does this... you just have to configure the docker ecosystem in your dependabot.yml file: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem

Closing as I think we already do what you want, but if I misunderstood please clarify and I can re-open.

APN-Pucky commented 2 years ago

Maybe I am misunderstanding but the docker ecosystem only bumps Dockerfiles, right?

Maybe I can clarify my idea with an example. In this workflow I use my own image from dockerhub: apnpucky/ubuntu-pip:20220726175949 https://github.com/APN-Pucky/smpl/blob/2d71c838f6c223101cebb95eb88530c318f8ae6a/.github/workflows/devel.yml#L15

And I'd like to get a PR to bump to the current version apnpucky/ubuntu-pip:20220822235034

I guess an easy workaround would be to have an actual Dockerfile in the repository that is used and gets bumped via the docker ecosystem.

jeffwidman commented 2 years ago

Ah, I see what you're looking for... yeah, adding a placeholder Dockerfile is probably the easiest workaround right now.

APN-Pucky commented 2 years ago

I tried my workaround, but I can't get github workflows to use a local Dockerfile and it seems to be impossible (cf. https://stackoverflow.com/questions/61154750/use-local-dockerfile-in-a-github-action). I confused github workflows (no Dockerfile) with github container actions (Dockerfile, but only for the action), therefore I'd suggest reopening the feature request, unless there are other ways?

APN-Pucky commented 2 years ago

This is also linked to the following TODOs:

https://github.com/dependabot/dependabot-core/blob/69f01216272caf466775d3391ed981795e2aa9d7/github_actions/lib/dependabot/github_actions/file_updater.rb#L59
https://github.com/dependabot/dependabot-core/blob/69f01216272caf466775d3391ed981795e2aa9d7/github_actions/lib/dependabot/github_actions/file_parser.rb#L46

though they refer to steps with uses: docker://... and not image containers for all steps (https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsuses).
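The distinction drawn in the comment above, between job-level `container:` / `services:` images and step-level `uses: docker://` references, in working code. This is an added example, not part of the issue thread or of dependabot-core: a small Ruby script that walks a workflow file, collects every image reference from those three places, and flags the ones that are not pinned (no tag, a `:latest` tag, and no digest). The sample workflow is constructed for the example and its image names are illustrative only.

```ruby
require "yaml"

# Constructed sample workflow (not from the issue). It contains the three kinds of
# image reference discussed in the thread: a job-level `container: image:`, a
# `services:` image, and step-level `uses: docker://...` references.
SAMPLE_WORKFLOW = <<~YAML
  name: devel
  jobs:
    build:
      runs-on: ubuntu-latest
      container:
        image: apnpucky/ubuntu-pip:20220726175949
      services:
        db:
          image: postgres
      steps:
        - uses: actions/checkout@v3
        - uses: docker://alpine:latest
        - name: lint
          uses: docker://ghcr.io/example/linter:1.2.3
YAML

# One image reference found in the workflow, with where it was found.
ImageRef = Struct.new(:location, :image, :tag, :digest) do
  # A reference is considered pinned when it carries a digest, or a tag that
  # is not the floating `latest`.
  def pinned?
    !digest.nil? || (!tag.nil? && tag != "latest")
  end
end

# Split "registry/repo[:tag][@sha256:digest]" into its parts. Only a ":" in the
# last path component is a tag; one in an earlier component is a registry port.
def parse_image(location, ref)
  image_part, digest = ref.split("@", 2)
  slash = image_part.rindex("/")
  last = slash ? image_part[(slash + 1)..] : image_part
  if last.include?(":")
    name_tail, tag = last.split(":", 2)
    name = slash ? image_part[0..slash] + name_tail : name_tail
  else
    name = image_part
    tag = nil
  end
  ImageRef.new(location, name, tag, digest)
end

# Collect every image reference in a workflow document, in file order.
def image_refs(workflow_yaml)
  doc = YAML.safe_load(workflow_yaml)
  refs = []
  (doc["jobs"] || {}).each do |job_id, job|
    # `container:` may be a plain string or a mapping with an `image:` key.
    container = job["container"]
    container_image = container.is_a?(Hash) ? container["image"] : container
    refs << parse_image("jobs.#{job_id}.container", container_image) if container_image

    (job["services"] || {}).each do |svc, cfg|
      img = cfg.is_a?(Hash) ? cfg["image"] : cfg
      refs << parse_image("jobs.#{job_id}.services.#{svc}", img) if img
    end

    # Only `uses:` values with the docker:// scheme are image references;
    # `owner/repo@ref` actions are a different kind of dependency.
    (job["steps"] || []).each_with_index do |step, i|
      uses = step["uses"]
      next unless uses.is_a?(String) && uses.start_with?("docker://")
      refs << parse_image("jobs.#{job_id}.steps[#{i}]", uses.delete_prefix("docker://"))
    end
  end
  refs
end

# References a reviewer would want pinned before merging the workflow.
def unpinned_refs(workflow_yaml)
  image_refs(workflow_yaml).reject(&:pinned?)
end

if __FILE__ == $PROGRAM_NAME
  unpinned_refs(SAMPLE_WORKFLOW).each do |r|
    puts "#{r.location}: #{r.image} (tag=#{r.tag.inspect}, digest=#{r.digest.inspect}) is not pinned"
  end
end
```

Run against the sample it reports the `postgres` service (no tag) and the `docker://alpine:latest` step, while the timestamp-tagged container image and the `linter:1.2.3` step pass. Checking for a digest as well as a tag matters because a tag can be re-pointed at a different image, whereas a digest cannot.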

jeffwidman commented 1 year ago

Related, as almost but not quite a duplicate: