dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Docker image with multiple architectures is updated to the same `hash` #7144

Open yeikel opened 1 year ago

yeikel commented 1 year ago

Is there an existing issue for this?

Package ecosystem

docker

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update


# https://github.com/zulu-openjdk/zulu-openjdk/blob/7e5fcfad3a22416db51719e4d80ca07004ac2f91/17-jre-headless-latest/Dockerfile
# https://hub.docker.com/r/azul/zulu-openjdk/tags?page=1&name=17-jre-headless

FROM azul/zulu-openjdk@sha256:59fe77a0432aa1393d3b8c8d0cf39b551c2516e899508fa809346b1fe9966d13 as zulu-amd64
FROM azul/zulu-openjdk@sha256:6292231e5fb042c01caa573f6ffeeb5da1b9c82586bff6086770b8ea42575cc7 as zulu-arm64

dependabot.yml content


version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

azul/zulu-openjdk

What you expected to see, versus what you actually saw

Expected:

I was hoping that dependabot would be able to filter the updates based on the architecture

What I saw:

A single pull request updating both architectures to the same version e63e4ba2e7d3fdc47bcc67c64a854914887f9c5fc3b3208ebc03d5c4f2d955bc


diff --git a/Dockerfile b/Dockerfile
index df1fcae..fdd24ab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # https://github.com/zulu-openjdk/zulu-openjdk/blob/7e5fcfad3a22416db51719e4d80ca07004ac2f91/17-jre-headless-latest/Dockerfile
 # https://hub.docker.com/r/azul/zulu-openjdk/tags?page=1&name=17-jre-headless

-FROM azul/zulu-openjdk@sha256:59fe77a0432aa1393d3b8c8d0cf39b551c2516e899508fa809346b1fe9966d13 as zulu-amd64
-FROM azul/zulu-openjdk@sha256:6292231e5fb042c01caa573f6ffeeb5da1b9c82586bff6086770b8ea42575cc7 as zulu-arm64
+FROM azul/zulu-openjdk@sha256:e63e4ba2e7d3fdc47bcc67c64a854914887f9c5fc3b3208ebc03d5c4f2d955bc as zulu-amd64
+FROM azul/zulu-openjdk@sha256:e63e4ba2e7d3fdc47bcc67c64a854914887f9c5fc3b3208ebc03d5c4f2d955bc as zulu-arm64
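Review bot: the two added lines pin the identical digest e63e4ba2… for both `zulu-amd64` and `zulu-arm64`, while the removed lines pinned two distinct digests, one per architecture. A single digest identifies one artifact, so at least one of these aliases no longer names the architecture-specific image its name claims, and what each stage actually builds now depends on whether that digest is a manifest list or a single-platform image. The updater should resolve each `FROM` line to the new digest for the platform of the digest it replaces, and leave the line unchanged when it cannot determine that platform, rather than assigning one digest to both stages.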

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

Pull request

https://github.com/yeikel/dependabot-playground/pull/66/files

Smallest manifest that reproduces the issue


# https://github.com/zulu-openjdk/zulu-openjdk/blob/7e5fcfad3a22416db51719e4d80ca07004ac2f91/17-jre-headless-latest/Dockerfile
# https://hub.docker.com/r/azul/zulu-openjdk/tags?page=1&name=17-jre-headless

FROM azul/zulu-openjdk@sha256:59fe77a0432aa1393d3b8c8d0cf39b551c2516e899508fa809346b1fe9966d13 as zulu-amd64
FROM azul/zulu-openjdk@sha256:6292231e5fb042c01caa573f6ffeeb5da1b9c82586bff6086770b8ea42575cc7 as zulu-arm64
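As an added example (not code from the issue or from dependabot-core): a check for the pattern reported above, run over the FROM lines of the Dockerfile before and after the PR. It parses digest-pinned FROM lines, flags a digest shared by stages whose aliases declare different architectures, and compares each stage's declared architecture with a caller-supplied digest-to-platform map. The function names and the PLATFORMS map are constructed for the example; the map stands in for a manifest-list lookup rather than querying the registry.

```python
import re
from collections import defaultdict

# Digest-pinned FROM lines, e.g. "FROM azul/zulu-openjdk@sha256:<64 hex> as zulu-amd64"
# (registry-with-port forms such as host:5000/img are deliberately not handled).
FROM_RE = re.compile(
    r"^\s*FROM\s+(?P<image>[^\s@:]+(?::[^\s@]+)?)@(?P<digest>sha256:[0-9a-f]{64})"
    r"(?:\s+AS\s+(?P<alias>\S+))?\s*$", re.IGNORECASE)
# Architecture declared in the stage alias, e.g. "zulu-amd64" -> amd64
ARCH_RE = re.compile(r"(?<![a-z0-9])(amd64|arm64|armv7|ppc64le|s390x|386)(?![a-z0-9])", re.I)

def parse_from_lines(dockerfile: str) -> list:
    """One record per digest-pinned FROM line: image, digest, alias, declared arch (or None)."""
    stages = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        alias = m.group("alias") or ""
        arch = ARCH_RE.search(alias)
        stages.append({"image": m.group("image"), "digest": m.group("digest").lower(),
                       "alias": alias, "arch": arch.group(1).lower() if arch else None})
    return stages

def find_collapsed_arch_pins(dockerfile: str) -> list:
    """Flag a digest shared by stages that declare different architectures (the #7144 pattern)."""
    by_pin = defaultdict(list)
    for s in parse_from_lines(dockerfile):
        if s["arch"]:
            by_pin[(s["image"], s["digest"])].append(s)
    return [{"image": img, "digest": dig, "stages": [s["alias"] for s in group]}
            for (img, dig), group in by_pin.items() if len({s["arch"] for s in group}) > 1]

def check_stage_platforms(dockerfile: str, digest_platform: dict) -> list:
    """Return (alias, declared_arch, resolved_arch_or_None) for each stage whose declared arch
    differs from the platform its digest resolves to; digest_platform maps digest -> arch
    (as read from the image's manifest list; below it is constructed, not a registry lookup)."""
    return [(s["alias"], s["arch"], digest_platform.get(s["digest"]))
            for s in parse_from_lines(dockerfile)
            if s["arch"] and digest_platform.get(s["digest"]) != s["arch"]]

# Constructed sample inputs: the two FROM lines from the issue, before and after the PR.
OLD_AMD64 = "sha256:59fe77a0432aa1393d3b8c8d0cf39b551c2516e899508fa809346b1fe9966d13"
OLD_ARM64 = "sha256:6292231e5fb042c01caa573f6ffeeb5da1b9c82586bff6086770b8ea42575cc7"
NEW = "sha256:e63e4ba2e7d3fdc47bcc67c64a854914887f9c5fc3b3208ebc03d5c4f2d955bc"
BEFORE = f"FROM azul/zulu-openjdk@{OLD_AMD64} as zulu-amd64\nFROM azul/zulu-openjdk@{OLD_ARM64} as zulu-arm64\n"
AFTER = f"FROM azul/zulu-openjdk@{NEW} as zulu-amd64\nFROM azul/zulu-openjdk@{NEW} as zulu-arm64\n"
# Constructed digest -> platform map (what a manifest-list lookup returned for the old pins).
PLATFORMS = {OLD_AMD64: "amd64", OLD_ARM64: "arm64"}
```

`find_collapsed_arch_pins(AFTER)` returns one finding naming both stages, and `check_stage_platforms(AFTER, PLATFORMS)` reports both stages resolving to an unknown platform, while both checks return an empty list for `BEFORE`.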
yeikel commented 1 year ago

I just noticed that this is the same as https://github.com/dependabot/dependabot-core/issues/6700

The only difference is that this is using a hash instead of a tagged version

Is it worth leaving this open? @deivid-rodriguez

Otherwise feel free to close it