dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

If a digest SHA is used in a Dockerfile, PRs are not superseded when newer SHAs are created #7387

Open cp-fabian-pittroff opened 1 year ago

cp-fabian-pittroff commented 1 year ago

Package ecosystem

Docker

Package manager version

n/a

Language version

n/a

Manifest location and content before the Dependabot update

```dockerfile
FROM steamcmd/steamcmd:ubuntu-22@sha256:091eb51de70e22deacb316671f90d526e253721d391138df82c5541ced75c2f9
```

dependabot.yml content

```yaml
version: 2
updates:
  # Keep Docker dependencies up to date
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
```

Updated dependency

```dockerfile
FROM steamcmd/steamcmd:ubuntu-22@sha256:04e690a1c1b15e808967a0a7f243f0ce3833df872a2cbb45efb2b980edf4aaaa
```

What you expected to see, versus what you actually saw

I would expect that the previous PR gets updated with the new SHA digest of the newest available Docker image.

The PR doesn't get an update. If the PR gets created, it works (fixed with this issue: #6150).

Note: the steamcmd/steamcmd image gets an update every 6 hours.

Native package manager behavior

n/a

Images of the diff or a link to the PR, issue, or logs

Dependabot Output:

```
  proxy | 2023/06/02 18:51:12 proxy starting, commit: d719b9b9871e853c5fd63bf3552f3f857d979f3c
  proxy | 2023/06/02 18:51:12 Listening (:1080)
updater | 2023-06-02T18:51:13.089443171 [672606741:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-06-02T18:51:15Z" level=info msg="guest starting" commit=8ab4a20db815b67034070152643b9878c12b051d
updater | time="2023-06-02T18:51:15Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=672606741 updater_timeout=45m0s updater_version=49704c16cb0893c0ab8c5f884471c324baf39b83-docker
updater | 2023/06/02 18:51:17 INFO Raven 3.1.2 ready to catch errors
updater | 2023/06/02 18:51:19 INFO <job_672606741> Starting job processing
  proxy | 2023/06/02 18:51:19 [002] GET https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue
  proxy | 2023/06/02 18:51:19 [002] * authenticating github api request with token for api.github.com
  proxy | 2023/06/02 18:51:20 [002] 200 https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue
  proxy | 2023/06/02 18:51:20 [004] GET https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/git/refs/heads/main
  proxy | 2023/06/02 18:51:20 [004] * authenticating github api request with token for api.github.com
  proxy | 2023/06/02 18:51:20 [004] 200 https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/git/refs/heads/main
  proxy | 2023/06/02 18:51:20 [006] GET https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/contents/?ref=babfbeddaa2bb039cef523b825544e050da59885
  proxy | 2023/06/02 18:51:20 [006] * authenticating github api request with token for api.github.com
  proxy | 2023/06/02 18:51:20 [006] 200 https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/contents/?ref=babfbeddaa2bb039cef523b825544e050da59885
  proxy | 2023/06/02 18:51:20 [008] GET https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/contents/Dockerfile?ref=babfbeddaa2bb039cef523b825544e050da59885
  proxy | 2023/06/02 18:51:20 [008] * authenticating github api request with token for api.github.com
  proxy | 2023/06/02 18:51:20 [008] 200 https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/contents/Dockerfile?ref=babfbeddaa2bb039cef523b825544e050da59885
updater | 2023/06/02 18:51:20 INFO <job_672606741> Finished job processing
updater | time="2023-06-02T18:51:20Z" level=info msg="task complete" container_id=job-672606741-file-fetcher exit_code=0 job_id=672606741 step=fetcher
updater | 2023/06/02 18:51:22 INFO Raven 3.1.2 ready to catch errors
updater | 2023/06/02 18:51:24 INFO <job_672606741> Starting job processing
updater | 2023/06/02 18:51:24 INFO <job_672606741> Starting update job for cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue
updater | 2023/06/02 18:51:24 INFO <job_672606741> Checking all dependencies for version updates...
updater | 2023/06/02 18:51:24 INFO <job_672606741> Checking if steamcmd/steamcmd ubuntu-22 needs updating
  proxy | 2023/06/02 18:51:24 [014] GET https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/tags/list
  proxy | 2023/06/02 18:51:24 [014] 401 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/tags/list
  proxy | 2023/06/02 18:51:24 [016] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [016] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [018] GET https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/tags/list
  proxy | 2023/06/02 18:51:25 [018] 200 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/tags/list
  proxy | 2023/06/02 18:51:25 [020] HEAD https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/latest
  proxy | 2023/06/02 18:51:25 [020] 401 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/latest
  proxy | 2023/06/02 18:51:25 [022] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [022] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [024] HEAD https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/latest
  proxy | 2023/06/02 18:51:25 [024] 200 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/latest
updater | 2023/06/02 18:51:25 INFO <job_672606741> Latest version is ubuntu-22
  proxy | 2023/06/02 18:51:25 [026] HEAD https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/ubuntu-22
  proxy | 2023/06/02 18:51:25 [026] 401 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/ubuntu-22
  proxy | 2023/06/02 18:51:25 [028] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [028] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [030] HEAD https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/ubuntu-22
  proxy | 2023/06/02 18:51:25 [030] 200 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/ubuntu-22
updater | 2023/06/02 18:51:25 INFO <job_672606741> Pull request already exists for steamcmd/steamcmd with latest version ubuntu-22
updater | 2023/06/02 18:51:25 INFO <job_672606741> Finished job processing
updater | time="2023-06-02T18:51:25Z" level=info msg="task complete" container_id=job-672606741-updater exit_code=0 job_id=672606741 step=updater
```

Smallest manifest that reproduces the issue

https://github.com/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue

AlexanderYastrebov commented 10 months ago

We observed the same problem. After removal of the tag, Dependabot even fails with an error (see https://github.com/zalando/skipper/pull/2546):

```
updater | 2023/08/29 13:52:01 INFO <job_715278877> Checking if library/alpine-3 2213d4d74c39af5313b631cbde2630b4007755b280f0f6b98867f66103b76113 needs updating
  proxy | 2023/08/29 13:52:01 [030] GET https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list
  proxy | 2023/08/29 13:52:02 [030] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list
  proxy | 2023/08/29 13:52:02 [032] GET https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list?last=3-20230828
  proxy | 2023/08/29 13:52:02 [032] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list?last=3-20230828
updater | 2023/08/29 13:52:02 INFO <job_715278877> Latest version is 
updater | 2023/08/29 13:52:02 INFO <job_715278877> Sending event e767ddc58ce84841ba7cb7c0cc6fd880 to Sentry
  proxy | 2023/08/29 13:52:03 [034] POST https://sentry.io:443/api/1451818/store/
  proxy | 2023/08/29 13:52:03 [034] 200 https://sentry.io:443/api/1451818/store/
updater | 2023/08/29 13:52:03 ERROR <job_715278877> Error processing library/alpine-3 (NoMethodError)
updater | 2023/08/29 13:52:03 ERROR <job_715278877> undefined method `match?' for nil:NilClass
updater | 
updater |         name.match?(FileParser::DIGEST)
updater |             ^^^^^^^
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/tag.rb:31:in `digest?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:185:in `updated_digest'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:90:in `block in digest_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:89:in `all?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:89:in `digest_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:71:in `version_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/common/lib/dependabot/update_checkers/base.rb:34:in `up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:79:in `check_and_create_pull_request'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:59:in `check_and_create_pr_with_error_handling'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `block in perform'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `each'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `perform'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:63:in `run'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:38:in `perform_job'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:52:in `run'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> bin/update_files.rb:23:in `<main>'
updater | 2023/08/29 13:52:03 INFO <job_715278877> Finished job processing
updater | 2023/08/29 13:52:03 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +----------------------------------+
updater | |  Dependencies failed to update   |
updater | +------------------+---------------+
updater | | library/alpine-3 | unknown_error |
updater | +------------------+---------------+
updater | time="2023-08-29T13:52:03Z" level=info msg="task complete" container_id=job-715278877-updater exit_code=0 job_id=715278877 step=updater
```

The Dockerfile docs https://docs.docker.com/engine/reference/builder/#from allow the forms:

```dockerfile
FROM [--platform=<platform>] <image> [AS <name>]
# or
FROM [--platform=<platform>] <image>[:<tag>] [AS <name>]
# or
FROM [--platform=<platform>] <image>[@<digest>] [AS <name>]
```

Dependabot supports neither the undocumented (see https://github.com/moby/moby/issues/37866) `FROM foo:atag@sha256:112233...` form nor the documented `FROM foo@sha256:112233...` form with a digest.

jurre commented 10 months ago

@cp-fabian-pittroff when attempting to run Dependabot on your sample repo, it seems to update correctly for me:

 => bump steamcmd/steamcmd from `091eb51` to `6681332`

    ± Dockerfile
    ~~~
    --- /tmp/original20230905-11-7gl513 2023-09-05 12:25:57.250082000 +0000
    +++ /tmp/updated20230905-11-bpm2ze  2023-09-05 12:25:57.250082000 +0000
    @@ -1 +1 @@
    -FROM steamcmd/steamcmd:ubuntu-22@sha256:091eb51de70e22deacb316671f90d526e253721d391138df82c5541ced75c2f9
    +FROM steamcmd/steamcmd:ubuntu-22@sha256:6681332e3f616b2610f582ef8ec345d116d914c0deb76a8e419d9e970aacea15
    ~~~
    2 insertions (+), 2 deletions (-)
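Review bot: the summary line `2 insertions (+), 2 deletions (-)` does not match the hunk `@@ -1 +1 @@`, which shows exactly one line removed and one added, so the counter in this dry-run output appears to double-count and should not be read as two separate edits to the Dockerfile. The hunk itself is the behaviour the issue asks for: the `ubuntu-22` tag is kept and only the pinned digest moves from `091eb51...` to `6681332...`.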

Could it maybe have been resolved since this issue was opened?

@AlexanderYastrebov what's the best way to reproduce the issue you were running into? Is there a specific SHA in the repo you referenced that I can check?

AlexanderYastrebov commented 10 months ago

@jurre Hello. It failed on

```dockerfile
FROM registry.opensource.zalan.do/library/alpine-3@sha256:2213d4d74c39af5313b631cbde2630b4007755b280f0f6b98867f66103b76113 AS default
```

https://github.com/zalando/skipper/blob/43e1dcafbfa8cf545b21a99daf756939f1c44d5d/packaging/Dockerfile

Note that we attempted to remove the tag (and only use the hash) within https://github.com/zalando/skipper/pull/2546 because Dependabot stopped updating the hash and said "Pull request already exists for library/alpine-3 with latest version latest":

```
updater | 2023/08/29 00:21:53 INFO <job_714994438> Checking if library/alpine-3 latest needs updating
updater | 2023/08/29 00:21:53 INFO <job_714994438> Latest version is latest
  proxy | 2023/08/29 00:21:53 [018] HEAD https://registry.opensource.zalan.do:443/v2/library/alpine-3/manifests/latest
  proxy | 2023/08/29 00:21:53 [018] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/manifests/latest
updater | 2023/08/29 00:21:53 INFO <job_714994438> Pull request already exists for library/alpine-3 with latest version latest
```

cp-fabian-pittroff commented 10 months ago

Hello @jurre

I manually triggered a Dependabot rebase and the SHA got updated. But the scheduled update with Dependabot doesn't update the PR:

```
updater | 2023/09/04 15:32:30 INFO <job_717694753> Pull request already exists for steamcmd/steamcmd with latest version ubuntu-22
updater | 2023/09/04 15:32:30 INFO <job_717694753> Finished job processing
```

Now the current latest SHA is: 6681332e3f616b2610f582ef8ec345d116d914c0deb76a8e419d9e970aacea15

In 2-3 hours the Docker SHA should change again, and the PR should also update with the next Dependabot schedule.

I'll report back after the next docker sha change.

cp-fabian-pittroff commented 10 months ago

Hello,

SHA changed to 044c5c03c0d8aeb0a9e510dd4c57e6392409cb45a0ded6734fe9d8ac540b36f7. Triggered a Dependabot scheduled update: same log and no updated PR.

deivid-rodriguez commented 9 months ago

Any updates on a potential repro for this?

szuecs commented 9 months ago

@deivid-rodriguez I think https://github.com/dependabot/dependabot-core/issues/7387#issuecomment-1706640918 has all information and references a PR that shows the problem. If you need more let us know.

deivid-rodriguez commented 9 months ago

Oh, right, thanks @szuecs. #8070 should fix this!

deivid-rodriguez commented 9 months ago

After a closer look, my PR only fixes the last error you mentioned, but I don't think it will fix the original issue.

My understanding is that the original issue is that, when pinned to a SHA reference, Dependabot is able to create an initial PR, but subsequent scheduled runs won't update the initial PR with newer SHAs as happens with regular version updates. I think that's still an issue. You can work around it as mentioned above with `@dependabot recreate` or by merging the PR and letting a fresh one be created.

Something I'm not clear about is that, according to my investigation, the last error mentioned happened due to registry.opensource.zalan.do/library/alpine-3 not providing a "latest" tag. However, the previous error about a PR already being opened mentions the "latest" tag. So I'm confused about that. Is it expected that your image does not provide a rolling latest tag?

cp-fabian-pittroff commented 9 months ago

Would it help if I updated the provided repository with a CI workflow to manually update a Docker image? Something like an nginx container with the github_run_id for the index.html?

Recreating the PR or merging it works.

szuecs commented 9 months ago

@deivid-rodriguez I am not sure if you can access https://github.com/zalando/skipper/security/code-scanning/117, but if so, the reason for not using the "latest" tag is that the OpenSSF Scorecard says we should "pin by hash" and not use the "latest" tag.

Here is a picture of the recommendation: [image]

deivid-rodriguez commented 9 months ago

I can't access that, but my point was not to advise against using "latest" as the consumer of the image, but that under my testing, the "latest" label for registry.opensource.zalan.do/library/alpine-3 did not exist. I think I'm missing something since I can pull that tag just fine, so let me double check.

deivid-rodriguez commented 9 months ago

So, to try to better explain the problem:

While https://registry.opensource.zalan.do/v2/library/alpine-3/tags/list does not list "latest", the "latest" tag does exist as per https://registry.opensource.zalan.do/v2/library/alpine-3/manifests/latest. This confuses Dependabot.

If I completely remove the line that checks whether the "latest" tag is listed:

diff --git a/docker/lib/dependabot/docker/update_checker.rb b/docker/lib/dependabot/docker/update_checker.rb
index 91fddf714..e831bca37 100644
--- a/docker/lib/dependabot/docker/update_checker.rb
+++ b/docker/lib/dependabot/docker/update_checker.rb
@@ -214,8 +214,6 @@ module Dependabot
       end

       def latest_digest
-        return unless tags_from_registry.map(&:name).include?("latest")
-
         digest_of("latest")
       end
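Review bot: removing the `return unless tags_from_registry.map(&:name).include?("latest")` guard deletes the only check that a `latest` tag exists before `digest_of("latest")` is called, so a registry that genuinely has no `latest` manifest would now fail inside `digest_of` instead of `latest_digest` returning nil. Since this thread shows the tags list and the manifest endpoint can disagree, the safer change is to keep a guard but base it on the manifest lookup itself (treat a missing `latest` manifest as nil) rather than on the tags list. Worth a test for both registry behaviours, because this method is also the fallback path for digest-only pins.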

then the update succeeds just fine.

Regardless of this, I suspect the issue originally reported here (and the one the title currently describes) is a separate issue, independent from the registry implementation.

szuecs commented 9 months ago

@deivid-rodriguez @AlexanderYastrebov's and my problem is that we would like to use a pinned hash, not latest. This sha256 version is not recognized by Dependabot. So it's the same as reported by @cp-fabian-pittroff.

deivid-rodriguez commented 9 months ago

Are you able to get a PR bumping the pinned hash at all? I assume not for the registry.opensource.zalan.do/library/alpine-3 image as I explained.

@cp-fabian-pittroff can get PRs bumping pinned hashes, but once a PR is created it is not updated or superseded with newer hashes.

cp-fabian-pittroff commented 9 months ago

> @cp-fabian-pittroff can get PRs bumping pinned hashes, but once a PR is created it is not updated or superseded with newer hashes.

That is correct.

I have a combination of tag and pinned hash (`nginx:stable-alpine@sha256:fc9b8c25953467e406a95ab7b65cbfa9f56b6f24cffcd5ba07b30c2d388490b6`). With the example, I would expect Dependabot to search for stable-alpine and figure out if there is another SHA associated with it.

Without a tag, Dependabot can't really decide what the desired update target should be, can it? So from my point of view, there are only two options:

  1. error out with an explanation (something like: without tag information, Dependabot can't check for updates)
  2. fall back to the latest tag (but that might be confusing)

Unfortunately, Docker doesn't provide more information about a pinned image (RepoTags are empty).

docker inspect...


deivid-rodriguez commented 9 months ago

Yes, we currently fall back to the latest tag. The problem is that when checking if a PR is already opened for the latest version, we don't seem to consider SHAs; that's why you won't get the PR superseded with another PR when there's a newer SHA available.
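The tag-only versus digest-aware "pull request already exists" decision described above, as an added example written for this thread (not Dependabot's own code; `parse_from`, `target_tag`, `pull_reference` and the `pr_already_exists_*` names are assumptions), replayed with the digests quoted earlier in the issue:

```ruby
# Added example (not Dependabot's own code). It parses the FROM forms this
# thread discusses and models the "Pull request already exists" decision
# with and without the pinned digest taken into account.

DIGEST = /\Asha256:[0-9a-f]{64}\z/

# Parse a Dockerfile FROM line. Handles `image`, `image:tag`, `image@digest`
# and the undocumented `image:tag@digest` form, with optional --platform and
# AS clauses. Returns nil for lines that are not FROM instructions.
def parse_from(line)
  tokens = line.strip.split(/\s+/)
  return nil unless tokens.shift&.casecmp?("FROM")
  platform = nil
  platform = tokens.shift.split("=", 2).last if tokens.first&.start_with?("--platform=")
  ref = tokens.shift
  return nil unless ref
  stage = tokens[1] if tokens[0]&.casecmp?("AS")
  ref, digest = ref.split("@", 2)
  raise ArgumentError, "malformed digest: #{digest}" if digest && digest !~ DIGEST
  # The tag separator is the last ':' after the final '/', so a registry port
  # (host:5000/image) is not mistaken for a tag.
  slash = ref.rindex("/") || -1
  colon = ref.rindex(":")
  if colon && colon > slash
    image, tag = ref[0...colon], ref[(colon + 1)..-1]
  else
    image, tag = ref, nil
  end
  { image: image, tag: tag, digest: digest, platform: platform, stage: stage }
end

# What the Docker daemon actually pulls: when a digest is present the tag is
# ignored (moby/moby#37866), so `image:tag@digest` is effectively `image@digest`.
def pull_reference(dep)
  return "#{dep[:image]}@#{dep[:digest]}" if dep[:digest]
  "#{dep[:image]}:#{dep[:tag] || 'latest'}"
end

# The tag the update check resolves against: a digest-only pin falls back
# to "latest", as described in the thread.
def target_tag(dep)
  dep[:tag] || "latest"
end

# Tag-only check (the behaviour reported in this issue): every newer digest
# resolves to the same tag, so the open PR always matches and is never superseded.
def pr_already_exists_by_tag?(open_prs, dep, _new_digest)
  open_prs.any? { |pr| pr[:image] == dep[:image] && pr[:tag] == target_tag(dep) }
end

# Digest-aware check: the open PR only counts if it already proposes the
# digest we would propose now; otherwise it should be superseded.
def pr_already_exists_by_digest?(open_prs, dep, new_digest)
  open_prs.any? do |pr|
    pr[:image] == dep[:image] && pr[:tag] == target_tag(dep) && pr[:digest] == new_digest
  end
end

# Replays the reporter's scenario with the digests quoted in this thread:
# the Dockerfile pins 091eb51..., an open PR proposes 04e690a..., and the
# registry now serves 6681332... for the ubuntu-22 tag.
def demo
  dep = parse_from("FROM steamcmd/steamcmd:ubuntu-22@sha256:091eb51de70e22deacb316671f90d526e253721d391138df82c5541ced75c2f9")
  open_prs = [{ image: "steamcmd/steamcmd", tag: "ubuntu-22",
                digest: "sha256:04e690a1c1b15e808967a0a7f243f0ce3833df872a2cbb45efb2b980edf4aaaa" }]
  newer = "sha256:6681332e3f616b2610f582ef8ec345d116d914c0deb76a8e419d9e970aacea15"
  {
    pull_reference: pull_reference(dep),
    tag_only: pr_already_exists_by_tag?(open_prs, dep, newer),       # true: PR left stale
    digest_aware: pr_already_exists_by_digest?(open_prs, dep, newer) # false: supersede it
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```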

AlexanderYastrebov commented 9 months ago

> I have a combination of tag and pinned hash

In such a case the tag is ignored, see https://github.com/moby/moby/issues/37866

szuecs commented 9 months ago

FYI: we got an update https://github.com/zalando/skipper/pull/2635

deivid-rodriguez commented 9 months ago

Yes. Your problem is specific to the alpine-3 image as I explained at https://github.com/dependabot/dependabot-core/issues/7387#issuecomment-1728176715. The other images shouldn't be having any issues.