docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

Reproducible builds #474

Closed tenjaa closed 2 years ago

tenjaa commented 2 years ago

Hi, I am seeing a lot of pull requests where just the image hash is changing. I would have expected tags specific to the patch version (like 17.0.1) to be immutable.

For example: https://github.com/tenjaa/concourse-github-app-token/pull/151/files

tianon commented 2 years ago

Unfortunately, if you want an immutable image, you need to pull it by the (content addressable) digest instead of by tag (tags by their nature are immutable, but the content addressable digest is a cryptographic hash of the exact registry contents).

The main trigger that will cause the digest of a given tag to change besides the published OpenJDK artifacts changing (for explicit releases or otherwise) is generally going to be things like base image updates (which are almost always going to come with many distribution package security updates). We also have a little bit of "settling" behavior as different architectures build and push where the Docker manifest list digest will change as architectures get updated/rebuilt/published.

Another resource which the project maintains that you might find useful is the https://github.com/docker-library/repo-info repository. In the specific case of the openjdk:17.0.1 tag, what you're looking for is https://github.com/docker-library/repo-info/blob/master/repos/openjdk/remote/17.0.1.md, which is more interesting via https://github.com/docker-library/repo-info/commits/master/repos/openjdk/remote/17.0.1.md (IMO that's admittedly easier to browse from a checked out copy and something like git log -p on the specific file, but it does pretty OK through the web interface).

Peeking into that history a little, https://github.com/docker-library/official-images/pulls?q=is%3Apr+label%3Alibrary%2Foraclelinux+is%3Amerged appears to contain the most likely culprits for all recent updates to this tag.
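The mechanics tianon describes (a tag resolving to a manifest list whose digest is a hash of the exact registry bytes, and that digest moving when a single architecture is rebuilt) can be seen in a few lines of Python. The following is an added example written for this page, not code from the issue thread or from the docker-library project. The manifest list, its per-architecture digests and the manifest sizes are constructed placeholder values, not the real digests of any openjdk image, and the `serialize` function fixes a canonical JSON layout so the example is deterministic (a real registry digests whatever bytes were pushed).

```python
import hashlib
import json
from copy import deepcopy

# Constructed sample manifest list, i.e. the object a multi-arch tag such as
# openjdk:17.0.1 resolves to. The per-architecture digests are placeholders.
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
MANIFEST_LIST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        {
            "mediaType": MANIFEST_V2,
            "size": 1778,
            "digest": "sha256:" + "11" * 32,  # placeholder amd64 image digest
            "platform": {"architecture": "amd64", "os": "linux"},
        },
        {
            "mediaType": MANIFEST_V2,
            "size": 1778,
            "digest": "sha256:" + "22" * 32,  # placeholder arm64 image digest
            "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"},
        },
    ],
}


def serialize(manifest: dict) -> bytes:
    """Canonical JSON bytes (assumption for determinism).

    A registry digests the exact bytes that were pushed, which is why the
    digest should be read from the registry (docker buildx imagetools inspect,
    the repo-info files) rather than recomputed from a pretty-printed copy.
    """
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def digest_of(manifest_bytes: bytes) -> str:
    """Content-addressable digest: sha256 over the manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


def rebuild_architecture(manifest_list: dict, arch: str, new_digest: str) -> dict:
    """Simulate one architecture being rebuilt and re-pushed under the same tag."""
    updated = deepcopy(manifest_list)
    for entry in updated["manifests"]:
        if entry["platform"]["architecture"] == arch:
            entry["digest"] = new_digest
    return updated


def platform_digest(manifest_list: dict, arch: str) -> str:
    """Digest of the single-architecture image manifest for one platform."""
    for entry in manifest_list["manifests"]:
        if entry["platform"]["architecture"] == arch:
            return entry["digest"]
    raise KeyError(arch)


def changed_platforms(old: dict, new: dict) -> list:
    """Platforms whose image manifest differs between two manifest lists.

    This is the question to ask when a tag's digest moves in a PR: did the
    image for my platform change, or only a sibling architecture?
    """
    old_by_platform = {
        (m["platform"]["os"], m["platform"]["architecture"]): m["digest"]
        for m in old["manifests"]
    }
    return [
        (m["platform"]["os"], m["platform"]["architecture"])
        for m in new["manifests"]
        if old_by_platform.get((m["platform"]["os"], m["platform"]["architecture"]))
        != m["digest"]
    ]


def pinned_from_line(image: str, tag: str, digest: str) -> str:
    """Immutable FROM line: the tag stays for readability, the digest decides."""
    return f"FROM {image}:{tag}@{digest}"


def is_digest_pinned(from_line: str) -> bool:
    """True if a Dockerfile FROM line references its image by sha256 digest."""
    parts = from_line.split()
    if len(parts) < 2 or parts[0].upper() != "FROM" or "@sha256:" not in parts[1]:
        return False
    hex_part = parts[1].rsplit("@sha256:", 1)[1]
    return len(hex_part) == 64 and all(c in "0123456789abcdef" for c in hex_part)


if __name__ == "__main__":
    before = digest_of(serialize(MANIFEST_LIST))
    rebuilt = rebuild_architecture(MANIFEST_LIST, "arm64", "sha256:" + "33" * 32)
    after = digest_of(serialize(rebuilt))
    print("tag digest before arm64 rebuild:", before)
    print("tag digest after arm64 rebuild: ", after)
    print("platforms that changed:", changed_platforms(MANIFEST_LIST, rebuilt))
    print(pinned_from_line("openjdk", "17.0.1", before))
```

Running it shows the two things the thread turns on: the manifest list digest changes after the arm64 rebuild even though the amd64 image digest is identical, and a `FROM openjdk:17.0.1@sha256:...` line keeps building the same bytes no matter how often the tag is re-pushed. The price of pinning is that security updates in the base image no longer arrive by themselves, which is exactly what the digest-bump PRs tenjaa is seeing deliver, so a pinned FROM needs something (a bot or a scheduled job) that proposes the new digest.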