Enhancement idea: lockfile

[lunik1]

Currently, one advantage of using NixOS containers over DockerHub (or other image repository) is that NixOS containers can be more easily rolled back to a previous state (especially when using flakes). When pulling a from latest container tag, it becomes more difficult to trace what versions of images have been used and recreate the previous state of a project. Of course, you can pin to specific image versions, but this is less ergonomic. A solution could be that arion could track the current external image versions used in a lockfile, which could be automatically updated to point to the latest versions of an image tag, and, when managed with version control, allow easy rollbacks to previously used images.

[roberth]

This could either pin with pullImage or the docker way with an image digest sha. The prior could be used as a base image, whereas the latter aligns with https://github.com/safe-waters/docker-lock, which might be usable for implementing this.

This being a Nix-centric project, I'd give preference to a pullImage based solution.

[crabdancing]

This is an awesome idea! I would love to see it implemented