intel / intel-device-plugins-for-kubernetes

Collection of Intel device plugins for Kubernetes
Apache License 2.0

Pin workflow actions sha's #1741

Closed tkatila closed 1 month ago

tkatila commented 1 month ago

Fix issues generated by the scorecard.

eero-t commented 1 month ago

I'd also like some documentation on the update process, e.g. how often these SHAs will be updated after this?

I mean, unstable distros (like the Debian one) get updates constantly; even the 20.04 LTS tag gets security updates [1] fairly often...

[1] last one seems to have been 19 days ago: https://hub.docker.com/layers/amd64/ubuntu/20.04/images/sha256-cc9cc8169c9517ae035cf293b15f06922cb8c6c864d625a72b7b18667f264b70

mythi commented 1 month ago

> I'd also like some documentation on the update process, e.g. how often these SHAs will be updated after this?

Automatically by dependabot, using the interval set in this PR.

tkatila commented 1 month ago

I ran some tests on my personal project: https://github.com/tkatila/intel-device-plugins-for-kubernetes/pull/9

If one adds full version details in the comment (x.y.z) dependabot will also update the comment.

I haven't tested the dockerfile update. I should test that before this is merged.

tkatila commented 1 month ago

> I haven't tested the dockerfile update. I should test that before this is merged.

Well. It doesn't work. Dependabot scanned a purposefully downgraded Dockerfile and deemed it ok. Looking closer at it, the documentation says that in order for dependabot to work:

In order for Dependabot to fetch Docker metadata, maintainers of Docker images must add the org.opencontainers.image.source label to their Dockerfile, and include the URL of the source repository.

That doesn't seem to be true for ubuntu or debian images: https://hub.docker.com/layers/library/debian/unstable-slim/images/sha256-93f700ccfb363bf77c05dc71945a6a2a25abf9a1eb502b0afd2168c2eec463bd?context=explore https://hub.docker.com/layers/library/ubuntu/22.04/images/sha256-2af372c1e2645779643284c7dc38775e3dbbc417b2d784a27c5a9eb784014fb8?context=explore

I'll see if there's some other way to update the SHAs.

tkatila commented 1 month ago

One way to achieve updates for demo SHAs: I wrote a small script that uses frizbee to check for the latest versions. That script is then used in a workload that updates the SHAs and creates a pull request: https://github.com/tkatila/intel-device-plugins-for-kubernetes/actions/runs/9174022590 https://github.com/tkatila/intel-device-plugins-for-kubernetes/pull/17 https://github.com/tkatila/intel-device-plugins-for-kubernetes/blob/main/.github/workflows/demo-img-update.yaml

Comments?

mythi commented 1 month ago

My 2 cents is that we could start with the actions pinning only and let the image sha support evolve a bit (however, it looks like the dependabot solution sets a lot of expectations for the image maintainers, which may or may not happen anytime soon for the images we depend on).

tkatila commented 1 month ago

> My 2 cents is that we could start with the actions pinning only and let the image sha support evolve a bit (however, it looks like the dependabot solution sets a lot of expectations for the image maintainers, which may or may not happen anytime soon for the images we depend on).

Sure. I'll modify this PR to only pin GH actions. We can re-evaluate Dockerfile pinning at a later date.
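The thread settles on pinning GitHub Actions to commit SHAs and leaving a full x.y.z version in the trailing comment so dependabot can keep both in sync. As an added example (not code from this repository or from dependabot), here is a small audit that walks a workflow file and reports every `uses:` step that is still on a mutable tag or branch, or that is SHA-pinned but lacks the version comment; the sample workflow and its 40-hex SHAs are constructed placeholders, not real commits.

```python
import re

# Matches a `uses:` step reference of the form owner/repo[/path]@ref,
# with an optional trailing "# comment" (where the version lives).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[A-Za-z0-9_.\-/]+)@(?P<rev>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit SHA
VERSION_RE = re.compile(r"\bv?\d+\.\d+\.\d+\b")  # x.y.z, optionally prefixed with v

def classify_uses(line):
    """Classify one workflow line. Returns None when the line is not a
    remote `uses:` step (local ./ actions carry no @ref and are skipped),
    otherwise (action, revision, status) with status one of
    'pinned', 'pinned-no-version' or 'unpinned'."""
    m = USES_RE.match(line)
    if not m:
        return None
    action, rev = m.group("ref"), m.group("rev")
    comment = m.group("comment") or ""
    if not SHA_RE.match(rev):
        return action, rev, "unpinned"
    if not VERSION_RE.search(comment):
        return action, rev, "pinned-no-version"
    return action, rev, "pinned"

def audit_workflow(text):
    """Return (line_no, action, revision, status) for every step that is
    not fully pinned, i.e. not a commit SHA with an x.y.z version comment."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        r = classify_uses(line)
        if r and r[2] != "pinned":
            findings.append((n, r[0], r[1], r[2]))
    return findings

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef # v4.3.1
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for n, action, rev, status in audit_workflow(SAMPLE):
        print(f"line {n}: {action}@{rev} -> {status}")
```

Run against the sample it flags the tag-pinned checkout step and the SHA without a version comment, and stays silent for the fully pinned upload step and the local action.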