marcoroth / dependabot-bump-together-action

GitHub Action to bump multiple dependencies with dependabot in a single pull request
MIT License

Go back to using Dockerfile #14

Closed banesullivan closed 2 years ago

banesullivan commented 2 years ago

Option 2

This goes back to using the Dockerfile to build the image on-the-fly so that using a tag in downstream actions will work.

banesullivan commented 2 years ago

I'm in favor of reverting back to this for simplicity

marcoroth commented 2 years ago

Yeah, I'm also in favor of this option. But I guess we also need to update the Dockerfile in order to pull down the right tag.

banesullivan commented 2 years ago

> But I guess we also need to update the Dockerfile in order to pull down the right tag.

I don't think that is needed. The Dockerfile pulls the latest dependabot/dependabot-core and this PR would render the container registry for this repo useless (in production).

marcoroth commented 2 years ago

Oh right, but then we also don't need the container registry anymore

banesullivan commented 2 years ago

> but then we also don't need the container registry anymore

Yep... 🤷🏻 I've been pretty excited about ghcr.io and using it all over the place. My bad introducing it here when it really isn't all that needed.

marcoroth commented 2 years ago

I mean it would make sense to speed it up.

But if you compare the run times it doesn't seem to make much of a difference. The two runs today are using the pre-built Docker image and the two from two days ago are building it on-the-fly.

[Image: Screenshot 2022-01-23 at 04 04 44]

banesullivan commented 2 years ago

Exactly... I was hoping that pulling from ghcr.io would speed it up but considering that the base dependabot/dependabot-core image is 4GB, that's always going to be the limiting factor:

REPOSITORY                                       TAG          IMAGE ID       CREATED         SIZE
dependabot/dependabot-core                       latest       c611f4026e2b   9 days ago      4.1GB

And we need that image for all of the different packaging runtimes (npm, pip, etc.)

marcoroth commented 2 years ago

Yeah, so it really comes down to the network/download speed.