Alpine tag index digests differ depending on the Node version being present in the tag name

Environment

Platform: Linux 5.15.146.1-microsoft-standard-WSL2 #1 SMP Thu Jan 11 04:09:03 UTC 2024 x86_64 GNU/Linux
Docker Version: Docker version 26.0.0, build 2ae903e
Node.js Version: N/a
Image Tag: N/a

Expected Behavior

Tags sharing the same bullet on Docker Hub should resolve to the same index digest.

Current Behavior

Alpine tags have different index digests depending on if the Node version is included in the tag.

Tag	Index Digest
`22-alpine`	`487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8`
`22-alpine3.19`	`487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8`
`22.1-alpine`	`487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8`
`22.1-alpine3.19`	`487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8`
`22.1.0-alpine`	`487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8`
`22.1.0-alpine3.19`	`487dc5d5122d578e13f2231aa4ac0f63068becd921099c4c677c850df93bede8`
`alpine`	`916b42f9e83466eb17d60a441a96f5cd57033bbfee6a80eae8e3249f34cf8dbe`
`alpine3.19`	`916b42f9e83466eb17d60a441a96f5cd57033bbfee6a80eae8e3249f34cf8dbe`
`current-alpine`	`916b42f9e83466eb17d60a441a96f5cd57033bbfee6a80eae8e3249f34cf8dbe`
`current-alpine3.19`	`916b42f9e83466eb17d60a441a96f5cd57033bbfee6a80eae8e3249f34cf8dbe`

Tag	Index Digest
`22-alpine3.18`	`5a4751fb2e95bb0a0ad5ac1f92fd36076c7337b89667e396dbbabf36fa5b1d6f`
`22.1-alpine3.18`	`5a4751fb2e95bb0a0ad5ac1f92fd36076c7337b89667e396dbbabf36fa5b1d6f`
`22.1.0-alpine3.18`	`5a4751fb2e95bb0a0ad5ac1f92fd36076c7337b89667e396dbbabf36fa5b1d6f`
`alpine3.18`	`16045923d173e53160ee2daa7cd980df38e5a567d8bf9aa62620537393c40a0a`
`current-alpine3.18`	`16045923d173e53160ee2daa7cd980df38e5a567d8bf9aa62620537393c40a0a`

This split doesn't appear in the bookworm tags.

Tag	Index Digest
`22`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`22-bookworm`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`22.1`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`22.1-bookworm`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`22.1.0`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`22.1.0-bookworm`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`bookworm`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`current`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`current-bookworm`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`
`latest`	`64c46a664eccedec63941dab4027c178a36debe08a232d4f9d7da5aca91cff3d`

The split also doesn't appear in the manifest digests.	OS/ARCH	`22.1.0-alpine` Manifest Digest
linux/amd64	`321a52b9fccde74c532796f832046124af1dd997a65410d6155accd40fbe6ab8`	`321a52b9fccde74c532796f832046124af1dd997a65410d6155accd40fbe6ab8`
linux/arm/v6	`c17e937e8e79dc0a5630221cfb8bbef536def6ea5b0c6dfc3779c1d41eb2637a`	`c17e937e8e79dc0a5630221cfb8bbef536def6ea5b0c6dfc3779c1d41eb2637a`
linux/arm/v7	`602f019dd6f03eb5e2196972a98b4f7bcda792e44be2f29ddea01e79ceda4c6e`	`602f019dd6f03eb5e2196972a98b4f7bcda792e44be2f29ddea01e79ceda4c6e`
linux/arm64/v8	`2e2092b651047bb52aa815beec42d72a07d46f8b13ff45c57195602062e52fa2`	`2e2092b651047bb52aa815beec42d72a07d46f8b13ff45c57195602062e52fa2`
linux/s390x	`6865bbc0e18da7faba554ca807e8bee075995682450a81ac6f2aca7b45a64c58`	`6865bbc0e18da7faba554ca807e8bee075995682450a81ac6f2aca7b45a64c58`

Possible Solution

Rebuild latest Alpine tags?

Steps to Reproduce

SHA's generated by running

docker buildx imagetools inspect --format='{{json .Manifest.Digest}}' node:<tag>

Additional Information

I've previously observed current-alpine matching <current-version>-alpine over a handful of versions, which is why this discrepancy popped out to me.

I'm not aware of this breaking anything. It just seemed like an odd thing the team would be interested in being aware of.

The reason for the difference is that more generic tags (like node:alpine) are a combination of each arch-specific node:alpine available (see the arch-specific repos listed in the Docker Official Images readme). Each build architecture pushes images to its respective namespace. A separate job periodically combines those architecture-specific images into the image index under library/ on Docker Hub. Because not all architectures build at the same speed (or one could fail indefinitely), it uses whatever is available under the specific tag for the given architecture. What this means is that for a generic tag (node:alpine), it can be a combination of old (like nodejs 21 on alpine) and new (nodejs 22 on alpine) builds. This helps to ensure that architectures don't just randomly disappear on every version update on the less specific tags when some architectures build faster/slower than others (or fail to build at all).

For example:

ppc64le/node:alpine is still the same as ppc64le/node:21-alpine
ppc64le/node:22-alpine currently fails to build, so ppc64le/node:alpine is not pushed or updated (https://github.com/docker-library/official-images/pull/16714#issuecomment-2096455085)
the resulting node:alpine has a ppc64le entry (with nodejs 21, but the other architectures are nodejs 22) while node:22-alpine does not have a ppc64le entry

nodejs / docker-node