Closed dependabot[bot] closed 1 year ago
Interestingly, this is the same image:
docker inspect centos:centos7.9.2009@sha256:c73f515d06b0fa07bb18d8202035e739a494ce760aa73129f60f4bf2bd22b407
[
{
"Id": "sha256:eeb6ee3f44bd0b5103bb561b4c16bcb82328cfe5809ab675bb17ab3a16c517c9",
"RepoTags": [],
"RepoDigests": [
"centos@sha256:c73f515d06b0fa07bb18d8202035e739a494ce760aa73129f60f4bf2bd22b407",
"centos@sha256:dead07b4d8ed7e29e98de0f4504d87e8880d4347859d839686a31da35a3b532f"
],
"Parent": "",
"Comment": "",
"Created": "2021-09-15T18:20:23.99863383Z",
It looks like a multi-arch manifest (useful if you ever want to also build an arm64 image): docker manifest inspect docker.io/library/centos@sha256:c73f515d06b0fa07bb18d8202035e739a494ce760aa73129f60f4bf2bd22b407
Thanks, @manics. But any idea why this bump occurred and not @JulianHn's in https://github.com/JulianHn/omero-server-docker/pull/3#issuecomment-1162180189?
Hey @joshmoore, my test image only has the amd64 arch probably, since I pushed from a amd64 machine.
I have created a test repository to check the behaviour of dependabot for this multi-architecture manifest setup: https://github.com/JulianHn/multiarch-test
I created a simple multiarchitecture Dockerfile (docker.io/julianhn/multiarch-test) with linux/amd64 and linux/arm64 images and inside my test git repo I created a simple Dockerfile that builds from this manifest.
I tested the following things:
docker.io/julianhn/multiarch-test:1.0
tag --> Dependabot will open a PR (https://github.com/JulianHn/multiarch-test/pull/2) to update the sha256 reference to the new manifest sha256. docker build
will now pull the updated image embedded in the new manifest. ✔️ docker.io/julianhn/multiarch-test:1.1
--> Dependabot will open a PR (https://github.com/JulianHn/multiarch-test/pull/3) to update to the new tag and the respective manifest sha256. docker build
will once again pull the new image. ✔️ From these tests, I conclude that dependabot will behave in the way we want it after this inital "upgrade" from single image sha256 reference to manifest sha256 reference. @joshmoore @manics
Let's go ahead and get this in with the other recent fix and see how the scheme works for us.
Bumps centos from
dead07b
toc73f515
.Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)