Conversation

@bloodearnest bloodearnest commented Jan 19, 2026

Took advantage of a moment of inspiration to try to tackle this issue again.

Dependabot can update shas in Dockerfiles, which is nice, as we can then manage
them in our regular update process.

Additionally, they help solve another problem. Currently, our weekly rebuilds
do not make commits to the repo, so they deactivate after 3 months. However, merging
a dependabot PR will update the repo, and the weekly publish will no longer be
deactivated.

The issue has been that we use a single parametrised Dockerfile, in order to keep
the images identical. This had previously precluded pinning the sha. However,
with explicit pinned layers per version, and some tweaks to parameterisation,
I think we can do it.

We won't 100% know if this will work as intended until we merge it, but it's
worth a shot.

By explicitly adding shas for all 3 versions of ubuntu, we should be
able to get dependabot to create PRs to update them to new versions as
part of our regular update process.
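The layout the description refers to, written out as a constructed example. This is not the base-docker repository's own Dockerfile; the Ubuntu releases, stage names, build-argument name and digests are assumptions, and the digests are placeholders rather than real image digests.

```dockerfile
# Constructed example of "explicit pinned layers per version" in a single
# parametrised Dockerfile. Not the project's own file; releases, stage names,
# the build-arg name and all digests are assumptions (digests are placeholders).

# Dependabot's docker ecosystem rewrites the digest on a FROM line of the form
# image:tag@sha256:..., so each pinned base image gets its own literal FROM
# line. Nothing is interpolated into the image reference itself.
FROM ubuntu:20.04@sha256:PLACEHOLDER_DIGEST_FOCAL AS focal
FROM ubuntu:22.04@sha256:PLACEHOLDER_DIGEST_JAMMY AS jammy
FROM ubuntu:24.04@sha256:PLACEHOLDER_DIGEST_NOBLE AS noble

# The version is still a build argument, but it now selects one of the pinned
# stages above instead of being substituted into the ubuntu:<tag> reference.
# (An ARG declared before a FROM is global and may be used in that FROM.)
ARG UBUNTU_CODENAME=jammy
FROM ${UBUNTU_CODENAME}

# Shared setup follows and is identical for every version (placeholder step).
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
```

Built with `docker build --build-arg UBUNTU_CODENAME=noble .`, the image for each release still comes from the same file, while every base digest is a reviewable literal. Dependabot only acts on it if `.github/dependabot.yml` has an entry with `package-ecosystem: "docker"` covering the Dockerfile's directory; it then bumps the `@sha256:` digest in place, so the tag and the digest stay together on one line and the update lands as an ordinary PR.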

@evansd evansd left a comment


Definitely seems worth a go 🤞

@bloodearnest bloodearnest merged commit b541b63 into main Jan 27, 2026
3 checks passed
@bloodearnest bloodearnest deleted the pinned-shas branch January 27, 2026 16:16
@bloodearnest
Member Author

Hmm, seems it didn't like it, dependabot errored:

https://github.com/opensafely-core/base-docker/actions/runs/21404899658/job/61625912545
