From 5c4b5b6603c6a779ca2994ca7ceafa5f0b862e0c Mon Sep 17 00:00:00 2001
From: bloodearnest
Date: Mon, 19 Jan 2026 12:46:30 +0000
Subject: [PATCH 1/3] Remove previous attempts at pinned updates
---
.github/workflows/update-ubuntu-sha.yaml | 32 ------------------------
Justfile | 12 +--------
ubuntu:20.04.sha | 1 -
ubuntu:22.04.sha | 1 -
4 files changed, 1 insertion(+), 45 deletions(-)
delete mode 100644 .github/workflows/update-ubuntu-sha.yaml
delete mode 100644 ubuntu:20.04.sha
delete mode 100644 ubuntu:22.04.sha
diff --git a/.github/workflows/update-ubuntu-sha.yaml b/.github/workflows/update-ubuntu-sha.yaml
deleted file mode 100644
index 0f41a2b..0000000
--- a/.github/workflows/update-ubuntu-sha.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: Update SHA of latest ubuntu images
-# This is to workaround the 3mo timeout for GHA scheduled actions on repos with
-# no new commits, by automatically creating new commits.
-on:
- schedule:
- # check for a new ubuntu image every week at 04:17am on mondays
- - cron: "17 04 * * 1"
- # let us manually trigger a build
- workflow_dispatch:
-env:
- BASE_IMAGE_NAME: base-docker
- ACTION_IMAGE_NAME: base-action
-jobs:
- update:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@master
- uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
- - name: update SHAs
- run: just update-docker-shas
- - name: Commit file
- run: |
- git status
- git add "*.sha"
- if git diff-index --quiet HEAD; then
- exit
- fi
- git config --local user.email "action@github.com"
- git config --local user.name "GitHub Action"
- git commit -m "Update base image SHA files"
- git push origin
diff --git a/Justfile b/Justfile
index 7490aae..a254a2d 100644
--- a/Justfile
+++ b/Justfile
@@ -51,17 +51,7 @@ test: build docker run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests $ACTION_IMAGE_NAME:24.04 ./tests.sh ./check.sh -# Update the files tracking the SHAs of ubuntu docker image -update-docker-shas: - @just _update-sha "ubuntu:20.04" - @just _update-sha "ubuntu:22.04" - -_update-sha os: - echo {{ os }} - docker image pull {{ os }} - docker inspect --format='{{{{index .RepoDigests 0}}' {{ os }} > {{ os }}.sha - - +# publish the images to ghcr.io publish-images: #!/bin/bash set -euo pipefail diff --git a/ubuntu:20.04.sha b/ubuntu:20.04.sha deleted file mode 100644 index 7563a52..0000000 --- a/ubuntu:20.04.sha +++ /dev/null @@ -1 +0,0 @@ -ubuntu@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba diff --git a/ubuntu:22.04.sha b/ubuntu:22.04.sha deleted file mode 100644 index e052622..0000000 --- a/ubuntu:22.04.sha +++ /dev/null @@ -1 +0,0 @@ -ubuntu@sha256:aabed3296a3d45cede1dc866a24476c4d7e093aa806263c27ddaadbdce3c1054 From 8fedc2c769913dbf8716095ad88e0b319039751d Mon Sep 17 00:00:00 2001 From: bloodearnest Date: Mon, 19 Jan 2026 12:46:45 +0000 Subject: [PATCH 2/3] Support pinned dependabot updates. By explicitly adding shas for all 3 versions of ubuntu, we should be able to get dependabot to create PRs to update them to new versions as part of our regular update process. --- Dockerfile | 14 ++++++++++---- docker-compose.yaml | 12 ++++++------ 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index 91ec2a1..1822776 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,10 +1,16 @@
 # syntax=docker/dockerfile:1.10
 # enable docker linting
 # check=error=true
-ARG UBUNTU_VERSION=ubuntu:20.04
-# we are parameterizing the base image, so we can't be explicit like DL3006 wants us to be
-# hadolint ignore=DL3006
-FROM $UBUNTU_VERSION as base-docker
+
+# this must come before FROM lines
+ARG UBUNTU_VERSION=ubuntu-20.04
+
+# Include each version with sha so that dependabot can update them
+FROM ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214 AS ubuntu-20.04
+FROM ubuntu:22.04@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1 AS ubuntu-22.04
+FROM ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b AS ubuntu-24.04
+
+FROM $UBUNTU_VERSION AS base-docker
 # default env vars
 ENV container=docker DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 LC_ALL=C.UTF-8
diff --git a/docker-compose.yaml b/docker-compose.yaml
index dad7657..99a6462 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -20,28 +20,28 @@ services:
 image: "base-docker:20.04"
 build:
 args:
- - UBUNTU_VERSION=ubuntu:20.04
+ - UBUNTU_VERSION=ubuntu-20.04
 base-docker-22.04:
 extends: base-docker
 image: "base-docker:22.04"
 build:
 args:
- - UBUNTU_VERSION=ubuntu:22.04
+ - UBUNTU_VERSION=ubuntu-22.04
 base-docker-24.04:
 extends: base-docker
 image: "base-docker:24.04"
 build:
 args:
- - UBUNTU_VERSION=ubuntu:24.04
+ - UBUNTU_VERSION=ubuntu-24.04
 base-action-20.04:
 extends: base-docker
 image: "base-action:20.04"
 build:
 args:
- - UBUNTU_VERSION=ubuntu:20.04
+ - UBUNTU_VERSION=ubuntu-20.04
 target: base-action
 base-action-22.04:
@@ -49,7 +49,7 @@ services:
 image: "base-action:22.04"
 build:
 args:
- - UBUNTU_VERSION=ubuntu:22.04
+ - UBUNTU_VERSION=ubuntu-22.04
 target: base-action
 base-action-24.04:
@@ -57,7 +57,7 @@ services:
 image: "base-action:24.04"
 build:
 args:
- - UBUNTU_VERSION=ubuntu:24.04
+ - UBUNTU_VERSION=ubuntu-24.04
 target: base-action
 secrets:
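Review bot: `FROM $UBUNTU_VERSION AS base-docker` still accepts any image reference, so a caller that passes the old `ubuntu:22.04` form (or any arbitrary value) builds from an unpinned tag and silently bypasses the digests this commit introduces; a Dockerfile cannot reject a bad build arg before FROM, so the contract should at least be stated next to the ARG: `# UBUNTU_VERSION must name one of the pinned stages below (ubuntu-20.04, ubuntu-22.04, ubuntu-24.04); any other value is pulled by tag, unpinned`. The `# syntax=docker/dockerfile:1.10` frontend is likewise referenced by tag only, which is an image pull the digest pinning does not cover, and I am not certain Dependabot's docker ecosystem rewrites the syntax directive, so it is worth checking or pinning by digest too. Given the commit date, ubuntu:20.04 has presumably left standard support, so digest refreshes on that stage may no longer carry security fixes unless the image is ESM-enabled — worth confirming against the project's support window. The base-docker stage continues past the ENV line, outside this hunk.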
From 3785da15e35898ff104a811e17b3154d66c2ee08 Mon Sep 17 00:00:00 2001
From: bloodearnest
Date: Mon, 19 Jan 2026 12:52:05 +0000
Subject: [PATCH 3/3] add dependabot updates for docker ecosystem
---
.github/dependabot.yml | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..84c87d6
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "docker"
+ directory: "/"
+ schedule:
+ interval: "weekly"
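Review bot: The `docker` ecosystem tracks the image tag as well as the digest, so Dependabot may open PRs that bump `ubuntu:20.04@sha256:…` to a newer release tag, and merging one would make the stage the Dockerfile names `ubuntu-20.04` build from a different Ubuntu version; if the intent is digest-only refreshes, add an ignore rule under this entry — `ignore:` / `- dependency-name: "ubuntu"` / `update-types: ["version-update:semver-major"]` — and confirm `update-types` is honoured for docker in your Dependabot version. The workflow deleted in the first patch used `actions/checkout@master`; if any workflows remain in the repository, a second entry with `package-ecosystem: "github-actions"` here would keep them pinned and updated as well. Weekly matches the cadence of the cron job this series removes, so no refresh frequency is lost.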