Revert "Pin and update docker shas"

.github/workflows/update-ubuntu-sha.yaml

@@ -0,0 +1,32 @@
+name: Update SHA of latest ubuntu images
+# This is to workaround the 3mo timeout for GHA scheduled actions on repos with 
+# no new commits, by automatically creating new commits.
+on:
+  schedule:
+    # check for a new ubuntu image every week at 04:17am on mondays
+    - cron: "17 04 * * 1"
+  # let us manually trigger a build
+  workflow_dispatch:
+env:
+  BASE_IMAGE_NAME: base-docker
+  ACTION_IMAGE_NAME: base-action
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@master
+    - uses: extractions/setup-just@69d82fb0233557aec017ef13706851d0694e0f1d
+    - name: update SHAs
+      run: just update-docker-shas
+    - name: Commit file
+      run: |
+        git status
+        git add "*.sha"
+        if git diff-index --quiet HEAD; then
+          exit
+        fi
+        git config --local user.email "action@github.com"
+        git config --local user.name "GitHub Action"
+        git commit -m "Update base image SHA files"
+        git push origin

Dockerfile

@@ -1,16 +1,10 @@
 # syntax=docker/dockerfile:1.10
 # enable docker linting
 # check=error=true
-
-# this must come before FROM lines
-ARG UBUNTU_VERSION=ubuntu-20.04
-
-# Include each version with sha so that dependabot can update them
-FROM ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214 AS ubuntu-20.04
-FROM ubuntu:22.04@sha256:c7eb020043d8fc2ae0793fb35a37bff1cf33f156d4d4b12ccc7f3ef8706c38b1 AS ubuntu-22.04
-FROM ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b AS ubuntu-24.04
-
-FROM $UBUNTU_VERSION AS base-docker
+ARG UBUNTU_VERSION=ubuntu:20.04
+# we are parameterizing the base image, so we can't be explicit like DL3006 wants us to be
+# hadolint ignore=DL3006
+FROM $UBUNTU_VERSION as base-docker
 
 # default env vars
 ENV container=docker DEBIAN_FRONTEND=noninteractive LANG=C.UTF-8 LC_ALL=C.UTF-8

Justfile

@@ -52,7 +52,17 @@ test: build
   docker compose run $RUN_ARGS --rm -v {{justfile_directory()}}:/tests -w /tests "$ACTION_IMAGE_NAME-24.04" ./tests.sh
   ./check.sh
 
-# publish the images to ghcr.io
+# Update the files tracking the SHAs of ubuntu docker image
+update-docker-shas:
+  @just _update-sha "ubuntu:20.04"
+  @just _update-sha "ubuntu:22.04"
+
+_update-sha os:
+  echo {{ os }}
+  docker image pull {{ os }}
+  docker inspect --format='{{{{index .RepoDigests 0}}' {{ os }} > {{ os }}.sha
+
+
 publish-images:
   #!/bin/bash
   set -euo pipefail

docker-compose.yaml

@@ -23,44 +23,44 @@ services:
     image: "base-docker:20.04"
     build:
       args:
-        - UBUNTU_VERSION=ubuntu-20.04
+        - UBUNTU_VERSION=ubuntu:20.04
 
   base-docker-22.04:
     extends: base-docker
     image: "base-docker:22.04"
     build:
       args:
-        - UBUNTU_VERSION=ubuntu-22.04
+        - UBUNTU_VERSION=ubuntu:22.04
 
   base-docker-24.04:
     extends: base-docker
     image: "base-docker:24.04"
     build:
       args:
-        - UBUNTU_VERSION=ubuntu-24.04
+        - UBUNTU_VERSION=ubuntu:24.04
 
   base-action-20.04:
     extends: base-docker
     image: "base-action:20.04"
     build:
       args:
-        - UBUNTU_VERSION=ubuntu-20.04
+        - UBUNTU_VERSION=ubuntu:20.04
       target: base-action
 
   base-action-22.04:
     extends: base-docker
     image: "base-action:22.04"
     build:
       args:
-        - UBUNTU_VERSION=ubuntu-22.04
+        - UBUNTU_VERSION=ubuntu:22.04
       target: base-action
 
   base-action-24.04:
     extends: base-docker
     image: "base-action:24.04"
     build:
       args:
-        - UBUNTU_VERSION=ubuntu-24.04
+        - UBUNTU_VERSION=ubuntu:24.04
       target: base-action
 
 secrets:

ubuntu:20.04.sha

@@ -0,0 +1 @@
+ubuntu@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba

ubuntu:22.04.sha

@@ -0,0 +1 @@
+ubuntu@sha256:aabed3296a3d45cede1dc866a24476c4d7e093aa806263c27ddaadbdce3c1054