If a digest SHA is used in a Dockerfile, PRs are not superseded when newer SHAs are created #7387

Open
1 task done
cp-fabian-pittroff opened this issue Jun 2, 2023 · 20 comments
Labels
L: docker Docker containers T: bug 🐞 Something isn't working

Comments

@cp-fabian-pittroff

cp-fabian-pittroff commented Jun 2, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

Docker

Package manager version

n/a

Language version

n/a

Manifest location and content before the Dependabot update

FROM steamcmd/steamcmd:ubuntu-22@sha256:091eb51de70e22deacb316671f90d526e253721d391138df82c5541ced75c2f9

dependabot.yml content

version: 2
updates:
    # Keep Docker dependencies up to date
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"

Updated dependency

FROM steamcmd/steamcmd:ubuntu-22@sha256:04e690a1c1b15e808967a0a7f243f0ce3833df872a2cbb45efb2b980edf4aaaa

What you expected to see, versus what you actually saw

I would expect that the previous pr gets updated with the new SHA-digest of the newest available docker image.

The pr doesn't get an update. If the pr gets created, it works (fixed with this issue: #6150)

Note: the steamcmd/steamcmd image gets an update every 6 hours.

Native package manager behavior

n/a

Images of the diff or a link to the PR, issue, or logs

Dependabot Output:

  proxy | 2023/06/02 18:51:12 proxy starting, commit: d719b9b9871e853c5fd63bf3552f3f857d979f3c
  proxy | 2023/06/02 18:51:12 Listening (:1080)
updater | 2023-06-02T18:51:13.089443171 [672606741:main:WARN:src/devices/src/legacy/serial.rs:222] Detached the serial input due to peer close/error.
updater | time="2023-06-02T18:51:15Z" level=info msg="guest starting" commit=8ab4a20db815b67034070152643b9878c12b051d
updater | time="2023-06-02T18:51:15Z" level=info msg="starting job..." fetcher_timeout=10m0s job_id=672606741 updater_timeout=45m0s updater_version=49704c16cb0893c0ab8c5f884471c324baf39b83-docker
updater | 2023/06/02 18:51:17 INFO Raven 3.1.2 ready to catch errors
updater | 2023/06/02 18:51:19 INFO <job_672606741> Starting job processing
  proxy | 2023/06/02 18:51:19 [002] GET https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue
  proxy | 2023/06/02 18:51:19 [002] * authenticating github api request with token for api.github.com
  proxy | 2023/06/02 18:51:20 [002] 200 https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue
  proxy | 2023/06/02 18:51:20 [004] GET https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/git/refs/heads/main
  proxy | 2023/06/02 18:51:20 [004] * authenticating github api request with token for api.github.com
  proxy | 2023/06/02 18:51:20 [004] 200 https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/git/refs/heads/main
  proxy | 2023/06/02 18:51:20 [006] GET https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/contents/?ref=babfbeddaa2bb039cef523b825544e050da59885
  proxy | 2023/06/02 18:51:20 [006] * authenticating github api request with token for api.github.com
  proxy | 2023/06/02 18:51:20 [006] 200 https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/contents/?ref=babfbeddaa2bb039cef523b825544e050da59885
  proxy | 2023/06/02 18:51:20 [008] GET https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/contents/Dockerfile?ref=babfbeddaa2bb039cef523b825544e050da59885
  proxy | 2023/06/02 18:51:20 [008] * authenticating github api request with token for api.github.com
  proxy | 2023/06/02 18:51:20 [008] 200 https://api.github.com:443/repos/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue/contents/Dockerfile?ref=babfbeddaa2bb039cef523b825544e050da59885
updater | 2023/06/02 18:51:20 INFO <job_672606741> Finished job processing
updater | time="2023-06-02T18:51:20Z" level=info msg="task complete" container_id=job-672606741-file-fetcher exit_code=0 job_id=672606741 step=fetcher
updater | 2023/06/02 18:51:22 INFO Raven 3.1.2 ready to catch errors
updater | 2023/06/02 18:51:24 INFO <job_672606741> Starting job processing
updater | 2023/06/02 18:51:24 INFO <job_672606741> Starting update job for cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue
updater | 2023/06/02 18:51:24 INFO <job_672606741> Checking all dependencies for version updates...
updater | 2023/06/02 18:51:24 INFO <job_672606741> Checking if steamcmd/steamcmd ubuntu-22 needs updating
  proxy | 2023/06/02 18:51:24 [014] GET https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/tags/list
  proxy | 2023/06/02 18:51:24 [014] 401 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/tags/list
  proxy | 2023/06/02 18:51:24 [016] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [016] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [018] GET https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/tags/list
  proxy | 2023/06/02 18:51:25 [018] 200 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/tags/list
  proxy | 2023/06/02 18:51:25 [020] HEAD https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/latest
  proxy | 2023/06/02 18:51:25 [020] 401 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/latest
  proxy | 2023/06/02 18:51:25 [022] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [022] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [024] HEAD https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/latest
  proxy | 2023/06/02 18:51:25 [024] 200 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/latest
updater | 2023/06/02 18:51:25 INFO <job_672606741> Latest version is ubuntu-22
  proxy | 2023/06/02 18:51:25 [026] HEAD https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/ubuntu-22
  proxy | 2023/06/02 18:51:25 [026] 401 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/ubuntu-22
  proxy | 2023/06/02 18:51:25 [028] GET https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [028] 200 https://auth.docker.io:443/token?service=registry.docker.io&scope=repository%3Asteamcmd%2Fsteamcmd%3Apull&account
  proxy | 2023/06/02 18:51:25 [030] HEAD https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/ubuntu-22
  proxy | 2023/06/02 18:51:25 [030] 200 https://registry.hub.docker.com:443/v2/steamcmd/steamcmd/manifests/ubuntu-22
updater | 2023/06/02 18:51:25 INFO <job_672606741> Pull request already exists for steamcmd/steamcmd with latest version ubuntu-22
updater | 2023/06/02 18:51:25 INFO <job_672606741> Finished job processing
updater | time="2023-06-02T18:51:25Z" level=info msg="task complete" container_id=job-672606741-updater exit_code=0 job_id=672606741 step=updater

Smallest manifest that reproduces the issue

https://github.com/cp-fabian-pittroff/dependabot-docker-sha-digest-pr-update-issue

@AlexanderYastrebov

AlexanderYastrebov commented Aug 29, 2023

We observed the same problem. After removal of the tag dependabot even fails with error (see zalando/skipper#2546)

updater | 2023/08/29 13:52:01 INFO <job_715278877> Checking if library/alpine-3 2213d4d74c39af5313b631cbde2630b4007755b280f0f6b98867f66103b76113 needs updating
  proxy | 2023/08/29 13:52:01 [030] GET https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list
  proxy | 2023/08/29 13:52:02 [030] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list
  proxy | 2023/08/29 13:52:02 [032] GET https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list?last=3-20230828
  proxy | 2023/08/29 13:52:02 [032] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/tags/list?last=3-20230828
updater | 2023/08/29 13:52:02 INFO <job_715278877> Latest version is 
updater | 2023/08/29 13:52:02 INFO <job_715278877> Sending event e767ddc58ce84841ba7cb7c0cc6fd880 to Sentry
  proxy | 2023/08/29 13:52:03 [034] POST https://sentry.io:443/api/1451818/store/
  proxy | 2023/08/29 13:52:03 [034] 200 https://sentry.io:443/api/1451818/store/
updater | 2023/08/29 13:52:03 ERROR <job_715278877> Error processing library/alpine-3 (NoMethodError)
updater | 2023/08/29 13:52:03 ERROR <job_715278877> undefined method `match?' for nil:NilClass
updater | 
updater |         name.match?(FileParser::DIGEST)
updater |             ^^^^^^^
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/tag.rb:31:in `digest?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:185:in `updated_digest'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:90:in `block in digest_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:89:in `all?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:89:in `digest_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/docker/lib/dependabot/docker/update_checker.rb:71:in `version_up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/common/lib/dependabot/update_checkers/base.rb:34:in `up_to_date?'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:79:in `check_and_create_pull_request'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:59:in `check_and_create_pr_with_error_handling'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `block in perform'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `each'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater/operations/update_all_versions.rb:34:in `perform'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/updater.rb:63:in `run'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/update_files_command.rb:38:in `perform_job'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> /home/dependabot/dependabot-updater/lib/dependabot/base_command.rb:52:in `run'
updater | 2023/08/29 13:52:03 ERROR <job_715278877> bin/update_files.rb:23:in `<main>'
updater | 2023/08/29 13:52:03 INFO <job_715278877> Finished job processing
updater | 2023/08/29 13:52:03 INFO Results:
updater | Dependabot encountered '1' error(s) during execution, please check the logs for more details.
updater | +----------------------------------+
updater | |  Dependencies failed to update   |
updater | +------------------+---------------+
updater | | library/alpine-3 | unknown_error |
updater | +------------------+---------------+
updater | time="2023-08-29T13:52:03Z" level=info msg="task complete" container_id=job-715278877-updater exit_code=0 job_id=715278877 step=updater

The Dockerfile docs https://docs.docker.com/engine/reference/builder/#from allow:

FROM [--platform=<platform>] <image> [AS <name>]
# or
FROM [--platform=<platform>] <image>[:<tag>] [AS <name>]
# or
FROM [--platform=<platform>] <image>[@<digest>] [AS <name>]

forms.

Dependabot neither supports undocumented (see moby/moby#37866) FROM foo:atag@sha256:112233... nor documented FROM foo@sha256:112233... forms with digest.

AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Aug 31, 2023
Dependabot fails to update registry.opensource.zalan.do/library/alpine-3 base image hash,
see dependabot/dependabot-core#7387

This change
* removes image hash and re-introduces latest label.
  For multiarch and ghcr.io builds base image is specified via BASE_IMAGE
  build argument and also uses latest label.
* uses COPY instead of ADD following
  https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#add-or-copy
* prints alpine release version during build
* removes redundant commands
* does not touch Dockerfile.arm64 and Dockerfile.armv7 - they are almost
  identical to Dockerfile and we may unify and use a single Dockerfile
  for all builds later.

Followup on #2546

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Aug 31, 2023
Dependabot fails to update registry.opensource.zalan.do/library/alpine-3 base image hash,
see dependabot/dependabot-core#7387

This change removes image hash and re-introduces latest label.
For multiarch and ghcr.io builds base image is specified via BASE_IMAGE build argument and also uses latest label.

Followup on #2546

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit to zalando/skipper that referenced this issue Sep 1, 2023
Dependabot fails to update registry.opensource.zalan.do/library/alpine-3 base image hash,
see dependabot/dependabot-core#7387

This change removes image hash and re-introduces latest label.
For multiarch and ghcr.io builds base image is specified via BASE_IMAGE build argument and also uses latest label.

Followup on #2546

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
@jurre
Member

jurre commented Sep 5, 2023

@cp-fabian-pittroff when attempting to run Dependabot on your sample repo, it seems to update correctly for me:

 => bump steamcmd/steamcmd from `091eb51` to `6681332`

    ± Dockerfile
    ~~~
    --- /tmp/original20230905-11-7gl513	2023-09-05 12:25:57.250082000 +0000
    +++ /tmp/updated20230905-11-bpm2ze	2023-09-05 12:25:57.250082000 +0000
    @@ -1 +1 @@
    -FROM steamcmd/steamcmd:ubuntu-22@sha256:091eb51de70e22deacb316671f90d526e253721d391138df82c5541ced75c2f9
    +FROM steamcmd/steamcmd:ubuntu-22@sha256:6681332e3f616b2610f582ef8ec345d116d914c0deb76a8e419d9e970aacea15
    ~~~
    2 insertions (+), 2 deletions (-)
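
Review bot: On the `+FROM` line the `ubuntu-22` tag stays next to the new digest, and per moby/moby#37866 (cited in this thread) the tag is ignored once a digest is present, so the tag is documentation only and nothing in the build checks it. Before merging a bump like this, confirm that the new digest (`6681332`) is what the registry currently returns for `ubuntu-22`.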

Could it maybe have been resolved since this issue was opened?

@AlexanderYastrebov what's the best way to reproduce the issue you were running into, is there a specific sha in the repo you referenced that I can check?

@AlexanderYastrebov

@jurre Hello. It failed on

FROM registry.opensource.zalan.do/library/alpine-3@sha256:2213d4d74c39af5313b631cbde2630b4007755b280f0f6b98867f66103b76113 AS default

https://github.com/zalando/skipper/blob/43e1dcafbfa8cf545b21a99daf756939f1c44d5d/packaging/Dockerfile

Note that we attempted to remove tag (and only use hash) within zalando/skipper#2546 because dependabot stopped updating hash and said that "Pull request already exists for library/alpine-3 with latest version latest":

updater | 2023/08/29 00:21:53 INFO <job_714994438> Checking if library/alpine-3 latest needs updating
updater | 2023/08/29 00:21:53 INFO <job_714994438> Latest version is latest
  proxy | 2023/08/29 00:21:53 [018] HEAD https://registry.opensource.zalan.do:443/v2/library/alpine-3/manifests/latest
  proxy | 2023/08/29 00:21:53 [018] 200 https://registry.opensource.zalan.do:443/v2/library/alpine-3/manifests/latest
updater | 2023/08/29 00:21:53 INFO <job_714994438> Pull request already exists for library/alpine-3 with latest version latest

@cp-fabian-pittroff
Author

Hello @jurre

I manually triggered a dependabot rebase and the sha got updated. But the scheduled update with dependabot doesn't update the pr:

updater | 2023/09/04 15:32:30 INFO <job_717694753> Pull request already exists for steamcmd/steamcmd with latest version ubuntu-22
updater | 2023/09/04 15:32:30 INFO <job_717694753> Finished job processing

Now the current latest sha is: 6681332e3f616b2610f582ef8ec345d116d914c0deb76a8e419d9e970aacea15

image

In 2-3 hours the docker sha should be changed again and also the pr should update with the next dependabot schedule.

I'll report back after the next docker sha change.

@cp-fabian-pittroff
Author

Hello,

sha changed to 044c5c03c0d8aeb0a9e510dd4c57e6392409cb45a0ded6734fe9d8ac540b36f7. Triggered dependabot schedule update, same log and no updated pr.

@deivid-rodriguez
Contributor

Any updates on a potential repro for this?

@szuecs

szuecs commented Sep 19, 2023

@deivid-rodriguez I think #7387 (comment) has all information and references a PR that shows the problem. If you need more let us know.

@deivid-rodriguez
Contributor

Oh, right, thanks @szuecs. #8070 should fix this!

@deivid-rodriguez
Contributor

deivid-rodriguez commented Sep 20, 2023

After a closer look, my PR only fixes the last error you mentioned, but I don't think it will fix the original issue.

My understanding is that the original issue is that, when pinned to a SHA reference, Dependabot is able to create an initial PR, but then subsequent scheduled runs won't update the initial PR with newer SHAs like it happens with regular version updates. I think that's still an issue. You can work around it as mentioned above with @dependabot recreate or by merging the PR and letting a fresh one be created.

Something I'm not clear about is that, according to my investigation, the last error mentioned happened due to registry.opensource.zalan.do/library/alpine-3 not providing a "latest" tag. However the previous error about a PR already being opened mentions the "latest" tag. So I'm confused about that. Is it expected that your image does not provide a rolling latest tag?

@cp-fabian-pittroff
Author

Would it help if I update the provided repository with a ci workflow, to manually update a docker image?
So something like a nginx container with the github_run_id for the index.html?

Recreating the PR or merging it works.

deivid-rodriguez changed the title from "docker - no pr update if a digest SHA is used" to "If a digest SHA is used in a Dockerfile, PRs are not superseded when newer SHAs are created" on Sep 20, 2023
@szuecs

szuecs commented Sep 20, 2023

@deivid-rodriguez I am not sure if you can access https://github.com/zalando/skipper/security/code-scanning/117 , but if so the reason why not to use "latest" tag is because OpenSSF scorecard says we should "pin by hash" and not use "latest" tag.

Here is a picture of the recommendation:
image

@deivid-rodriguez
Contributor

I can't access that, but my point was not to advise against using "latest" as the consumer of the image, but that under my testing, the "latest" label for the registry.opensource.zalan.do/library/alpine-3 did not exist. I think I'm missing something since I can pull that tag just fine, so let me double check.

@deivid-rodriguez
Contributor

So, to try to better explain the problem.

While https://registry.opensource.zalan.do/v2/library/alpine-3/tags/list does not list "latest", the "latest" tag does exist as per https://registry.opensource.zalan.do/v2/library/alpine-3/manifests/latest. This confuses dependabot.

If I completely remove the line that checks whether the "latest" tag is listed:

diff --git a/docker/lib/dependabot/docker/update_checker.rb b/docker/lib/dependabot/docker/update_checker.rb
index 91fddf714..e831bca37 100644
--- a/docker/lib/dependabot/docker/update_checker.rb
+++ b/docker/lib/dependabot/docker/update_checker.rb
@@ -214,8 +214,6 @@ module Dependabot
       end
 
       def latest_digest
-        return unless tags_from_registry.map(&:name).include?("latest")
-
         digest_of("latest")
       end
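
Review bot: In `latest_digest`, dropping the `return unless tags_from_registry.map(&:name).include?("latest")` guard makes `digest_of("latest")` run for every image, including ones whose registry has no `latest` tag at all. The hunk does not show what `digest_of` does when that manifest lookup fails, so either confirm it returns nil rather than raising, or keep the early return and fall back to the manifest lookup only when the tag list omits `latest`. A test for a registry whose tags/list omits `latest` but which serves manifests/latest would document the case this is meant to cover.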

then the update succeeds just fine.

Regardless of this, I suspect the issue originally reported here (and the one the title currently describes) is a separate issue, independent from the registry implementation.

@szuecs

szuecs commented Sep 20, 2023

@deivid-rodriguez my and @AlexanderYastrebov's problem is that we would like to use a pinned hash, not latest.
This sha256 version is not recognized by dependabot. So the same as reported by @cp-fabian-pittroff

@deivid-rodriguez
Contributor

Are you able to get a PR bumping the pinned hash at all? I assume not for the registry.opensource.zalan.do/library/alpine-3 image as I explained.

@cp-fabian-pittroff can get PRs bumping pinned hashes, but once a PR is created it is not updated or superseded with newer hashes.

@cp-fabian-pittroff
Author

@cp-fabian-pittroff can get PRs bumping pinned hashes, but once a PR is created it is not updated or superseded with newer hashes.

That is correct.

I have a combination of tag and pinned hash (nginx:stable-alpine@sha256:fc9b8c25953467e406a95ab7b65cbfa9f56b6f24cffcd5ba07b30c2d388490b6). With the example, I would expect dependabot to search for stable-alpine and figure out if there is another sha associated with it.

Without a tag, dependabot can't really decide what the desired update target should be, can it? So from my point of view, there are only two options:

  1. error out with an explanation (something like: without tag information, dependabot can't check for updates)
  2. fall back to the latest tag (but that might be confusing)

Unfortunately docker doesn't provide more information about a pinned image (RepoTags are empty).

docker inspect...

docker image inspect nginx@sha256:fc9b8c25953467e406a95ab7b65cbfa9f56b6f24cffcd5ba07b30c2d388490b6
[
    {
        "Id": "sha256:6dae3976ee053bb83177d82f6d05d91d669423bab48a9db94805e0b7808065c5",
        "RepoTags": [],
        "RepoDigests": [
            "nginx@sha256:fc9b8c25953467e406a95ab7b65cbfa9f56b6f24cffcd5ba07b30c2d388490b6"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2023-08-09T02:16:04.742143271Z",
        "Container": "2c525ecdd2ce275fc8fcbb28650a821965558907fee45bae682fffb7bb0c4594",
        "ContainerConfig": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "80/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "NGINX_VERSION=1.24.0",
                "PKG_RELEASE=1",
                "NJS_VERSION=0.7.12"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "set -x     && apkArch=\"$(cat /etc/apk/arch)\"     && nginxPackages=\"         nginx=${NGINX_VERSION}-r${PKG_RELEASE}         nginx-module-xslt=${NGINX_VERSION}-r${PKG_RELEASE}         nginx-module-geoip=${NGINX_VERSION}-r${PKG_RELEASE}         nginx-module-image-filter=${NGINX_VERSION}-r${PKG_RELEASE}         nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-r${PKG_RELEASE}     \"     && apk add --no-cache --virtual .checksum-deps         openssl     && case \"$apkArch\" in         x86_64|aarch64)             set -x             && KEY_SHA512=\"e09fa32f0a0eab2b879ccbbc4d0e4fb9751486eedda75e35fac65802cc9faa266425edf83e261137a2f4d16281ce2c1a5f4502930fe75154723da014214f0655\"             && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub             && if echo \"$KEY_SHA512 */tmp/nginx_signing.rsa.pub\" | sha512sum -c -; then                 echo \"key verification succeeded!\";                 mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/;             else                 echo \"key verification failed!\";                 exit 1;             fi             && apk add -X \"https://nginx.org/packages/alpine/v$(egrep -o '^[0-9]+\\.[0-9]+' /etc/alpine-release)/main\" --no-cache $nginxPackages             ;;         *)             set -x             && tempDir=\"$(mktemp -d)\"             && chown nobody:nobody $tempDir             && apk add --no-cache --virtual .build-deps                 gcc                 libc-dev                 make                 openssl-dev                 pcre2-dev                 zlib-dev                 linux-headers                 libxslt-dev                 gd-dev                 geoip-dev                 libedit-dev                 bash                 alpine-sdk                 findutils             && su nobody -s /bin/sh -c \"                 export HOME=${tempDir}                 && cd ${tempDir}                 && curl -f -O 
https://hg.nginx.org/pkg-oss/archive/${NGINX_VERSION}-${PKG_RELEASE}.tar.gz                 && PKGOSSCHECKSUM=\\\"dc47dbaeb1c0874b264d34ddfec40e7d2b814e7db48d144e12d5991c743ef5fcf780ecbab72324e562dd84bb9c0e4dd71d14850b20ceaf470c46f8fe7510275b *${NGINX_VERSION}-${PKG_RELEASE}.tar.gz\\\"                 && if [ \\\"\\$(openssl sha512 -r ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz)\\\" = \\\"\\$PKGOSSCHECKSUM\\\" ]; then                     echo \\\"pkg-oss tarball checksum verification succeeded!\\\";                 else                     echo \\\"pkg-oss tarball checksum verification failed!\\\";                     exit 1;                 fi                 && tar xzvf ${NGINX_VERSION}-${PKG_RELEASE}.tar.gz                 && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE}                 && cd alpine                 && make module-geoip module-image-filter module-njs module-xslt                 && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk                 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz                 \"             && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/             && apk del .build-deps             && apk add -X ${tempDir}/packages/alpine/ --no-cache $nginxPackages             ;;     esac     && apk del .checksum-deps     && if [ -n \"$tempDir\" ]; then rm -rf \"$tempDir\"; fi     && if [ -n \"/etc/apk/keys/abuild-key.rsa.pub\" ]; then rm -f /etc/apk/keys/abuild-key.rsa.pub; fi     && if [ -n \"/etc/apk/keys/nginx_signing.rsa.pub\" ]; then rm -f /etc/apk/keys/nginx_signing.rsa.pub; fi     && apk add --no-cache curl ca-certificates"
            ],
            "Image": "sha256:90751f73663d6fc8df8afc448d7d65eaddd4c815176a4738891ad948fa4d5f62",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>"
            },
            "StopSignal": "SIGQUIT"
        },
        "DockerVersion": "20.10.23",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "80/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "NGINX_VERSION=1.24.0",
                "PKG_RELEASE=1",
                "NJS_VERSION=0.7.12"
            ],
            "Cmd": [
                "nginx",
                "-g",
                "daemon off;"
            ],
            "Image": "sha256:90751f73663d6fc8df8afc448d7d65eaddd4c815176a4738891ad948fa4d5f62",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": [
                "/docker-entrypoint.sh"
            ],
            "OnBuild": null,
            "Labels": {
                "maintainer": "NGINX Docker Maintainers <docker-maint@nginx.com>"
            },
            "StopSignal": "SIGQUIT"
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 41111276,
        "VirtualSize": 41111276,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/25e5b92b8de9804d2ee5e5b20149bd6baa6ad225614cbc22a535d75c98220543/diff:/var/lib/docker/overlay2/e0bcb5fb8198eb72cb27e9d48e8d1dce0796a769c2a5f21453ecea9091497866/diff:/var/lib/docker/overlay2/0eefeec894cc90d2ba5e030bca61f188806c71415b6f1c41b20095054c8f4817/diff:/var/lib/docker/overlay2/e00b71a2a5d74a8ddac531808b8fe41dab094314619e0bbedc92125f312c23be/diff:/var/lib/docker/overlay2/648c56736d8f9c1ccea7d8bb1cb911665125a00c3642aa61d63fc41d10c7e6ea/diff:/var/lib/docker/overlay2/a860c0e9e194db3c4f049bea0e3387e2f1f707eea2aae71c9e8cd3677772bfc2/diff",
                "MergedDir": "/var/lib/docker/overlay2/c69f82298e2d2efdb8653a6beff36879fe8c357bddb8429f4fc92203d58886c6/merged",
                "UpperDir": "/var/lib/docker/overlay2/c69f82298e2d2efdb8653a6beff36879fe8c357bddb8429f4fc92203d58886c6/diff",
                "WorkDir": "/var/lib/docker/overlay2/c69f82298e2d2efdb8653a6beff36879fe8c357bddb8429f4fc92203d58886c6/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:36b50b131297b8860da51b2d2b24bb4c08dfbdf2789b08e3cc0f187c98637a19",
                "sha256:57b608dd7b54de578dfd642a64f3fdd97382b9e6f64048f2e2d2f2f0b5fba106",
                "sha256:9c01e5b3bd66a2fa68d3fc86561e62bee7ac4ba0d48cca885118946ba066d21f",
                "sha256:bb0903fd6f90dc5fa5718236a89f8df7a415a61a595254bb266691c3b1a6d25c",
                "sha256:4c6a1307a10bbd3f947505ba405d43a04e97f1fe5fd23c01a36534cc4f5ca3b0",
                "sha256:2b60bbe779e0616bf50d09b65ce80914ced19ea227d90c81b73bd4d63d3b227b",
                "sha256:194b12cb5e855dd336c7aacf8cb6e9475d9795676ef37b589a62bccc50c757fe"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

@deivid-rodriguez
Contributor

Yes, we currently fall back to the latest tag. The problem is that when checking if a PR is already opened for the latest version, we don't seem to consider SHAs, that's why you won't get the PR superseded with another PR when there's a newer SHA available.
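
An added example (not Dependabot's code) modelling the behaviour discussed in this thread: parsing the `FROM` forms, falling back to `latest` when the reference has no tag, and deciding whether an open PR still matches once the tag's digest has moved. `ImageRef`, `OpenPr`, `parse_from`, `tracked_tag`, `decide` and the in-memory registry hash are hypothetical names; the digests are the ones quoted in the issue, arranged into a constructed state.

```ruby
# Added example; every name here is hypothetical and this is not Dependabot's code.
ImageRef = Struct.new(:image, :tag, :digest, keyword_init: true)
OpenPr   = Struct.new(:tag, :digest, keyword_init: true)

DIGEST = /\Asha256:\h{64}\z/

# Parse `FROM [--platform=...] image[:tag][@digest] [AS name]`.
# Returns nil for lines that are not FROM instructions.
def parse_from(line)
  tokens = line.strip.split(/\s+/)
  return nil unless tokens.shift.to_s.casecmp?("FROM")
  tokens.shift while tokens.first.to_s.start_with?("--")
  ref = tokens.first
  return nil if ref.nil?

  name, digest = ref.split("@", 2)
  raise ArgumentError, "malformed digest in #{ref}" if digest && !DIGEST.match?(digest)

  # A ':' separates the tag only when it comes after the last '/';
  # an earlier ':' is a registry port (localhost:5000/app).
  colon = name.rindex(":")
  slash = name.rindex("/") || -1
  if colon && colon > slash
    ImageRef.new(image: name[0...colon], tag: name[(colon + 1)..], digest: digest)
  else
    ImageRef.new(image: name, tag: nil, digest: digest)
  end
end

# A digest-only reference names no tag to follow, so the only thing left to
# track is the fallback described in the thread: "latest".
def tracked_tag(ref)
  ref.tag || "latest"
end

# registry: constructed stand-in for the registry, mapping tag => current digest.
# open_pr:  what an already-open PR proposes, or nil.
# digest_aware: false models matching an open PR on the tag alone (the reported
# behaviour); true also requires the PR to propose the tag's current digest.
def decide(ref, registry, open_pr, digest_aware:)
  tag = tracked_tag(ref)
  current = registry[tag]
  return :tag_not_found if current.nil?   # handle a missing tag instead of calling methods on nil
  return :up_to_date if ref.digest == current
  return :create_pr if open_pr.nil?

  same_target = open_pr.tag == tag
  same_target &&= open_pr.digest == current if digest_aware
  same_target ? :pr_already_exists : :supersede_pr
end

# Constructed state built from the digests quoted in the issue:
# the Dockerfile pin, the digest the open PR proposes, and a later digest.
PINNED   = "sha256:091eb51de70e22deacb316671f90d526e253721d391138df82c5541ced75c2f9"
PROPOSED = "sha256:04e690a1c1b15e808967a0a7f243f0ce3833df872a2cbb45efb2b980edf4aaaa"
CURRENT  = "sha256:6681332e3f616b2610f582ef8ec345d116d914c0deb76a8e419d9e970aacea15"

if __FILE__ == $PROGRAM_NAME
  ref      = parse_from("FROM steamcmd/steamcmd:ubuntu-22@#{PINNED}")
  registry = { "ubuntu-22" => CURRENT }
  open_pr  = OpenPr.new(tag: "ubuntu-22", digest: PROPOSED)

  puts "tag-only match:     #{decide(ref, registry, open_pr, digest_aware: false)}"
  puts "digest-aware match: #{decide(ref, registry, open_pr, digest_aware: true)}"
end
```

With the tag-only match the stale PR is treated as current, which is the "Pull request already exists" log line in the reports above; comparing digests as well marks it for replacement.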

@AlexanderYastrebov

AlexanderYastrebov commented Sep 21, 2023

I have a combination of tag and pinned hash

In such a case the tag is ignored, see moby/moby#37866

@szuecs

szuecs commented Sep 29, 2023

FYI: we got an update zalando/skipper#2635

@deivid-rodriguez
Contributor

Yes. Your problem is specific to the alpine-3 image as I explained at #7387 (comment). The other images shouldn't be having any issues.
