Fail the build if dep images are out of sync.

Previously if dependencies changed but dep image SHAs were not updated,
the build could succeed, creating docker images with indeterminate
dependencies.

This change checks the dependency image SHAs hard-coded in Dockerfile's
against the current source tree. If the SHAs do not match, the build
fails.

Fixes #118

Signed-off-by: Andrew Seigner <andrew@sig.gy>

bin/_docker.sh

@@ -6,6 +6,7 @@
 set -eu
 
 . bin/_log.sh
+. bin/_tag.sh
 
 # TODO this should be set to the canonical public docker regsitry; we can override this
 # docker regsistry in, for instance, CI.
@@ -50,6 +51,8 @@ docker_build() {
         output="/dev/stderr"
     fi
 
+    validate_tags "$file"
+
     # Even when we haven't built an image locally, we can try to use a known prior version
     # of the image to prevent rebuilding layers.
     if [ -n "${DOCKER_BUILD_CACHE_FROM_TAG:-}" ]; then
@@ -87,6 +90,8 @@ docker_maybe_build() {
 
     extra="$@"
 
+    validate_tags "$file"
+
     if [ -z "${DOCKER_FORCE_BUILD:-}" ]; then
         docker pull "${repo}:${tag}" >/dev/null 2>&1 || true
 

bin/_tag.sh

@@ -31,3 +31,30 @@ clean_head_root_tag() {
 master_root_tag() {
     echo "git-$(git_sha master)"
 }
+
+validate_tag() {
+    file="$1"
+    shift
+
+    image="$1"
+    shift
+
+    sha="$1"
+    shift
+
+    dockerfile_tag=$(grep -oe $image':[^ ]*' $file) || true
+    deps_tag="$image:$sha"
+    if [ "$dockerfile_tag" != "" ] && [ "$dockerfile_tag" != "$deps_tag" ]; then
+        echo "Tag in "$file" does not match source tree:"
+        echo $dockerfile_tag" ("$file")"
+        echo $deps_tag" (source)"
+        exit 3
+    fi
+}
+
+validate_tags() {
+    file="$1"
+
+    validate_tag "$file" "gcr.io/runconduit/go-deps" "$(go_deps_sha)"
+    validate_tag "$file" "gcr.io/runconduit/proxy-deps" "$(proxy_deps_sha)"
+}