From 3e6b0a20d5ae8dcef9b522f6fb16aef227468766 Mon Sep 17 00:00:00 2001 From: Andrew Seigner Date: Mon, 8 Jan 2018 17:43:22 -0800 Subject: [PATCH] Fail the build if dep images are out of sync. Previously if dependencies changed but dep image SHAs were not updated, the build could succeed, creating docker images with indeterminate dependencies. This change checks the dependency image SHAs hard-coded in Dockerfile's against the current source tree. If the SHAs do not match, the build fails. Fixes #118 Signed-off-by: Andrew Seigner --- bin/_docker.sh | 5 +++++ bin/_tag.sh | 27 +++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/bin/_docker.sh b/bin/_docker.sh index 0c678bfcf0f4c..ece28c9306b56 100644 --- a/bin/_docker.sh +++ b/bin/_docker.sh @@ -6,6 +6,7 @@ set -eu . bin/_log.sh +. bin/_tag.sh # TODO this should be set to the canonical public docker regsitry; we can override this # docker regsistry in, for instance, CI. @@ -50,6 +51,8 @@ docker_build() { output="/dev/stderr" fi + validate_tags "$file" + # Even when we haven't built an image locally, we can try to use a known prior version # of the image to prevent rebuilding layers. if [ -n "${DOCKER_BUILD_CACHE_FROM_TAG:-}" ]; then @@ -87,6 +90,8 @@ docker_maybe_build() { extra="$@" + validate_tags "$file" + if [ -z "${DOCKER_FORCE_BUILD:-}" ]; then docker pull "${repo}:${tag}" >/dev/null 2>&1 || true diff --git a/bin/_tag.sh b/bin/_tag.sh index df3b6103a7a72..2899eb72c7e73 100644 --- a/bin/_tag.sh +++ b/bin/_tag.sh 
@@ -31,3 +31,30 @@ clean_head_root_tag() {
 master_root_tag() {
 echo "git-$(git_sha master)"
 }
+
+validate_tag() {
+ file="$1"
+ shift
+
+ image="$1"
+ shift
+
+ sha="$1"
+ shift
+
+ dockerfile_tag=$(grep -oe $image':[^ ]*' $file) || true
+ deps_tag="$image:$sha"
+ if [ "$dockerfile_tag" != "" ] && [ "$dockerfile_tag" != "$deps_tag" ]; then
+ echo "Tag in "$file" does not match source tree:"
+ echo $dockerfile_tag" ("$file")"
+ echo $deps_tag" (source)"
+ exit 3
+ fi
+}
+
+validate_tags() {
+ file="$1"
+
+ validate_tag "$file" "gcr.io/runconduit/go-deps" "$(go_deps_sha)"
+ validate_tag "$file" "gcr.io/runconduit/proxy-deps" "$(proxy_deps_sha)"
+}
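Review bot: In `validate_tag`, the `|| true` after the `grep` makes the check fail open: a missing or unreadable Dockerfile (grep exit status 2) is handled the same as "image not referenced" (status 1), so `dockerfile_tag` is empty and the build proceeds without validation. `$image` and `$file` are also unquoted, and the `.` characters in the image name act as regex wildcards. I would tolerate only the no-match status and quote the expansions, e.g. `dockerfile_tag=$(grep -oe "$image"':[^ ]*' "$file") || [ $? -eq 1 ]`, so that under the `set -eu` visible in bin/_docker.sh any other grep failure should stop the build. If a Dockerfile references the same image on more than one line, `grep -o` returns several lines and the comparison fails even when every tag matches; the mismatch messages would also be better sent to stderr with `>&2`.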