[Bug]: Github action CI can run on incorrect version of a tagged image if that image tag exists in dockerhub

[KevinMind]

What happened?

When running make up docker compose up <ARGS> is executed. docker compose will create containers for images specified in the config, and attempt to pull latest versions of each image.

In our docker-run action we are specifying only an image verision e.g. test which is then mapped to a tage mozilla/addons-server:<version>

If the version specified is in dockerhub, it will pull that version. Docker compose may or may not build the image. Seems a little unclear on how that logic exactly works. There are configurations available to explicitly build in the run step, but we don't necessarily want that as we have already built the image in a previous workflow step.

What did you expect to happen?

We should always run CI using the exact image build resulting from the build-docker action step. We can achieve this be exposing and specifying the image by build digest instead of version. This is a much more precise specification and means even if docker pulls the image, that means the image you want actually exists in dockerhub and would behave the same as the local version.

Each build of a docker image creates a unique digest so we can rely on it.

Is there an existing issue for this?

• I have searched the existing issues

┆Issue is synchronized with this Jira Task