Using the correct digest for a docker image with an override

[dsm23]

How are you running Renovate?

A Mend.io-hosted app

Which platform you running Renovate on?

GitHub.com

Which version of Renovate are you using?

43.186.8

Please tell us more about your question or problem

I am using the minimumReleaseAge feature on all the relevant datasources that support it. Obviously, docker images hosted on registries other than docker hub are not currently supported, ghcr.io being one. I want my pnpm docker image and pnpm package manager to update on the same day. They are, seemingly, released together. One way I thought I could do this was with overrides. Something like:

{
  "packageRules": [
    ...
    {
      "matchPackageNames": ["ghcr.io/pnpm/pnpm"],
      "matchDatasources": ["docker"],
      "overrideDatasource": "npm",
      "overridePackageName": "pnpm"
    }
  ]
}

This does delay the creation of the PR for the pnpm docker image. What it then fails to do is gather the correct digest for the pnpm docker image because it is no longer pointing at the correct datasource. Is there some hack I could use to use one datasource as the trigger and then collect the specifics of the docker image version from another datasource?

[yudin-s]

I don't think there is a clean way to do this with one dependency entry.

overrideDatasource changes the datasource Renovate uses for that dependency. Once ghcr.io/pnpm/pnpm is treated as npm:pnpm, Renovate can use npm release metadata for timing, but it has also lost the Docker datasource context needed to resolve the image digest. The digest is registry metadata, not npm package metadata.

So the missing piece would be something like separate "version datasource" and "artifact/digest datasource" support. Renovate does not currently model Docker updates that way.

The practical options are probably:

• Keep the Docker image as datasource docker, so digest pinning continues to work.
• Group the pnpm package manager update and the pnpm Docker image update so they are reviewed together when both exist.
• Use schedule/automerge rules to reduce the chance that the Docker image lands much earlier than the npm package.
• If exact synchronization is more important than digest updates, use a custom manager/npm override, but accept that Renovate cannot correctly update the Docker digest from that dependency.

I would not use the npm override for a digest-pinned Docker image unless you are comfortable maintaining the digest separately. It solves the release-age trigger but breaks the thing that makes Docker pinning safe.

If this solves it, please mark this comment as the answer so other people can find it faster.