minimumReleaseAge support for ECR public gallery - proven workaround

[dc2tom]

Tell us more.

As I'm not able to create a new issue on this project am I able to make a suggestion for allowing minimumReleaseAge timestamps to support the upstream amazon ECR public gallery docker registry?

I've been following #37196 and can see why using the repo author overridable releaseTimestamp is not a suitable suggestion, as a compromised registry could have its releaseTimestamp overwritten. However ECR public does offer up imagePushedAt and also createdAt which look to be equivalent to the metadata Docker Hub provides. These aren't included in the Docker manifest but they are available as separate undocumented API operations.

I've written a script to obtain the required imagePushedAt or createdAt timestamps, there's a nuance as the public gallery doesn't allow non browser API calls, so renovate would have to impersonate a browser by setting certain headers such as:

# Contract captured from gallery.ecr.aws: a REST-style POST to
# /describeImageTags with a plain JSON body (no X-Amz-Target). The endpoint
# sits behind a WAF that rejects non-browser clients, so we must send
# browser-like headers (a real User-Agent + Origin) — a generic User-Agent
# gets HTTP 403.
_ECR_GALLERY_URL = "https://api.us-east-1.gallery.ecr.aws/describeImageTags"
_ECR_GALLERY_HEADERS = {
    "Content-Type": "application/json",
    "Accept": "*/*",
    "Origin": "https://gallery.ecr.aws",
    "Referer": "https://gallery.ecr.aws/",
    "User-Agent": (
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/149.0.0.0 Safari/537.36"
    ),
}

you can then grab a json response like the below:

            {
            "imageTag": "11.0.31-al2-native-jdk",
            "createdAt": "2026-06-13T11:42:42.461Z",
            "imageDetail": {
                "imageDigest": "sha256:d9b34140ff6ee628a1be5adda2f52b26cdcd3d0f2b2bee99345fbc9567051873",
                "imageSizeInBytes": 224649280,
                "imagePushedAt": "2026-06-13T11:42:41.312Z",
                "imageManifestMediaType": "application/vnd.docker.distribution.manifest.list.v2+json"
            }
        },...

As much as this isn't an officially published API could renovate be altered to support it, as only Docker Hub is supported for release timestamps at present, and ECR public is used heavily by a lot of organisations.

[jamietanna]

Would https://docs.aws.amazon.com/AmazonECRPublic/latest/APIReference/API_DescribeImageTags.html not work? I think we'd want to avoid pretending to be a browser to avoid their scraping protection

[dc2tom]

Hi @jamietanna I did go down this road first, however that is for public ECR repositories that are within an owned AWS account not in the public gallery-I went as far as provisioning IAM roles and building a setup into our pipelines before the penny dropped. Now I’ve added a Gitlab policy gate for renovate MRs to check the upstream ECR pushedAt using the browser spoofing trick but it would obviously be better if renovate itself did this.