FROM python:3.7@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5 as build
The 3.7 tag part is retained.
As next steps:
Can you please investigate whether, if the tag is retained for docker images in GitHub Actions workflows, it works fine and dependabot updates it?
If yes, make changes to retain the tag in GitHub Actions workflows.
In this case, the test cases would also need to be updated.
I think we can retain the tag for the docker image in the format that you mentioned, and the retained tag would act as a fallback option in case referencing the pinned tag version fails; view here.
As for the dependabot part, the functionality for bumping docker actions isn't added yet. There is an open issue tracking this functionality: dependabot/dependabot-core/issues/5541
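The rewrite this issue asks for, sketched as an added example in Go (not secure-repo's own code): each unpinned `docker://` step in a workflow becomes `name:tag@digest`, with the tag kept as in the Dockerfile line above. The function name, digest table and sample workflow are constructed for illustration, the `python:3.7` digest is the one quoted on this page, and whether Actions and dependabot handle the resulting form is the open question in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesDocker matches a step such as `uses: docker://python:3.7` (optionally quoted).
// Group 1 = everything up to and including "docker://", group 2 = image reference.
var usesDocker = regexp.MustCompile(`^(\s*-?\s*uses:\s*["']?docker://)([^\s"'#]+)`)

// Constructed lookup table; a real tool would resolve digests from the registry.
var sampleDigests = map[string]string{
	"python:3.7": "sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5",
}

// Constructed workflow fragment used as sample input.
const sampleWorkflow = `steps:
  - uses: docker://python:3.7
  - name: already pinned
    uses: docker://python:3.7@sha256:5fb6f4b9d73ddeb0e431c938bee25c69157a1e3c880a81ff72c43a8055628de5
  - uses: docker://example.invalid/tool:1.0 # not in table`

// pinRetainingTag appends "@<digest>" to every unpinned docker:// reference
// and keeps the tag. References that are already pinned, or that have no
// entry in digests, are left exactly as written.
func pinRetainingTag(workflow string, digests map[string]string) string {
	lines := strings.Split(workflow, "\n")
	for i, line := range lines {
		m := usesDocker.FindStringSubmatch(line)
		if m == nil || strings.Contains(m[2], "@sha256:") {
			continue // not a docker:// step, or already pinned
		}
		digest, ok := digests[m[2]]
		if !ok {
			continue // unknown image: do not guess a digest
		}
		// Keep the rest of the line (closing quote, trailing comment) intact.
		lines[i] = m[1] + m[2] + "@" + digest + line[len(m[0]):]
	}
	return strings.Join(lines, "\n")
}

func main() {
	fmt.Println(pinRetainingTag(sampleWorkflow, sampleDigests))
}
```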
@Devils-Knight I noticed that when we pin docker images in GitHub Actions workflows, we do not retain the tag.
On the other hand, when we pin docker images in dockerfiles, we do retain the tag. Here is an example:
secure-repo/testfiles/dockerfiles/output/Dockerfile-not-pinned-as
Line 16 in abc34e3