Validate container image tag

[suzuki-shunsuke]

• Forbid latest
• hash

Image name and tag format

https://docs.docker.com/engine/reference/commandline/tag/

[HOST[:PORT_NUMBER]/]PATH[:TAG]

Tag Format

The tag must be valid ASCII and can contain lowercase and uppercase letters, digits, underscores, periods, and hyphens.
It cannot start with a period or hyphen and must be no longer than 128 characters.
If the tag is not specified, the command uses latest by default.

https://github.com/google/re2/wiki/Syntax

\w: word characters (≡ [0-9A-Za-z_])

\w[\w.-]{0,127}

Docker Hub Action

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-a-docker-hub-action

jobs:
  my_first_job:
    steps:
      - name: My first step
        uses: docker://alpine:3.8
      - uses: docker://alpine@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33 # 3.18.3

docker://{image}:{tag}
docker://{host}/{image}:{tag}

Docker action

https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#example-using-public-docker-registry-container

runs:
  using: 'docker'
  image: 'docker://debian:stretch-slim'

Job container

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-running-a-job-within-a-container
https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/007.md

The value can be the Docker Hub image name or a registry name.

jobs:
  container1:
    runs-on: ubuntu-latest
    container:
      image: node:latest

  container2:
    runs-on: ubuntu-latest
    container:
      image: alpine@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33 # 3.18.3

[suzuki-shunsuke]

• Using GHCR and wanting get tag snapshot instead of latest renovatebot/renovate#25263
• Support Docker uses in GitHub Actions renovatebot/renovate#25276

Doesn't work.

• chore(deps): update alpine:3.18.3 docker digest to 7144f7b test-github-action#195