Docker digest pinning breaks devcontainers

[JohnStrunk]

What would you like help with?

I think I found a bug

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us which platform (GitHub, GitLab, etc) and which version of Renovate.

No response

Please tell us more about your question or problem

The new devcontainer updater #28206 seems to be incompatible with pinning Docker digests, resulting in broken devcontainer.json files (at least, as far as vscode is concerned).

My renovate config is here: https://github.com/JohnStrunk/jira-summary/blob/66e7109475dae7975d3bf4686c5a2daba22dca37/.github/renovate.json5

Relevant lines:

  "extends": [
    // ...
    "docker:pinDigests",              // Pin container digests
    // ...
  ],

This resulted in the following commit from renovate: JohnStrunk/jira-summary@286ee44 (#38)
That commit pins not only the "image" (which is correct), but it also pins the containers in the "features" list. However, vscode doesn't support hash pinning for the features.

Resulting devcontainer build log:

[19834 ms] Resolving Feature dependencies for 'ghcr.io/devcontainers/features/docker-in-docker:2.10.2@sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c'...
[19834 ms] * Processing feature: ghcr.io/devcontainers/features/docker-in-docker:2.10.2@sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c
[19835 ms] Path 'devcontainers/features/docker-in-docker:2.10.2' for input 'ghcr.io/devcontainers/features/docker-in-docker:2.10.2@sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c' failed validation.  Expected path to match regex '/^[a-z0-9]+([._-][a-z0-9]+)*(\/[a-z0-9]+([._-][a-z0-9]+)*)*$/'.
[19835 ms] Could not resolve Feature manifest for 'ghcr.io/devcontainers/features/docker-in-docker:2.10.2@sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c'.  If necessary, provide registry credentials with 'docker login <registry>'.
[19835 ms] Github feature.
[19835 ms] Could not resolve Feature 'ghcr.io/devcontainers/features/docker-in-docker:2.10.2@sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c'.  Ensure the Feature is published and accessible from your current environment.
[19835 ms] Error: ERR: Feature 'ghcr.io/devcontainers/features/docker-in-docker:2.10.2@sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c' could not be processed.  You may not have permission to access this Feature, or may not be logged in.  If the issue persists, report this to the Feature author.

Looking at the devcontainer spec, it doesn't seem to support hashes for features: https://containers.dev/implementors/features/#referencing-a-feature

Removing the hashes from the features (but leaving the one for image) allows the devcontainer to build and start as expected.

Logs (if relevant)

Logs

Replace this text with your logs, between the starting and ending triple backticks

[rarkins]

Your config is telling Renovate "pin digests for all docker dependencies". Renovate is attempting to do exactly that. This is not an error of the manager or datasource, instead needs to be fixed using config

[JohnStrunk]

ok. I added the following, which seems to disable pinning for the devcontainer:

  "packageRules": [
    {
      "description": "Don't pin digests in devcontainer.json because it's not supported in features",
      "matchManagers": ["devcontainer"],
      "pinDigests": false
    }
  ]

1. It would be nice if it were possible to continue to pin the image:, but not the items in the feature list
2. The docker:pinDigests preset would probably benefit from an update to include the above so it doesn't accidentally break users.
3. ... or at least a note in the docs for the devcontainer manager that mentions the need to disable pinning.

Thanks for your help.

[rarkins]

Do they have a different depType value? Look at the "packageFiles with updates" message

[JohnStrunk]

I'm not seeing any difference between them, nor is there a depType. The log snippet below shows the image (mcr.microsoft.com/devcontainers/python:3.12-bookworm) and one of the features (ghcr.io/devcontainers/features/docker-in-docker:2.10.2)

While I might be able to match on the depName containing the string "features", that's not a guarantee since it can be an arbitrary container image name.

Here's that portion of the log...

DEBUG: packageFiles with updates (repository=local)
       "config": {
         "devcontainer": [
           {
             "deps": [
               {
                 "depName": "mcr.microsoft.com/devcontainers/python",
                 "currentValue": "3.12-bookworm",
                 "replaceString": "mcr.microsoft.com/devcontainers/python:3.12-bookworm",
                 "autoReplaceStringTemplate": "{{depName}}{{#if newValue}}:{{newValue}}{{/if}}{{#if newDigest}}@{{newDigest}}{{/if}}",
                 "datasource": "docker",
                 "updates": [
                   {
                     "isPinDigest": true,
                     "updateType": "pinDigest",
                     "newValue": "3.12-bookworm",
                     "newDigest": "sha256:907f5f276a1a670b0fc7da5fbf729c3edb3c03c384b8d7aa18b42ed01c66a1c2",
                     "branchName": "renovate/pin-dependencies"
                   }
                 ],
                 "packageName": "mcr.microsoft.com/devcontainers/python",
                 "versioning": "docker",
                 "warnings": [],
                 "registryUrl": "https://mcr.microsoft.com",
                 "lookupName": "devcontainers/python",
                 "currentVersion": "3.12",
                 "fixedVersion": "3.12-bookworm"
               },
               {
                 "depName": "ghcr.io/devcontainers/features/docker-in-docker",
                 "currentValue": "2.10.2",
                 "replaceString": "ghcr.io/devcontainers/features/docker-in-docker:2.10.2",
                 "autoReplaceStringTemplate": "{{depName}}{{#if newValue}}:{{newValue}}{{/if}}{{#if newDigest}}@{{newDigest}}{{/if}}",
                 "datasource": "docker",
                 "updates": [
                   {
                     "isPinDigest": true,
                     "updateType": "pinDigest",
                     "newValue": "2.10.2",
                     "newDigest": "sha256:23ae11a86089da5f0b98a6edd603f91831802b7f2d5ef1e104e1b94a3beb546c",
                     "branchName": "renovate/pin-dependencies"
                   }
                 ],
                 "packageName": "ghcr.io/devcontainers/features/docker-in-docker",
                 "versioning": "docker",
                 "warnings": [],
                 "registryUrl": "https://ghcr.io",
                 "lookupName": "devcontainers/features/docker-in-docker",
                 "currentVersion": "2.10.2",
                 "fixedVersion": "2.10.2"
               },

[rarkins]

Created #28781

[berkaycagir]

I was about to open up a new discussion with this, glad to have found this.

Devcontainer cli (which is used by the VS Code extension) supports digest pinning for features but the maintainers unfortunately decided on a different syntax (issue, PR). In short, devcontainer features can only be pinned with the following syntax:

registry/image_name@sha256:digest

Trying to pin them with registry/image_name:tag@sha256:digest syntax results in an error.

I had also created a minimal reproduction before seeing this discussion, if it'd be of help to anyone: https://github.com/berkaycagir/renovate-devcontainer-feature-digest-poc

[rarkins]

Is there anywhere we can put (preserve) the tag? e.g. a jsonc comment