docker: Replacement causes existing dependencies to use wrong digest #20304
Comments
uhthomas
added
priority-5-triage
status:requirements
|
Please see this snippet from the logs, with relevant modifications for privacy. "deps": [
{
"autoReplaceStringTemplate": "example.com/legacy:{{#if newValue}}{{newValue}}{{/if}}@{{#if newDigest}}{{newDigest}}{{/if}}",
"currentDigest": "sha256:46cea30fe85df1f3d554cee602fa69d553da7ab746c8c9f20defb1f1fc3e03b8",
"currentValue": "some-tag",
"currentVersion": "some-tag",
"datasource": "docker",
"depIndex": 0,
"depName": "example.com/legacy",
"depType": "final",
"fixedVersion": "some-tag",
"registryUrl": "https://example.com",
"replaceString": "example.com/legacy:some-tag@sha256:46cea30fe85df1f3d554cee602fa69d553da7ab746c8c9f20defb1f1fc3e03b8",
"versioning": "docker",
"warnings": [],
"updates": [
{
"updateType": "replacement",
"newName": "example.com/current",
"newValue": "some-tag",
"newDigest": "sha256:174f813303ad00bbe1409ea01eb909cb67818a8fbaae8c07df79036a7dea3e1d",
"branchName": "renovate/example-com-legacy-replacement"
},
{
"updateType": "digest",
"newValue": "some-tag",
"newDigest": "sha256:174f813303ad00bbe1409ea01eb909cb67818a8fbaae8c07df79036a7dea3e1d",
"branchName": "renovate/example-com-legacy-some-tag"
}
]
}
], |
rarkins
added
the
auto:reproduction
|
Hi there, Get your issue fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible. Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. To get started, please read our guide on creating a minimal reproduction. We may close the issue if you, or someone else, haven't created a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment. Good luck, The Renovate team |
|
I tried to create a reproduction repository but Renovate isn't able to create any PRs at all. https://github.com/uhthomas/renovate20304 https://app.renovatebot.com/dashboard#github/uhthomas/renovate20304/1001308789 |
HonkingGoose
added
reproduction:provided
and removed
auto:reproduction
provide more context debug logs |
I really am not sure what more to provide. This is the hosted version of Renovate, so all the debug logs are: https://app.renovatebot.com/dashboard#github/uhthomas/renovate20304/1001308789 The repository only contains a https://github.com/uhthomas/renovate20304 The dependency dashboard also shows that it can't make a PR for some reason.
|
|
If it helps, I've copied the output from the linked debug log and put it in this gist. |
|
the logs doesn't contain the warning, so wrong run |
Yes they do. https://gist.github.com/uhthomas/da50bee0a31a3e0755bc5e6644780f34#file-renovate-debug-log-L254 |
|
looks like a duplicate of |
|
@viceice I did see that issue, but it's not quite the same. The replacement rules work as expected in our case, but it just seems that for some reason Renovate will now open PRs with the replacement digest for the original image. I am struggling to demonstrate this as the hosted version of Renovate is running into a different(?) issue in the debug log. |
|
Okay @viceice, I have a full working reproduction now. Repository: https://github.com/uhthomas/renovate20304/tree/445bbce6bf13dc2da5f4350e10c74d8f9d946601 Logs: https://app.renovatebot.com/dashboard#github/uhthomas/renovate20304/1001783011 (gist). Here's what Renovate is trying to do:
See: https://github.com/uhthomas/renovate20304/pull/3/files It's trying to update the original image with a digest from the replacement image... I can confirm it's incorrect as Is what I've written clear? |
|
please write expected and current behavior to the repo readme, then we'll fork it |
|
Will do. |
|
@viceice Done! |
viceice
added
priority-3-medium
|
ok, i see a pin PR but no replacement PR. is this only happen on self hosted renovate or also on the GitHub app? @rarkins @secustor @JamieMagee it seems the pin PR uses the replacement data for pin and blocks any other PR. i think the pin update type shouldn't use the replacement rule data. |
viceice
added
priority-2-high
|
I think this is the same behaviour as self hosted. We saw correct replacement in some repos, but just a pin PR with the incorrect digest in others. |
|
Is there anything I can do to help fix this? |
|
disable pin for those does or pin before enable the replacement |
|
I believe this issue occurs even if the original dependency was pinned. I can add that to the reproduction repository to prove it if that would be helpful. |
rarkins
added
priority-3-medium
|
I tried disabling digest pinning for those deps, but the same thing happened. Have I misconfigured it? {
"packageRules": {
"matchDatasources": [
"docker"
],
"matchPackageNames": [
"example.com/old"
],
"pinDigests": false,
"replacementName": "example.com/new",
"replacementVersion": "some-tag"
}
}As noted in my previous comment, this happens for dependencies which already have digests. So I imagine this probably prevents this for dependencies which don't already have a digest, but this is still a problem for dependencies which do already have a digest. So, it's not possible to use this feature for what we need unfortunately. Is the demotion from p2 to p3 correct given the potential severity of using bad digests? |
|
I was really hoping some of the recent changes in v35 around replacement would have inadvertently fixed this issue, but that does not appear to be the case. @rarkins @viceice Any ideas on how we can resolve this? We really want to use Renovate to replace older versions of internal debian images (jessie, stretch, buster) with bullseye or bookworm but just can't because Renovate creates PRs to update those old images to bad digests. |
|
We are also seeing this issue. We want to use In other words, we're expecting renovate to open java11 image PR updates normally, and also a java11 image replacement PR with java17 |
|
I'd like to add more information. I have the following renovate.json file The following Dockerfile Last node-16 docker image version: 4.7.102 In this case, Renovate should create two PR
PR 2 is created correctly Looking at the logs I see the following It seems that Renovate is replacing only the docker image name in the PR (1) |
How are you running Renovate?
Mend Renovate hosted app on github.com
If you're self-hosting Renovate, tell us what version of Renovate you run.
34.125.1
If you're self-hosting Renovate, select which platform you are using.
Bitbucket Server
If you're self-hosting Renovate, tell us what version of the platform you run.
N/A
Was this something which used to work for you, and then stopped?
I never saw this working
Describe the bug
We're replacing an old image with a new one, but the digest for the new image is different.
This is fine and the replacement PRs look fine too, but Renovate seems to assume the replacements are also aliases.
This means that Renovate is now opening PRs for the old image with the digest for the new image...
To help illustrate this, here are our two images:
Renovate is opening PRs which look like:
This is wrong and unexpected. I've read these issues, but they're not completely the same:
Relevant debug logs
Logs
Have you created a minimal reproduction repository?
No reproduction repository
The text was updated successfully, but these errors were encountered: