Skip to content

chore(dependabot): split docker config so /collector skips cooldown#245

Merged
Amund211 merged 1 commit into
mainfrom
fix/dependabot-docker-cooldown-crash
Apr 26, 2026
Merged

chore(dependabot): split docker config so /collector skips cooldown#245
Amund211 merged 1 commit into
mainfrom
fix/dependabot-docker-cooldown-crash

Conversation

@Amund211
Copy link
Copy Markdown
Owner

@Amund211 Amund211 commented Apr 26, 2026

Summary

  • Splits the docker ecosystem block back into two entries (one per directory) so /collector can omit cooldown while / keeps it.
  • Works around Cooldown breaks breaks docker updates dependabot/dependabot-core#14044: the cooldown logic crashes the whole docker job when a candidate tag points to a multi-arch OCI image index. The collector's base image (us-docker.pkg.dev/cloud-ops-agents-artifacts/.../otelcol-google) is exactly that, so every weekly run was failing — and taking the root golang update down with it.

Why this works

apply_cooldown calls get_tag_publication_details, which HEADs the config-blob digest. For an image index there's no flat config blob at that digest → 404 → exception bubbles up and aborts the whole job. Removing cooldown skips that code path. The root Dockerfile's golang is also a multi-arch image, but it only triggers the bug if a newer tag is found, so it's safe for now.

Upstream fix PR (dependabot/dependabot-core#14149) is still in draft; revisit once it ships.

Test plan

  • Wait for the next scheduled dependabot run (or trigger a manual one) and confirm both / and /collector jobs complete without DockerRegistry2::NotFound.

🤖 Generated with Claude Code

@Amund211 @claude
chore(dependabot): split docker config so /collector skips cooldown
a1fbd01 
The collector's base image (otelcol-google) is a multi-arch OCI image
index. dependabot's cooldown logic looks up publication dates by
HEAD-ing the config-blob digest, which 404s for image indexes and
crashes the whole docker job — taking out unrelated updates like the
root Dockerfile's golang base.

See dependabot/dependabot-core#14044. Drop cooldown for /collector
only; / keeps it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings April 26, 2026 11:29
Copilot AI reviewed Apr 26, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates Dependabot configuration to avoid a known Dependabot Docker cooldown bug affecting multi-arch OCI image indexes, ensuring Docker update jobs continue to run reliably across the repo.

Changes:

  • Split the single Docker ecosystem entry (covering both / and /collector) into two separate entries.
  • Keep cooldown enabled for the root / Docker updates while omitting it for /collector to bypass the crashing code path.

@Amund211 Amund211 merged commit ca044c8 into main Apr 26, 2026
13 checks passed
@Amund211 Amund211 deleted the fix/dependabot-docker-cooldown-crash branch April 26, 2026 12:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Amund211