
Suppress Docker digest-only updates when tag version is unchanged#15103

Merged
markhallen merged 2 commits into
mainfrom
markhallen/suppress-docker-digest-only-updates
May 22, 2026

Conversation

@markhallen
Contributor

@markhallen markhallen commented May 21, 2026

What are you trying to accomplish?

Fixes #15081 — Dependabot is bumping Docker image digests when the tag value has not changed.

When a Dockerfile pins both a tag and a digest (e.g., FROM golang:1.26.3-bookworm@sha256:...), Dependabot proposes PRs that only update the digest when the same tag is re-pushed on the registry. This is noisy because the user's intent with a tag+digest pin is to track version changes while ensuring reproducibility for a given version — not to chase every tag re-push.

This adds a new experiment flag docker_digest_only_update_suppression that, when enabled, treats the digest as up-to-date if the latest resolved tag name matches the current pinned tag. Digest updates still occur whenever the tag version actually advances.

Anything you want to highlight for special attention from reviewers?

The fix is scoped entirely to the digest_up_to_date? method in the Docker update checker. When the experiment is enabled and a source has both a tag and a digest:

  • If latest_tag_from(source_tag).name == source_tag (tag hasn't changed), we short-circuit and treat the digest as current
  • If the tag has changed, we proceed with the normal digest comparison

This means:

  • Tag+digest pins: digest-only updates suppressed ✓
  • Digest-only pins (no tag): unaffected, still updates ✓
  • Tag-only pins (no digest): unaffected ✓
  • Experiment off: existing behavior preserved ✓

How will you know you've accomplished your goal?

After enabling the docker_digest_only_update_suppression experiment in production, we expect to observe:

  • Reduction in digest-only Docker PRs: Repositories that pin both a tag and digest (e.g., image:1.26.3@sha256:...) should stop receiving PRs that only update the @sha256: portion when the tag itself hasn't changed.
  • Version-advancing PRs still include digest updates: When a newer tag is available (e.g., 1.26.3 → 1.26.4), the PR should update both the tag and the digest as before.
  • No regression for digest-only references: Repositories using FROM image@sha256:... (no tag) should continue receiving digest update PRs normally.
  • Specifically for the reporter's case: Repos like atc0005/go-ci should no longer see PRs like #2510 that bump the digest for amd64/golang:1.26.3-bookworm without a version change.

Checklist

  • I have run the complete test suite to ensure all tests and linters pass.
  • I have thoroughly tested my code changes to ensure they work as expected, including adding additional tests for new functionality.
  • I have written clear and descriptive commit messages.
  • I have provided a detailed description of the changes in the pull request, including the problem it addresses, how it fixes the problem, and any relevant details about the implementation.
  • I have ensured that the code is well-documented and easy to understand.

@markhallen markhallen requested a review from a team as a code owner May 21, 2026 14:58
Copilot AI review requested due to automatic review settings May 21, 2026 14:58
@github-actions github-actions Bot added the L: docker Docker containers label May 21, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR introduces an experiment flag (docker_digest_only_update_suppression) to reduce noise from Docker tag+digest pins by suppressing “digest-only” updates when the resolved latest tag name hasn’t changed, while preserving existing behavior when the experiment is disabled.

Changes:

  • Add short-circuit logic in the Docker update checker to treat the digest as up-to-date when the latest resolved tag matches the currently pinned tag (experiment-gated).
  • Add/update specs to cover experiment-enabled vs experiment-disabled behavior for tag+digest pins and digest-only pins.
Summary per file:

  • docker/lib/dependabot/docker/update_checker.rb: Adds experiment-gated suppression logic inside digest_up_to_date? for tag+digest sources when the tag hasn’t changed.
  • docker/spec/dependabot/docker/update_checker_spec.rb: Adds specs validating suppression behavior when the experiment is enabled/disabled.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 2

Mark Allen and others added 2 commits May 22, 2026 17:28
When a Dockerfile pins both a tag and a digest (e.g.,
FROM golang:1.26.3@sha256:...), Dependabot would propose PRs that only
update the digest when the same tag was re-pushed on the registry, even
though the tag version hadn't changed.

This adds a new experiment flag docker_digest_only_update_suppression
that, when enabled, treats the digest as up-to-date if the latest
resolved tag name matches the current tag name. This prevents noisy
digest-only PRs while still updating the digest whenever the tag version
actually advances.

Fixes #15081

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Non-comparable tags (e.g., 'latest', distro codenames like 'artful')
should still receive digest updates since they cannot be version-compared.
Only versioned/comparable tags get digest-only suppression.

Adds test for non-comparable tag+digest pin scenario.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
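The decision described in the PR description (short-circuit when the resolved latest tag equals the pinned tag) combined with the second commit's carve-out for non-comparable tags, as an added stand-alone Ruby illustration that is not Dependabot's own code. DockerSource, REGISTRY, latest_tag_from and comparable_tag? are assumptions constructed for this example.

```ruby
# Added example, not Dependabot code: a minimal model of digest_up_to_date?
# as this PR describes it. All names below are constructed for the example.
DockerSource = Struct.new(:tag, :digest, keyword_init: true)

# Constructed stand-in for the registry: what a pinned tag resolves to.
# A re-pushed tag resolves to itself with a new digest; an outdated tag
# resolves to a newer version. The nil key models a digest-only pin.
REGISTRY = {
  "1.26.3-bookworm" => { name: "1.26.3-bookworm", digest: "sha256:repush" },
  "1.26.2-bookworm" => { name: "1.26.3-bookworm", digest: "sha256:repush" },
  "latest"          => { name: "latest",          digest: "sha256:repush" },
  "artful"          => { name: "artful",          digest: "sha256:repush" },
  nil               => { name: nil,               digest: "sha256:repush" }
}.freeze

def latest_tag_from(tag)
  REGISTRY.fetch(tag)
end

# Only versioned tags can be compared; "latest" and distro codenames such as
# "artful" cannot, so suppression must not apply to them (second commit).
def comparable_tag?(tag)
  !tag.nil? && tag.match?(/\A\d+(\.\d+)*/)
end

# true => no digest update is proposed for this source.
def digest_up_to_date?(source, experiment_enabled:)
  return true if source.digest.nil? # tag-only pin: nothing to compare

  if experiment_enabled && comparable_tag?(source.tag) &&
     latest_tag_from(source.tag)[:name] == source.tag
    return true # same tag re-pushed: keep the pinned digest (suppressed)
  end

  source.digest == latest_tag_from(source.tag)[:digest]
end

# Runs the scenarios listed in the PR description; true means "suppressed".
def scenarios(experiment_enabled:)
  {
    tag_and_digest_same_tag: DockerSource.new(tag: "1.26.3-bookworm", digest: "sha256:old"),
    tag_and_digest_tag_advanced: DockerSource.new(tag: "1.26.2-bookworm", digest: "sha256:old"),
    digest_only: DockerSource.new(tag: nil, digest: "sha256:old"),
    tag_only: DockerSource.new(tag: "1.26.3-bookworm", digest: nil),
    non_comparable_tag: DockerSource.new(tag: "latest", digest: "sha256:old")
  }.transform_values { |s| digest_up_to_date?(s, experiment_enabled: experiment_enabled) }
end
```

With the experiment on, only the tag+digest pin whose tag is unchanged is suppressed; every other case, including "latest" and digest-only pins, still gets its digest update, and with the experiment off the old behaviour is unchanged.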
@markhallen markhallen force-pushed the markhallen/suppress-docker-digest-only-updates branch from a509d67 to 1d9912d Compare May 22, 2026 15:28
@markhallen markhallen enabled auto-merge (squash) May 22, 2026 15:28
@markhallen markhallen merged commit 92a378e into main May 22, 2026
91 checks passed
@markhallen markhallen deleted the markhallen/suppress-docker-digest-only-updates branch May 22, 2026 15:41
@yeikel
Contributor

yeikel commented May 23, 2026


Linked issue (closed by this merge): Dependabot is bumping Docker image digests when tag value has not changed