Suppress Docker digest-only updates when tag version is unchanged #15103
Merged
Pull request overview
This PR introduces an experiment flag (docker_digest_only_update_suppression) to reduce noise from Docker tag+digest pins by suppressing “digest-only” updates when the resolved latest tag name hasn’t changed, while preserving existing behavior when the experiment is disabled.
Changes:
- Add short-circuit logic in the Docker update checker to treat the digest as up-to-date when the latest resolved tag matches the currently pinned tag (experiment-gated).
- Add/update specs to cover experiment-enabled vs experiment-disabled behavior for tag+digest pins and digest-only pins.
| File | Description |
|---|---|
| docker/lib/dependabot/docker/update_checker.rb | Adds experiment-gated suppression logic inside digest_up_to_date? for tag+digest sources when the tag hasn’t changed. |
| docker/spec/dependabot/docker/update_checker_spec.rb | Adds specs validating suppression behavior when the experiment is enabled/disabled. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 2
robaiken approved these changes May 22, 2026
When a Dockerfile pins both a tag and a digest (e.g., FROM golang:1.26.3@sha256:...), Dependabot would propose PRs that only update the digest when the same tag was re-pushed on the registry, even though the tag version hadn't changed. This adds a new experiment flag docker_digest_only_update_suppression that, when enabled, treats the digest as up-to-date if the latest resolved tag name matches the current tag name. This prevents noisy digest-only PRs while still updating the digest whenever the tag version actually advances. Fixes #15081 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Non-comparable tags (e.g., 'latest', distro codenames like 'artful') should still receive digest updates since they cannot be version-compared. Only versioned/comparable tags get digest-only suppression. Adds test for non-comparable tag+digest pin scenario. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
a509d67 to 1d9912d
What are you trying to accomplish?
Fixes #15081 — Dependabot is bumping Docker image digests when the tag value has not changed.
When a Dockerfile pins both a tag and a digest (e.g., `FROM golang:1.26.3-bookworm@sha256:...`), Dependabot proposes PRs that only update the digest when the same tag is re-pushed on the registry. This is noisy because the user's intent with a tag+digest pin is to track version changes while ensuring reproducibility for a given version — not to chase every tag re-push.
This adds a new experiment flag `docker_digest_only_update_suppression` that, when enabled, treats the digest as up-to-date if the latest resolved tag name matches the current pinned tag. Digest updates still occur whenever the tag version actually advances.
Anything you want to highlight for special attention from reviewers?
The fix is scoped entirely to the `digest_up_to_date?` method in the Docker update checker. When the experiment is enabled and a source has both a tag and a digest: if `latest_tag_from(source_tag).name == source_tag` (tag hasn't changed), we short-circuit and treat the digest as current. This means:
How will you know you've accomplished your goal?
After enabling the `docker_digest_only_update_suppression` experiment in production, we expect to observe:
- `image:1.26.3@sha256:...`) should stop receiving PRs that only update the `@sha256:` portion when the tag itself hasn't changed.
- `1.26.3` → `1.26.4`), the PR should update both the tag and the digest as before.
- `FROM image@sha256:...` (no tag) should continue receiving digest update PRs normally.
- `amd64/golang:1.26.3-bookworm` without a version change.
Checklist
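The decision described in the PR body and the two commit messages (the `digest_up_to_date?` short-circuit when the latest resolved tag name equals the pinned tag, plus the rule that non-comparable tags such as `latest` or `artful` still receive digest updates), worked through as an added Ruby illustration. This is not Dependabot's code: the registry snapshot, `parse_from`, `update_kind`, the dotted-numeric version comparison, and the assumption that a digest-only pin is compared against whatever the registry serves for `latest` are all constructed for this example.

```ruby
# Added illustration of the suppression rule this PR describes. It is NOT
# Dependabot's implementation: the registry snapshot, parse_from, update_kind
# and the version comparison are all constructed for the example.

SHA = "sha256:"

# Constructed registry snapshot: tag => digest the registry currently serves.
# 1.26.3 has been re-pushed, so its digest differs from what a Dockerfile
# pinned earlier (see the demo at the bottom).
REGISTRY = {
  "1.26.2" => SHA + ("a" * 64),
  "1.26.3" => SHA + ("b" * 64),
  "latest" => SHA + ("b" * 64), # "latest" currently points at 1.26.3 (assumption)
  "artful" => SHA + ("c" * 64), # distro codename, not version-comparable
}.freeze

# Simplification: only dotted numeric tags count as comparable here.
VERSION_TAG = /\A\d+(?:\.\d+)*\z/

def comparable?(tag)
  !tag.nil? && tag.match?(VERSION_TAG)
end

def version_key(tag)
  tag.split(".").map(&:to_i)
end

# Constructed stand-in for latest_tag_from: the highest version tag in the
# registry. A non-comparable tag ("latest", "artful") resolves to itself,
# which is why the short-circuit below must test comparable? first; otherwise
# name == tag would always hold for such tags and they would never be updated.
def latest_tag_from(tag)
  return tag unless comparable?(tag)
  REGISTRY.keys.select { |t| comparable?(t) }.max_by { |t| version_key(t) }
end

# Splits "golang:1.26.3@sha256:...", "golang@sha256:..." or "golang:1.26.3".
# Simplified: registry hosts with a port ("host:5000/img") are not handled.
def parse_from(ref)
  image, digest = ref.split("@", 2)
  name, tag = image.split(":", 2)
  { name: name, tag: tag, digest: digest }
end

# Mirrors the PR's short-circuit: with the experiment on, a comparable tag
# whose latest resolved name is unchanged is treated as current regardless of
# what digest the registry now serves for it.
def digest_up_to_date?(source, experiment_enabled:)
  tag, digest = source[:tag], source[:digest]
  return true if digest.nil? # nothing pinned to compare
  if experiment_enabled && comparable?(tag) && latest_tag_from(tag) == tag
    return true
  end
  REGISTRY[tag || "latest"] == digest # digest-only pins track "latest" (assumption)
end

# Classifies the PR Dependabot would open for a FROM reference:
# :none, :digest_only, :tag_only or :tag_and_digest.
def update_kind(ref, experiment_enabled:)
  src = parse_from(ref)
  tag_stale = comparable?(src[:tag]) && latest_tag_from(src[:tag]) != src[:tag]
  return(src[:digest] ? :tag_and_digest : :tag_only) if tag_stale
  return :none if digest_up_to_date?(src, experiment_enabled: experiment_enabled)
  :digest_only
end

if __FILE__ == $PROGRAM_NAME
  stale = SHA + ("f" * 64) # constructed: the digest the Dockerfile pinned before the re-push
  [true, false].each do |on|
    kind = update_kind("golang:1.26.3@#{stale}", experiment_enabled: on)
    puts "experiment #{on ? 'on ' : 'off'}: golang:1.26.3@#{stale[0, 13]}... -> #{kind}"
  end
end
```

Running the demo shows the two behaviours side by side: with the experiment off the re-pushed `1.26.3` produces `:digest_only`, with it on it produces `:none`, while `1.26.2` still yields `:tag_and_digest`, a tagless `image@sha256:...` pin still yields `:digest_only`, and `artful` is never suppressed. The trade-off the example makes visible is that a re-pushed tag, whatever the reason for the re-push, gets no PR at all once the experiment is on, so images whose base-image rebuilds are expected to be picked up through digest bumps on an unchanged tag should keep the experiment off.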