
Commit 3462daa

raballewclaude
andcommitted
fix: drop container image digest pinning and bump Fedora to 44
Most container registries prune untagged manifests within weeks, so pinned digests break reproducibility instead of guaranteeing it and force an unsustainable biweekly update cycle. Disable pinDigests in Renovate while keeping GitHub Action commit-SHA pinning via helpers:pinGitHubActionDigests. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 1cebbd0 commit 3462daa

5 files changed

Lines changed: 34 additions & 6 deletions


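--- a/.github/workflows/build-oci-bundle.yaml
+++ b/.github/workflows/build-oci-bundle.yaml
@@ -6,7 +6,7 @@ on:
 jobs:
 build-fits:
 runs-on: ubuntu-24.04-arm
-container: fedora:43
+container: fedora:44
 steps:
 - name: Checkout repository
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6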

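--- a/python/Dockerfile
+++ b/python/Dockerfile
@@ -1,12 +1,12 @@
 FROM --platform=$BUILDPLATFORM ghcr.io/astral-sh/uv:0.11.19 AS uv
 
-FROM --platform=$BUILDPLATFORM fedora:43 AS builder
+FROM --platform=$BUILDPLATFORM fedora:44 AS builder
 RUN dnf install -y make git && \
 dnf clean all && \
 rm -rf /var/cache/dnf
 COPY --from=uv /uv /uvx /bin/
 
-FROM fedora:43 AS product
+FROM fedora:44 AS product
 RUN dnf install -y python3 ustreamer libusb1 android-tools python3-libgpiod curl \
 nftables dnsmasq iproute procps-ng tcpdump && \
 dnf clean all && \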

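--- a/python/Dockerfile.utils
+++ b/python/Dockerfile.utils
@@ -1,4 +1,4 @@
-FROM fedora:43
+FROM fedora:44
 RUN dnf install -y kubernetes-client easy-rsa trurl && \
 dnf clean all && \
 rm -rf /var/cache/dnf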

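--- a/python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
+++ b/python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
@@ -4,7 +4,7 @@ cd "$(dirname "$0")"
 
 # run only in a container
 if [[ -z "$container" && ! -f /.dockerenv ]]; then
-exec podman run --rm -it -v $(pwd):/host:Z -w /host fedora:43 "$0" "$@"
+exec podman run --rm -it -v $(pwd):/host:Z -w /host fedora:44 "$0" "$@"
 else
 set -euo pipefail
 BUILDROOT_DIR="/var/tmp/buildroot"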

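--- a/renovate.json
+++ b/renovate.json
@@ -4,7 +4,12 @@
 "config:recommended",
 "helpers:pinGitHubActionDigests"
 ],
-"pinDigests": true,
+// Most container registries prune untagged manifests within weeks, so
+// pinned digests break reproducibility instead of guaranteeing it and
+// force an unsustainable biweekly update cycle. Keep tag-based version
+// pinning only; GitHub Action commit-SHA pinning is handled separately
+// by helpers:pinGitHubActionDigests and is unaffected.
+"pinDigests": false,
 "timezone": "Etc/UTC",
 "schedule": [
 "before 5am on monday"
@@ -42,6 +47,18 @@
 "depNameTemplate": "python",
 "datasourceTemplate": "python-version",
 "versioningTemplate": "pep440"
+},
+{
+"description": "Track Fedora container image in build_fits.sh podman fallback",
+"customType": "regex",
+"managerFilePatterns": [
+"**/build_fits.sh"
+],
+"matchStrings": [
+"podman run[^\\n]+fedora:(?<currentValue>[^\\s\"]+)"
+],
+"depNameTemplate": "fedora",
+"datasourceTemplate": "docker"
 }
 ],
 "packageRules": [
@@ -163,6 +180,17 @@
 ],
 "automerge": false
 },
+{
+"description": "Group build_fits.sh Fedora image with Docker base images",
+"groupName": "docker-base-images",
+"matchManagers": [
+"custom.regex"
+],
+"matchDepNames": [
+"fedora"
+],
+"automerge": false
+},
 {
 "description": "Group Python dev tools",
 "groupName": "python-dev-tools",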
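Review bot: The five `//` comment lines added above `"pinDigests": false` in the first hunk are not valid JSON, and the file is named `renovate.json`. As far as I know Renovate reads such a file only through a JSON5 fallback that logs a warning, and strict JSON tooling (schema validators, `jq`, editors) will reject it, so a config that silently stops parsing would also stop dependency updates. Either rename the file to `renovate.json5` or move the rationale into a top-level `"description"` entry next to `"pinDigests": false`. In either form the rationale should also record the accepted trade-off: with digests unpinned, `fedora:44` and the other image tags are mutable references, so the image content behind them can change between builds with no diff in this repository.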
