Skip to content

fix(renovate): disable digest pinning for devfile base-developer-image#807

Merged
mangelajo merged 3 commits into
jumpstarter-dev:mainfrom
raballew:fix/devfile-unpin-digest
Jun 18, 2026
Merged

fix(renovate): disable digest pinning for devfile base-developer-image#807
mangelajo merged 3 commits into
jumpstarter-dev:mainfrom
raballew:fix/devfile-unpin-digest

Conversation

@raballew

Copy link
Copy Markdown
Member

Summary

  • Disable digest pinning for quay.io/devfile/base-developer-image since the image only publishes rolling tags (ubi10-latest) with no semver releases
  • Strip @sha256:... digests from python/.devfile/Containerfile and Containerfile.client
  • Add pinDigests: false to the devfile package rule in renovate.jsonc

Test plan

  • Verify Renovate dry-run picks up the ubi10-latest tag without attempting to pin a digest
  • Confirm devfile Containerfiles build successfully without the pinned digest

🤖 Generated with Claude Code

The image only publishes rolling tags (ubi10-latest) with no semver
releases, so pinning the digest creates churn without supply-chain
benefit -- the tag itself is already a derived latest.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2903b88d-fbc9-4044-a85f-ed9a4fb36eba

📥 Commits

Reviewing files that changed from the base of the PR and between 4420bd9 and e0d882c.

📒 Files selected for processing (3)
  • python/.devfile/Containerfile
  • python/.devfile/Containerfile.client
  • renovate.jsonc
🚧 Files skipped from review as they are similar to previous changes (3)
  • python/.devfile/Containerfile
  • python/.devfile/Containerfile.client
  • renovate.jsonc

📝 Walkthrough

Walkthrough

Removes SHA256 digest pins from the FROM directives in two devfile Containerfiles, replacing them with the bare quay.io/devfile/base-developer-image:ubi10-latest tag. The corresponding Renovate package rule gains pinDigests: false to prevent the tool from re-pinning that image.

Changes

Unpin devfile base-developer-image

Layer / File(s) Summary
Remove SHA256 digest pins from Containerfiles
python/.devfile/Containerfile, python/.devfile/Containerfile.client
Both FROM directives are switched from content-pinned (tag@sha256:...) references to the unpinned ubi10-latest tag.
Disable Renovate digest pinning
renovate.jsonc
The package rule for quay.io/devfile/base-developer-image adds pinDigests: false, preventing Renovate from restoring digest pins for this image.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • jumpstarter-dev/jumpstarter#781: Also modifies renovate.jsonc to add pinDigests: false for a container image, directly overlapping the same Renovate digest-pinning pattern used in this PR.

Suggested reviewers

  • kirkbrauer
  • mangelajo

Poem

🐇 No more long hashes to track and maintain,
The image tag stands free in the refrain!
ubi10-latest now runs unrestrained,
And Renovate won't pin those digests again.
Hop along, container—no sha256 chain! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: disabling digest pinning for the devfile base-developer-image in Renovate configuration.
Description check ✅ Passed The description is directly related to the changeset, explaining why digest pinning is disabled and what changes were made to address the limitation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@mangelajo mangelajo enabled auto-merge (squash) June 18, 2026 10:30
Comment thread python/.devfile/Containerfile.client Outdated
Co-authored-by: Miguel Angel Ajo Pelayo <majopela@redhat.com>
@mangelajo mangelajo merged commit f19e473 into jumpstarter-dev:main Jun 18, 2026
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants