Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pin Docker Image Versions in GitHub Actions #1034

Closed
5000164 opened this issue Jul 11, 2024 · 11 comments
Closed

Pin Docker Image Versions in GitHub Actions #1034

5000164 opened this issue Jul 11, 2024 · 11 comments
Labels
answered

Comments

@5000164
Copy link
Contributor

5000164 commented Jul 11, 2024

Summary

To enhance the reliability and consistency of CI/CD pipeline, I propose using Docker image digests instead of tags in GitHub Actions.

Details

Currently, the action is using Docker image tags, which can lead to unexpected changes or breaking updates when the tagged image is updated.
By specifying the image digest, we ensure that the exact same image is used every time, providing a more stable and reproducible environment.

Reference: https://github.com/Codium-ai/pr-agent/blob/6135bf1f53f78ba265b5958ac1475f49463fce81/Dockerfile.github_action_dockerhub#L1
@mrT23
Copy link
Collaborator

mrT23 commented Jul 11, 2024
edited
Loading

i am not sure i understand this issue.
We do have stable versions for the docker.
v0.23 was released couple of days ago

https://hub.docker.com/r/codiumai/pr-agent/tags
https://github.com/Codium-ai/pr-agent/releases/tag/v0.23
image

@5000164
Copy link
Contributor Author

5000164 commented Jul 12, 2024

Hi, thank you for your response.

My concern is about using tags like github_action in the GitHub Actions. Tags can point to different images over time, which might cause unexpected changes or instability in the CI/CD pipeline. By using the github_action tag, the workflow always pulls the latest image associated with that tag at the time of execution.

To address this, I propose using Docker image digests instead of tags. Digests uniquely identify an image based on its content, ensuring we use the exact same image every time. This enhances the reliability and security of our pipeline.

For example, instead of:

FROM codiumai/pr-agent:github_action

We would use:

FROM codiumai/pr-agent@sha256:<digest>

This way, we ensure a stable and reproducible environment.

@mrT23
Copy link
Collaborator

mrT23 commented Jul 12, 2024

If you want to work with a stable version (v0.22, v0.23, ..), use the relevant one in your yaml file:

https://pr-agent-docs.codium.ai/installation/github/#run-as-a-github-action
image

These versions are fixed. we release a new version once a month.

In any case, we don't intend to change our dockerhub release mechanism

@no-yan
Copy link

no-yan commented Jul 12, 2024

If you want to work with a stable version (v0.22, v0.23, ..), use the relevant one in your yaml file:

@mrT23 You cannot use the PR Agent stable version by that.
For all versions, the Dockerfile's tag codiumai/pr-agent:github_action points to the same tag(i.e. github_action). Therefore, the same container is built regardless of the version specified in Actions.
image
image
image
Verification repository link

As a result, if you specify any version in GitHub Actions, it will be ignored. Users using v0.12 might not expect that the codiumai/pr-agent:github_action running is actually the one updated just two days ago.

This problem has already been noted.  See #1015 (comment)

To solve this, consider the following options:

  1. For each release, update the Dockerfile to use a unique tag for that version (e.g., codiumai/pr-agent:v0.23 or codiumai/pr-agent:0.23-github_action).
  2. Stop using Docker Hub and instead build the Dockerfile.github_action directly in GitHub Actions.

Second approach ensures the correct version is used, because GitHub Actions will check out the exact source code for the specified tag (like v0.23).

@no-yan
Copy link

no-yan commented Jul 12, 2024

It's a significant issue that versioning is clearly not working correctly with GitHub Actions.
It would be wise to separate discussions about running appropriately version-managed containers from those about pinning images for security hardening.

@mrT23
Copy link
Collaborator

mrT23 commented Jul 13, 2024

ok, we will look into that issue

@mrT23
Copy link
Collaborator

mrT23 commented Jul 14, 2024
edited
Loading

@5000164 @no-yan

try referring to the docker directly instead:

    steps:
      - name: PR Agent action step
        id: pragent
        uses: docker://codiumai/pr-agent:0.23-github_action

it worked for me, with the correct sha.
(This is much easier and simpler than the alternatives)

If it works also for you, you can, and should, open a PR to update the documentation with the new methodology

@5000164
Copy link
Contributor Author

5000164 commented Jul 16, 2024

Thank you.
I will try this approach and report back with the results.
I'll follow up soon.

@5000164
Copy link
Contributor Author

5000164 commented Jul 16, 2024

uses: docker://codiumai/pr-agent@sha256:14165e525678ace7d9b51cda8652c2d74abb4e1d76b57c4a6ccaeba84663cc64 worked for me, I will create a PR to document it.

@5000164 5000164 mentioned this issue Jul 16, 2024
Merged
@5000164
Copy link
Contributor Author

5000164 commented Jul 16, 2024
edited
Loading

opened #1042

@mrT23 mrT23 added the answered label Jul 16, 2024
@5000164
Copy link
Contributor Author

5000164 commented Jul 17, 2024

I've found a way to fix the image digest, and the PR has been merged, so I'll be closing this issue.
Thank you for your assistance.

@5000164 5000164 closed this as completed Jul 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
answered
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@5000164 @mrT23 @no-yan