Support dependabot updates of docker images referencing cypress-docker-images #1250

Open
anscfrisson opened this issue Nov 19, 2024 · 12 comments

@anscfrisson

anscfrisson commented Nov 19, 2024

I have configured dependabot updates of cypress-docker-images in a private repository:

  • .github/dependabot.yml:
    version: 2
    updates:
      - package-ecosystem: "docker" # See documentation for possible values
        directories:
          - "/docker/chrome/"
          - "/docker/firefox/"
        schedule:
          interval: daily
        commit-message:
          prefix: "build(deps): browser"
        labels:
          - "dependabot"
    
  • docker/chrome/Dockerfile
    FROM cypress/browsers:node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1
    
  • docker/firefox/Dockerfile
    FROM cypress/browsers:node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1
    

(browsers with separate docker files each with separate cypress/browsers tags as our cypress tests may break independently with web browser version updates even if these versions are supported by cypress, but that's not the issue here)

Dependabot runs include:

  • for docker/chrome/Dockerfile
    updater | 2024/11/19 16:37:01 INFO <job_919438816> Checking if cypress/browsers node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1 needs updating
    ...
    updater | 2024/11/19 16:37:02 INFO <job_919438816> Latest version is node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1
    updater | 2024/11/19 16:37:02 INFO <job_919438816> No update needed for cypress/browsers node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1
    
  • for docker/firefox/Dockerfile
    updater | 2024/11/19 16:37:02 INFO <job_919438816> Checking if cypress/browsers node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1 needs updating
    ...
    updater | 2024/11/19 16:37:03 INFO <job_919438816> Latest version is node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1
    updater | 2024/11/19 16:37:03 INFO <job_919438816> No update needed for cypress/browsers node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1
    

Dependabot should have proposed to update node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1 to node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1 for docker/firefox/Dockerfile.

From https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker

> In order for Dependabot to fetch Docker metadata, maintainers of Docker images must add the org.opencontainers.image.source label to their Dockerfile, and include the URL of the source repository. Additionally, maintainers must tag the repository with the same tags as the published Docker images. For an example, see the dependabot-fixtures/docker-with-source repository. For more information on Docker labels, see Extension image labels and BUILDX_GIT_LABELS in the Docker documentation.

Would it be possible to support dependabot updates of cypress-docker-images, by, as in dependabot-fixtures/docker-with-source, 1) adding org.opencontainers.image.source labels to Dockerfiles and 2) tagging the repository with the same tags as the published Docker images?
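Added example, not part of the issue thread and not Dependabot's own comparison logic: a repository-side check that reports when one Dockerfile pins a cypress/browsers tag that another pinned tag cleanly supersedes, which is the drift described above. The tag layout in `TAG_RE` is an assumption inferred from the two tags quoted in the issue, and all function names are hypothetical.

```python
import re

# Assumed layout (inferred from the issue's two tags, not a published grammar):
# node-<v>-chrome-<v>-<n>-ff-<v>-edge-<v>-<n>
V = r"\d+(?:\.\d+)*"
TAG_RE = re.compile(
    rf"^node-(?P<node>{V})-chrome-(?P<chrome>{V}-\d+)"
    rf"-ff-(?P<ff>{V})-edge-(?P<edge>{V}-\d+)$"
)
FROM_RE = re.compile(r"^FROM\s+cypress/browsers:(\S+)", re.MULTILINE)

# Dockerfile contents as quoted in the issue.
SAMPLE = {
    "docker/chrome/Dockerfile": "FROM cypress/browsers:node-22.11.0-chrome-130.0.6723.116-1-ff-132.0.1-edge-130.0.2849.68-1\n",
    "docker/firefox/Dockerfile": "FROM cypress/browsers:node-22.11.0-chrome-130.0.6723.69-1-ff-132.0-edge-130.0.2849.56-1\n",
}


def parse_tag(tag):
    """Split a long-form tag into {component: tuple of ints}."""
    m = TAG_RE.match(tag)
    if m is None:
        raise ValueError(f"unrecognised cypress/browsers tag: {tag!r}")
    return {name: tuple(int(p) for p in re.split(r"[.-]", text))
            for name, text in m.groupdict().items()}


def compare_tags(pinned, candidate):
    """Return (newer, older): components where candidate is ahead of / behind pinned."""
    a, b = parse_tag(pinned), parse_tag(candidate)
    newer = sorted(c for c in a if b[c] > a[c])
    older = sorted(c for c in a if b[c] < a[c])
    return newer, older


def stale_dockerfiles(dockerfiles):
    """Map path -> (superseding tag, components it advances) for lagging pins."""
    tags = {}
    for path, text in dockerfiles.items():
        m = FROM_RE.search(text)
        if m:  # ignore Dockerfiles that do not use cypress/browsers
            tags[path] = m.group(1)
    report = {}
    for path, tag in tags.items():
        for other in tags.values():
            newer, older = compare_tags(tag, other)
            if newer and not older:  # clean upgrade only: no component goes backwards
                report[path] = (other, newer)
    return report
```

A tag pair in which one browser moves forward while another moves back is deliberately not reported, since neither tag supersedes the other.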

@MikeMcC399
Collaborator

MikeMcC399 commented Nov 20, 2024

@anscfrisson

> Would it be possible to support dependabot updates of cypress-docker-images, by, as in dependabot-fixtures/docker-with-source, 1) adding org.opencontainers.image.source labels to Dockerfiles and 2) tagging the repository with the same tags as the published Docker images?

For Cypress Docker images to support GitHub Dependabot version updates would require a re-design of the whole Cypress Docker image creation and publication process as far as I can see.

> 1. adding org.opencontainers.image.source labels to Dockerfiles

Cypress Docker images do not have a 1:1 relationship to a specific Dockerfile.

> 2. tagging the repository with the same tags as the published Docker images?

Reading the Dependabot documentation it seems that tags would need to be semver compliant and I assume it would mean creating separate GitHub repos to correspond to each of the Docker Hub repos factory, base, browsers and included, which are currently fed from this one GitHub repo.

@anscfrisson
Author

anscfrisson commented Nov 21, 2024

Thanks @MikeMcC399 for the update!

I understand that supporting dependabot for cypress-docker-images might then not be planned soon as it requires a re-design?

Would there be other opportunities from the list of dependabot package-ecosystem to auto-update browsers supported by cypress?

For instance:

  • relying on a npm/yarn package that would at minimum reference browsers versions?
  • referencing web browsers tags as git submodules?

Then to fetch browsers there are options:

@MikeMcC399
Collaborator

MikeMcC399 commented Nov 21, 2024

@anscfrisson

> I understand that supporting dependabot for cypress-docker-images might then not be planned soon as it requires a re-design?

You can assume that there are no major enhancements planned unless the Cypress.io team announces them.

> Would there be other opportunities from the list of dependabot package-ecosystem to auto-update browsers supported by cypress?

I don't see any simple way to use Dependabot. If you are not tied to Dependabot, you may want to look at https://docs.renovatebot.com/docker/ which is able to update cypress/factory, cypress/base and cypress/included (short-form tag only) as these tags use semver formats.

@MikeMcC399
Collaborator

It would be possible to extend this scheme also to cypress/browsers. This would be similar to the way that CircleCI handles tagging. I will submit a separate enhancement request to describe this so that it could be used with Renovate.

@anscfrisson
Author

Thanks @MikeMcC399 for the tip, I'll look into renovatebot, and for the opportunity to extend its support to cypress/browsers.

@MikeMcC399
Collaborator

@anscfrisson

It seems I was too optimistic in thinking that the Renovate Docker implementation would help in GitHub Actions. Reading the docs, GitHub Actions aren't listed. CircleCI is listed however, so it would have some benefit.

@anscfrisson
Author

anscfrisson commented Nov 22, 2024

@MikeMcC399

Seems like it is possible to use renovate with GitHub Actions with this app https://github.com/apps/renovate

This app is free to install for both public and private repositories. Service is provided complimentary of Mend (formerly known as WhiteSource) and no paid plan is required.

@MikeMcC399
Collaborator

@anscfrisson

> Seems like it is possible to use renovate with GitHub Actions with this app https://github.com/apps/renovate
>
> This app is free to install for both public and private repositories. Service is provided complimentary of Mend (formerly known as WhiteSource) and no paid plan is required.

If you can find a section which says that Docker images used in GitHub Actions can be updated by Renovate, that would be great. That was however not my understanding of the documentation.

@anscfrisson
Author

anscfrisson commented Nov 22, 2024

@anscfrisson

> If you can find a section which says that Docker images used in GitHub Actions can be updated by Renovate, that would be great. That was however not my understanding of the documentation.

@MikeMcC399

I looked at https://docs.renovatebot.com/docker/
Then searched iteratively:

The following example among candidates of the second search seems to show a proof of concept:

edit:

plus renovate-created issue/PR:

@MikeMcC399
Collaborator

MikeMcC399 commented Nov 24, 2024

@anscfrisson

@MikeMcC399
Collaborator

MikeMcC399 commented Nov 25, 2024

@anscfrisson

Sorry that there was a little confusion, as your original example was about updating a Cypress browser Docker image in a docker/chrome/Dockerfile for instance. This would be covered by the proposed change to support Renovate.

I was additionally asking about updating Cypress Docker images in a GitHub Actions workflow, such as https://github.com/cypress-io/github-action/blob/master/.github/workflows/example-docker.yml. And as far as I can see, that would not be covered by Renovate.

If you have any further comments about using Renovate, please feel free to add them to the new issue #1255. EDIT: The issue is now closed as resolved.

We can keep this issue (#1250) to discuss Dependabot updates only.

@MikeMcC399
Collaborator

> I was additionally asking about updating Cypress Docker images in a GitHub Actions workflow, such as https://github.com/cypress-io/github-action/blob/master/.github/workflows/example-docker.yml. And as far as I can see, that would not be covered by Renovate.

Although it's not explicitly documented, Renovate is updating cypress/browsers images in GitHub Actions workflows, if they use the short-form version tag.
