A newly pulled updater image is removed at the end of the same dependabot job #10493
Description
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
npm
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
No response
dependabot.yml content
No response
Updated dependency
No response
What you expected to see, versus what you actually saw
When running dependabot on self-hosted runners, I can see that the docker images are pulled from the registry, in the Run Dependabot step with output like this:
Pulling updater images
Pulling image ghcr.io/dependabot/dependabot-updater-npm:1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72...
Pulled image ghcr.io/dependabot/dependabot-updater-npm:1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72
Pulling image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20240822164746@sha256:158d34720d277bbe051c60705a72a43a72e0e8db961c094fc246ab4c86f8871a...
Pulled image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20240822164746@sha256:158d34720d277bbe051c60705a72a43a72e0e8db961c094fc246ab4c86f8871a
Then in the Post Run Dependabot step, I see this:
Post job cleanup.
Pruning networks older than 24h
Pruning containers older than 24h
Cleaning up images for ghcr.io/dependabot/dependabot-updater-bundler
Cleaning up images for ghcr.io/dependabot/dependabot-updater-cargo
Cleaning up images for ghcr.io/dependabot/dependabot-updater-composer
Cleaning up images for ghcr.io/dependabot/dependabot-updater-pub
Cleaning up images for ghcr.io/dependabot/dependabot-updater-docker
Cleaning up images for ghcr.io/dependabot/dependabot-updater-elm
Cleaning up images for ghcr.io/dependabot/dependabot-updater-github-actions
Cleaning up images for ghcr.io/dependabot/dependabot-updater-gitsubmodule
Cleaning up images for ghcr.io/dependabot/dependabot-updater-gomod
Cleaning up images for ghcr.io/dependabot/dependabot-updater-gradle
Cleaning up images for ghcr.io/dependabot/dependabot-updater-maven
Cleaning up images for ghcr.io/dependabot/dependabot-updater-mix
Cleaning up images for ghcr.io/dependabot/dependabot-updater-nuget
Cleaning up images for ghcr.io/dependabot/dependabot-updater-npm
Cleaning up images for ghcr.io/dependabot/dependabot-updater-pip
Cleaning up images for ghcr.io/dependabot/dependabot-updater-swift
Cleaning up images for ghcr.io/dependabot/dependabot-updater-terraform
Cleaning up images for ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy
Removing image sha256:32cacb8bcc0e33da6a11d16816106e321062cd48111635468f66de5ee8bb1600
Skipping current image sha256:36595cd5ab82a2b837ef2e2785017e57c7779c2879bb45f4cc26a52aefd7a238
After the images had been pulled, but before the cleanup started, I saw this line when running docker images in a terminal:
ghcr.io/dependabot/dependabot-updater-npm 1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72 32cacb8bcc0e 3 hours ago 988MB
So, it can be seen that the ghcr.io/dependabot/dependabot-updater-npm image that got pulled is the same that got removed.
While this technically works, it's a big waste of bandwidth if there are several dependabot jobs to be executed on the same runner, as is the case for my use case.
From what I can tell, this happens when the updater entry in https://github.com/github/dependabot-action/blob/main/docker/containers.json is not aligned with the main branch of https://github.com/dependabot/dependabot-core, i.e. GitHub instructs the dependabot-action to use a newer image revision than what is recorded in the containers.json file.
The expected behavior would be that the up-to-date updater image should be kept even if it's not the one recorded in the containers.json file.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
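The cleanup the report describes, reproduced as an added example rather than dependabot-action's own code: a POSIX sh stand-in for the "Post Run Dependabot" step that, per image repository, keeps only the image ID recorded in containers.json and marks every other local image of that repository for removal. The containers.json layout, the `docker images` listing and the second npm tag are constructed for the demo (the real file records image references, not bare IDs), and nothing is actually deleted.

```shell
#!/bin/sh
# Added example, not dependabot-action's code: simulate the per-repository
# image cleanup and show why a freshly pulled updater image gets removed when
# containers.json still records an older revision.

# Constructed stand-in for docker/containers.json: "repo image-id" pairs.
# Assumption for the demo; the real file holds full image references.
RECORDED_IMAGES='ghcr.io/dependabot/dependabot-updater-npm 36595cd5ab82
ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy 7d2b1c0f9e4a'

# Constructed stand-in for `docker images` output: "repo tag image-id".
# The npm updater pulled in this job (32cacb8bcc0e) is NOT the recorded one;
# the second npm tag and its ID are invented to show the "Skipping" branch.
LOCAL_IMAGES='ghcr.io/dependabot/dependabot-updater-npm 1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72 32cacb8bcc0e
ghcr.io/dependabot/dependabot-updater-npm 0a1b2c3d4e5f 36595cd5ab82
ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy v2.0.20240822164746 7d2b1c0f9e4a'

# recorded_id REPO -> prints the image ID containers.json records for REPO
# (empty if REPO is not listed, in which case every local image is removed).
recorded_id() {
    printf '%s\n' "$RECORDED_IMAGES" | awk -v r="$1" '$1 == r { print $2 }'
}

# cleanup_images REPO -> one "Removing"/"Skipping" line per local image of
# REPO, mirroring the action's log. A real implementation would run
# `docker rmi "$id"` on the Removing branch; this stand-in only reports.
cleanup_images() {
    repo=$1
    current=$(recorded_id "$repo")
    echo "Cleaning up images for $repo"
    printf '%s\n' "$LOCAL_IMAGES" | awk -v r="$repo" '$1 == r { print $3 }' |
    while read -r id; do
        if [ "$id" = "$current" ]; then
            echo "Skipping current image $id"
        else
            echo "Removing image $id"
        fi
    done
}

# removed_ids REPO -> only the IDs that would be deleted (handy for checks)
removed_ids() {
    cleanup_images "$1" | awk '$1 == "Removing" { print $3 }'
}

# Stand-alone run: the image pulled this job is the one removed, because the
# pinned ID in containers.json lags behind what the job was told to use.
cleanup_images ghcr.io/dependabot/dependabot-updater-npm
cleanup_images ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy
```

The keep/remove decision is keyed on the recorded image ID alone, so a newer revision that the job itself just pulled is indistinguishable from stale leftovers; keeping the image the current job actually ran (or every image referenced in that job's pull step) would be the fix the report asks for.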