Generate Docker image tags that are compatible with Dependabot

[nhhagen]

Our current tag scheme gitc-${GITHASH} e.g. gitc-074217add42f811cc10ae667bb98e9dd0a772313 is not compatible with Dependabot when used in combination with digests.

When a Dockerfile is defined like bellow Dependabot cannot find any updates for the images even if there are updates available.

FROM ghcr.io/coopnorge/engineering-docker-images/e0/devtools-golang-v1beta1:gitc-0dccc1b2eaba57b71d5ea85638038222ccf9cb4d@sha256:a6c1a8d62bce6a2675327371e2758ccef2aeb57073260c5f498df3e2df1a1c26 AS golang-devtools
FROM ghcr.io/coopnorge/engineering-docker-images/e0/techdocs:gitc-385d3f0481b4513bb75e78ab9b348de4ede51fd1@sha256:65f201075361789374934ac4b260b9bb0ff65930bcd81f60fb5ed1e696b79ee5 as techdocs
FROM ghcr.io/coopnorge/engineering-docker-images/e0/devtools-terraform-v1beta1:gitc-aa0e3d881e246f07ff3e03b24aab7631d89d14f3@sha256:bf2d5aa1267f81b19e2a1211e99a91247373781a93372beed3fd692959ca635a AS terraform-devtools

When updating the Dockerfile to use latest as the tag Dependabot is able to update the image.

FROM ghcr.io/coopnorge/engineering-docker-images/e0/devtools-golang-v1beta1:latest@sha256:1890d00b5eaac5cdd68f7594e944fea46fddd518e381f7768d13e93bc02ce6e3 AS golang-devtools
FROM ghcr.io/coopnorge/engineering-docker-images/e0/techdocs:latest@sha256:15b82f7101db89aefd224070e1a15306180b3734637684d9e8a23b3522b6c86e AS techdocs
FROM ghcr.io/coopnorge/engineering-docker-images/e0/devtools-terraform-v1beta1:latest@sha256:53a3db27068919d9483de2a44afc05f5eadb1b0dca75e6e985b3f22e7352ca95 AS terraform-devtools

Here is an example of a working update:

• https://github.com/coopnorge/helloworld/pull/420/files

Using latest as the tag and the image digest as the only way of communicating the version of an image is not very human friendly and causes a poor developer experience.

Ideally er should have a versioned tag that is both human friendly and allows Dependabot to update the image when using a digest as a part of the image reference.

Working example:

• Bump library/node from 20.6.0-bullseye to 20.6.1-bullseye in /images/techdocs/context #1249

Find solution to generate a human friendly image tag that can be used in combination with an image digest that Dependabot can maintain. As a part of this we need to figure out what the image tag pattern should be, SemVer is an option.

Replaces:

• Move version component from image names to image tags #22

[MahdiZerara]

@nhhagen @arunpoudel should we try to opt for a similar versioning mechanism as in go-services-interfaces? Something like:
v1.0.0-${GITHASH}

[nhhagen]

For stable versions we should not include the commit hash in the version. If we can use release-drafter to create releases and tag the images correct when we publish a release we should get the track record we need and at the same time be able to release images at a sustainable pace.