
Only push newly built image if it is different from registry image

micah requested to merge push_changed into main

Add functionality to determine if the newly built mmdebstrap'd result is different from the one in the registry, and only push it to the registry if it is different. If it is different, then something has updated, and we want the newer version in the registry. If it is not different, then we do not want to push this newer version.

The reason why we don't want to push the newer version is because the container digest changes each time, even if the contents are the same. If a container digest changes, then you cannot track that version by pinning the container digest, or handle updates with something like renovate. If the digest changes, and you've pinned to the previous digest, then you will need to build new containers that depended on the previous digest, but if the actual underlying mmdebstrapped rootFS didn't change, then there is no reason to churn the containers.

The reason the container digest changes is due to timestamps that podman import puts in there, and no amount of libfaketime has been able to change that (see https://github.com/containers/podman/issues/14978#issuecomment-1750655731).

So what we do is look at the sha256 of the rootFS contained in the initial layer, and if it is the same as what is in the registry, then we've rebuilt the same image and we do not need to push this one.

This allows us to set up a scheduled rebuild of this image on a regular basis, but keep churn down.
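The following is an added example, not code from this merge request or the project, showing the comparison the description outlines: two OCI image config documents that carry the same initial-layer rootfs diff ID but different `created` timestamps produce different config digests, yet the rootfs comparison still reports "nothing changed, do not push". The config JSON documents are constructed sample data; in practice the local one would come from `podman image inspect` and the registry one from `skopeo inspect --config` (those commands are assumptions about how a caller would obtain the input, not part of the example).

```python
import copy
import hashlib
import json

# Constructed sample OCI image configs (not real images). The rootfs layer is
# identical in both; only the timestamps podman import writes differ.
LOCAL_CONFIG = {
    "created": "2024-05-02T03:00:00Z",
    "architecture": "amd64",
    "os": "linux",
    "rootfs": {"type": "layers", "diff_ids": ["sha256:" + "ab" * 32]},
    "history": [{"created": "2024-05-02T03:00:00Z", "created_by": "podman import"}],
}
REGISTRY_CONFIG = copy.deepcopy(LOCAL_CONFIG)
REGISTRY_CONFIG["created"] = "2024-05-01T03:00:00Z"
REGISTRY_CONFIG["history"][0]["created"] = "2024-05-01T03:00:00Z"


def config_digest(config):
    """sha256 of the config document, computed over a canonical JSON encoding.

    This is the digest that changes on every rebuild because of the embedded
    timestamps, which is why pinning by digest alone causes needless churn.
    """
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def initial_layer_diff_id(config):
    """Return the diff ID (sha256 of the uncompressed rootfs tar) of layer 0."""
    diff_ids = config.get("rootfs", {}).get("diff_ids", [])
    if not diff_ids:
        raise ValueError("image config has no rootfs layers")
    return diff_ids[0]


def should_push(local_config, registry_config):
    """Decide whether the freshly built image needs to go to the registry.

    Push when the registry has no image yet, or when the initial layer's
    rootfs content differs. Identical rootfs means the rebuild produced the
    same content and only metadata changed, so the existing image stays.
    """
    if registry_config is None:
        return True
    return initial_layer_diff_id(local_config) != initial_layer_diff_id(registry_config)


if __name__ == "__main__":
    print("local digest:   ", config_digest(LOCAL_CONFIG))
    print("registry digest:", config_digest(REGISTRY_CONFIG))
    print("push needed:    ", should_push(LOCAL_CONFIG, REGISTRY_CONFIG))
```

Comparing layer 0 only is the check the description specifies; an image whose later layers are regenerated identically would also be caught by comparing the whole `diff_ids` list, but for a single-layer mmdebstrap import the two are equivalent.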

Note: this depends on !3 (merged) and !4 (merged) being merged first.
