Use latest dependency versions in devcontainer (#78)

Prior to this commit we were pinning specific apt-get versions in the devcontainer, in order to avoid the devcontainer breaking due to a version of a dependency changing. In practice the risk of this is very small though, and the cost of using pinned apt-get versions was outweighing the perceived benefit.
SpectoLabs · Oct 23, 2022 · b8263d6 · b8263d6
1 parent e91cf57
commit b8263d6
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 57 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -8,10 +8,11 @@ FROM mcr.microsoft.com/vscode/devcontainers/base:${VARIANT}
 
 ARG SHELLCHECK_VERSION="v0.7.1"
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+# hadolint ignore=DL3008
 RUN apt-get update \
     && export DEBIAN_FRONTEND=noninteractive \
 # Install xz-utils to extract tarballs
-    && apt-get -y install --no-install-recommends xz-utils=5.2.4-1 \
+    && apt-get -y install --no-install-recommends xz-utils \
 # Install shellcheck (apt-get doesn't install the latest version needed by VS code, so installing from GitHub release, see:
 # https://askubuntu.com/a/1228181)
     && mkdir -p /tmp/shellcheck \

diff --git a/.github/DEPENDENCIES.md b/.github/DEPENDENCIES.md
@@ -47,13 +47,7 @@ For major version updates, we should test that the remote container works succes
 
 ## Dockerfile dependencies
 
-We have [pinned the linux dependencies in the devcontainer Dockerfile](https://github.com/agilepathway/hoverfly-github-action/pull/46/files), but there is no mechanism to automatically update them, currently.  It looks like [it's on Dependabot's roadmap](https://github.com/dependabot/dependabot-core/issues/2129#issuecomment-511552345), so we have [an issue automatically created every 6 months](https://github.com/agilepathway/hoverfly-github-action/pull/59) to 
-1. update the dependencies manually
-2. see if Dependabot now offer this functionality
-
-### Updating the Dockerfile dependencies manually
-
-1. Temporarily unpin the versions (i.e. remove `=<version>` from each package in the Dockerfile)
-2. Execute the Dockerfile (e.g. if it's a remote container Dockerfile build the remote container)
-3. Run `apt-cache policy <package>` for each package, to see the version installed
-4. Pin all the versions, replacing any old versions with new ones
+We do not pin the linux apt-get dependencies in the devcontainer Dockerfile as
+[Dependabot currently does not support this](https://github.com/dependabot/dependabot-core/issues/2129), and also the
+risk of side effects due to an updated apt-get dependency in the devcontainer is very small indeed (and there's zero
+risk to production, as this is just in the devcontainer).
diff --git a/.github/ISSUE_TEMPLATE/scheduled/update-dockerfile-dependencies.md b/.github/ISSUE_TEMPLATE/scheduled/update-dockerfile-dependencies.md
diff --git a/.github/workflows/schedule_dockerfile_dependency_updates_issue.yml b/.github/workflows/schedule_dockerfile_dependency_updates_issue.yml