pre-commit-shfmt

shfmt-docker is pulled without the TAG being applied, docker has the image as dangling

Open drjasonharrison opened this issue 1 year ago • 2 comments

I'm not sure if this is a pre-commit or shfmt-docker issue. I noticed that when using pre-commit version 2.17.0 (yes, an old version, but read on) and this hook definition:

      rev: v3.9.0-1
      hooks:
          - id: shfmt-docker
            args: ["-i", "4"]
            stages: [commit]

my docker repo contains:

$ docker images
REPOSITORY                  TAG       IMAGE ID       CREATED          SIZE
<none>                      <none>    ba0ce9908660   22 minutes ago   11.9GB
mvdan/shfmt                 <none>    b6f4a7d5d056   7 weeks ago      2.83MB
ghcr.io/hadolint/hadolint   latest    da13a5ec2e84   23 months ago    2.43MB
koalaman/shellcheck         v0.8.0    72bc383380ff   2 years ago      6.75MB

The other docker images for hadolint and shellcheck have TAGs, but shfmt does not. This means it would be deleted when a docker image prune command is executed:

$ docker image prune --force
Deleted Images:
deleted: sha256:ba0ce99086600356ebc20b1a050c394cbfb4f08ea3893eb6b68993e3cfa05b21
untagged: mvdan/shfmt@sha256:cb4ca87cc18e52f184a7ba1ae1ef7350b79a2c216ace78a0d24b473e87f0b8f5
deleted: sha256:b6f4a7d5d0568fbefd84aa16c8db977072c2e829c59361f81f1676b5bdb4f096
deleted: sha256:8822eef318b8f8686b7edaa4f64588a0c8ff57f8444efd5ca802ab166ddf04d8
untagged: mvdan/shfmt@sha256:c029770b8d8091b482cd1b30bd190d1d422bb5787e6ddc7894ef7d9784578690
deleted: sha256:3aece85f3e760e83fdd8d496647d286211a6cd97d666052783dbf272fdff79fb
deleted: sha256:276e42dbc91b42effdc45067b0b1778d58dcc03d297709d3270cea2eb0375b83

this leaves

$ docker images
REPOSITORY                  TAG      IMAGE ID       CREATED          SIZE
ghcr.io/hadolint/hadolint   latest   da13a5ec2e84   23 months ago    2.43MB
koalaman/shellcheck         v0.8.0   72bc383380ff   2 years ago      6.75MB

I suspect, because of the TAGs on hadolint and shellcheck, that it is something on the shfmt side of things rather than in pre-commit.

drjasonharrison, Oct 09 '24 19:10

This seems to be a docker thing: when pulling an image having a tag and a digest, the tag does not get pulled.

$ docker images | grep shfmt
$ docker pull "mvdan/shfmt:v3.9.0@sha256:cb4ca87cc18e52f184a7ba1ae1ef7350b79a2c216ace78a0d24b473e87f0b8f5"
docker.io/mvdan/shfmt@sha256:cb4ca87cc18e52f184a7ba1ae1ef7350b79a2c216ace78a0d24b473e87f0b8f5: Pulling from mvdan/shfmt
bf481ca7fca6: Pull complete 
Digest: sha256:cb4ca87cc18e52f184a7ba1ae1ef7350b79a2c216ace78a0d24b473e87f0b8f5
Status: Downloaded newer image for mvdan/shfmt@sha256:cb4ca87cc18e52f184a7ba1ae1ef7350b79a2c216ace78a0d24b473e87f0b8f5
docker.io/mvdan/shfmt:v3.9.0@sha256:cb4ca87cc18e52f184a7ba1ae1ef7350b79a2c216ace78a0d24b473e87f0b8f5
$ docker images | grep shfmt
mvdan/shfmt   <none>     b6f4a7d5d056   8 weeks ago     2.83MB

docker pull has --all-tags, but

$ docker pull --all-tags "mvdan/shfmt:v3.9.0@sha256:cb4ca87cc18e52f184a7ba1ae1ef7350b79a2c216ace78a0d24b473e87f0b8f5"
tag can't be used with --all-tags/-a

I'm afraid I don't see this being fixed any time soon. I'm not inclined to remove the digest from the image in the hook config, as it's a security measure. pre-commit could add some ugly workarounds or docker change its behavior, but I find both quite unlikely at least in the short term.

An untested and possibly somewhat inconvenient workaround for cases where the user of this hook is willing to give up digest pinning could be to override entry in their local .pre-commit-config.yaml with an image without the digest, like

  entry: --net none mvdan/shfmt:v3.9.0

scop, Oct 14 '24 06:10
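
A way to keep the digest pin and still end up with a tagged local image, as an added example that is not from this thread or from pre-commit-shfmt: pull by digest, then apply the tag locally with `docker tag`. `split_ref` and `pin_and_tag` are hypothetical helper names, and the example assumes a local tag is enough for the image to survive `docker image prune`, as it was for the tagged hadolint and shellcheck images above.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the hook repository.
# Usage (after sourcing this file): pin_and_tag "mvdan/shfmt:v3.9.0@sha256:<digest>"

# split_ref REF: print "REPO TAG DIGEST" for a name:tag@sha256:<64 hex> reference.
# Fails if the tag or digest is missing or the digest is malformed.
split_ref() {
    ref=$1
    case $ref in *@*) ;; *) return 1 ;; esac
    name=${ref%%@*}
    digest=${ref#*@}
    hex=${digest#sha256:}
    [ "$hex" != "$digest" ] && [ "${#hex}" -eq 64 ] || return 1
    case $hex in *[!0-9a-f]*) return 1 ;; esac
    # Only a ':' in the last path component is a tag; "localhost:5000/x" has none.
    last=${name##*/}
    case $last in *:*) ;; *) return 1 ;; esac
    tag=${last##*:}
    repo=${name%:*}
    [ -n "$tag" ] && [ -n "$repo" ] || return 1
    printf '%s %s %s\n' "$repo" "$tag" "$digest"
}

# pin_and_tag REF: pull the content named by the digest, then tag it locally.
# The digest, not the tag, decides what is pulled; the tag is only a local label.
pin_and_tag() {
    parts=$(split_ref "$1") || { echo "not a tag@digest reference: $1" >&2; return 2; }
    set -- $parts
    repo=$1 tag=$2 digest=$3
    docker pull "$repo@$digest" || return 1
    # Resolve the pulled digest to the local image ID and tag that exact image.
    id=$(docker image inspect --format '{{.Id}}' "$repo@$digest") || return 1
    docker tag "$id" "$repo:$tag"
}
```

The hook's `entry` can keep its `tag@digest` reference unchanged; the local tag only changes how the image is listed by `docker images`.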

Thank you for the reply. Perhaps there is something on the docker side that can be done. I'll take a look.

drjasonharrison, Nov 25 '24 05:11