Support for Docker multi-stage builds

[Nishnha]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

Docker has a feature called multi-stage builds where Docker images can be split up and referenced later by name.

Dependabot currently supports updates to images using the FROM directive, but naming the images may cause the update to not work properly.

Another related issue is that Dependabot does not currently update images that have two FROM directives in a Dockerfile, which is common with multi-stage builds, as are the COPY and ARG directives

We should confirm what level of support we have for Docker images.

[igwejk]

Hi @Nishnha 👋,

I am assigned to DVAG from the expert services team. Do you have any workaround we could possibly offer the customer until a long term solution is available?

~ https://github.com/githubcustomers/DVAG/issues/210

[Nishnha]

Hi @igwejk, one workaround is to split up each build stage of the multi-stage Dockerfile into separate single-stage Dockerfiles and build the image with an Actions workflow.

Dependabot should then be able to keep the images used in each single-stage Dockerfile up to date.

There are some paved paths for this - Docker has an official build-push-action which can be used to build the image, and the GitHub cache action can help avoid having to rebuild each stage of the image every time the workflow runs, saving on costs and build times.

The image can also be built as separate jobs using the upload-artifact and download-artifact actions in case that fits their use case better.

[reitzmichnicht]

this feature would be really crucial for us to rely on dependency update management. Any estimation date?