Do Not Run a Container with the :latest Tag
Never ever use the latest
tag when building Docker images…been there, done that, it was not pretty! 😅
If you remember (if you don’t, check here), I’m using Github Actions as a pipeline to publish my blog post.
[…] I commit my new content (or my changes) to a private GitHub repository. The commit will trigger a GitHub Actions workflow that will create a container, install Hugo with a specific version, clone my repository, build the content using the hugo CLI, sync the generated HTML / CSS / images to AWS S3 and invalidate my CloudFront distribution.
After writing my Full 0.12 Syntax Support with the new Terraform Visual Studio Code Extension post, I pushed the new content to my Github repository, and I left my desk. When I checked later, I noticed that the article was not online (usually it takes a few minutes). It didn’t take me long to discover that my workflow in Github Actions was failed.

As you can see in the screenshot above, I had a Python dependency error (Python is required for AWS CLI in my publication workflow).
RUN apk -v --update add python
ERROR: unsatisfiable constraints:
python (missing):
required by: world[python]
I’m using Alpine as the base image for the container that handles the publication process. But, Alpine recently stopped providing the python
package (more precisely in 3.12). In a Dockerfile, the FROM instruction specifies the parent image from which you are building. Mine was FROM alpine:latest
…which means that it picked the latest Alpine image where Python was missing.
To fix it, I corrected the FROM alpine:latest
intruction to FROM alpine:3.11.6
.
Obviously, I could change to python2
or python3
, but that’s not the goal of this blog post today. 😉
In closing, if you use latest
, you always depend on the people that maintain the images.
Note: I’m talking about Docker images here, but it’s true for any component/system that have use such tags.