Do Not Run a Container with the :latest Tag

Never ever use the latest tag when building Docker images…been there, done that, it was not pretty! 😅

If you remember (if you don’t, check here), I’m using Github Actions as a pipeline to publish my blog post.

[…] I commit my new content (or my changes) to a private GitHub repository. The commit will trigger a GitHub Actions workflow that will create a container, install Hugo with a specific version, clone my repository, build the content using the hugo CLI, sync the generated HTML / CSS / images to AWS S3 and invalidate my CloudFront distribution.

After writing my Full 0.12 Syntax Support with the new Terraform Visual Studio Code Extension post, I pushed the new content to my Github repository, and I left my desk. When I checked later, I noticed that the article was not online (usually it takes a few minutes). It didn’t take me long to discover that my workflow in Github Actions was failed.

As you can see in the screenshot above, I had a Python dependency error (Python is required for AWS CLI in my publication workflow).

RUN apk -v --update add python
ERROR: unsatisfiable constraints:
  python (missing):
    required by: world[python]

I’m using Alpine as the base image for the container that handles the publication process. But, Alpine recently stopped providing the python package (more precisely in 3.12). In a Dockerfile, the FROM instruction specifies the parent image from which you are building. Mine was FROM alpine:latest…which means that it picked the latest Alpine image where Python was missing.

To fix it, I corrected the FROM alpine:latest intruction to FROM alpine:3.11.6.

Obviously, I could change to python2 or python3, but that’s not the goal of this blog post today. 😉

In closing, if you use latest, you always depend on the people that maintain the images.

Note: I’m talking about Docker images here, but it’s true for any component/system that have use such tags.