fix: Improve dockerfile_fragments.py to use marker-based substitution instead of regex on FROM lines

[jiridanek]

Problem

scripts/dockerfile_fragments.py uses regex substitution to replace Dockerfile instruction strings (like FROM registry.access.redhat.com/ubi9/go-toolset:...). This introduces ARG-based interpolation into FROM lines, which causes Renovate to skip those dependencies with skipReason: "contains-variable".

Affected image: registry.access.redhat.com/ubi9/go-toolset — skipped in ~12 Dockerfiles across jupyter/, rstudio/, runtimes/, codeserver/ directories.

The current approach also risks matching unintended lines if the regex pattern appears elsewhere in a Dockerfile.

Suggestion: marker-based substitution

Instead of matching on Dockerfile instruction strings, use explicit markers:

### BEGIN go-toolset
FROM registry.access.redhat.com/ubi9/go-toolset:1.25.8-1776370298 AS buildscripts
### END go-toolset

The fragment script would match on ### BEGIN <name> / ### END <name> and replace only the block between markers. This:

1. Lets Renovate track the FROM line normally (no ARG interpolation needed)
2. Makes the substitution explicit and auditable
3. Avoids accidental matches on similar instruction strings elsewhere

Alternative: ARG + custom.regex manager

Add an ARG GO_TOOLSET_VERSION=1.25.8-1776370298 at the top and use FROM registry.access.redhat.com/ubi9/go-toolset:${GO_TOOLSET_VERSION}. Then add a custom.regex manager entry (similar to how BASE_IMAGE is handled via build-args/konflux.*.conf files) so Renovate can track the version through the ARG.

Affected files

From the Renovate debug log, these show contains-variable for go-toolset:

• Multiple Dockerfiles across jupyter/, rstudio/, runtimes/ directories (~12 instances)
• scripts/dockerfile_fragments.py itself

Note

The go-toolset image should NOT use :latest — it should be pinned to a specific version tag. The allowedVersions: "/^1\\./" rule in .github/renovate.json5 already restricts go-toolset to Go 1.x tags, which is correct.

[jiridanek]

@coderabbitai critically analyze the evidence and the proposals

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh issue view 3402 --repo opendatahub-io/notebooks --json title,body,comments,author,labels,state | jq '.'

Repository: opendatahub-io/notebooks
Length of output: 75

---

🏁 Script executed:

#!/bin/bash
# Fetch issue `#3402` from opendatahub-io/notebooks via GitHub API (public, no auth needed)
curl -s "https://api.github.com/repos/opendatahub-io/notebooks/issues/3402" | jq '{title, body, state, user: .user.login, labels: [.labels[].name]}'
echo "---COMMENTS---"
curl -s "https://api.github.com/repos/opendatahub-io/notebooks/issues/3402/comments" | jq '[.[] | {user: .user.login, body}]'

Length of output: 2370

---

🏁 Script executed:

#!/bin/bash
echo "=== dockerfile_fragments.py ==="
fd -i "dockerfile_fragments.py" --exec cat {}

echo ""
echo "=== renovate.json5 ==="
fd -i "renovate.json5" --exec cat {}

echo ""
echo "=== Sample Dockerfiles with go-toolset ==="
rg -l "go-toolset" --include="Dockerfile*"

echo ""
echo "=== go-toolset ARG/FROM usage patterns ==="
rg -n "go-toolset|GO_TOOLSET" --include="Dockerfile*" -C2

Repository: opendatahub-io/notebooks
Length of output: 18687

---

🏁 Script executed:

#!/bin/bash
echo "=== Renovate config file search ==="
fd -i "renovate" -e json5 -e json
fd -i "renovate"

echo ""
echo "=== Dockerfiles with go-toolset ==="
rg -l "go-toolset"

echo ""
echo "=== go-toolset FROM line patterns ==="
rg -n "go-toolset" -C3

echo ""
echo "=== ntb.blockinfile usage / definition ==="
fd -i "ntb.py" -o "ntb" --exec cat {}

Repository: opendatahub-io/notebooks
Length of output: 12652

---

🏁 Script executed:

#!/bin/bash
echo "=== First 30 lines of jupyter/datascience Dockerfile.cpu ==="
head -40 jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu

echo ""
echo "=== First 30 lines of jupyter/datascience Dockerfile.konflux.cpu ==="
head -40 jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu

echo ""
echo "=== ntb module location and blockinfile definition ==="
fd "ntb" -e py
rg -n "def blockinfile" -C10

echo ""
echo "=== Check for ARG GO_TOOLSET or similar anywhere ==="
rg -rn "ARG.*TOOLSET\|ARG.*GO_TOOL\|go.toolset.*ARG"

echo ""
echo "=== Check rstudio and codeserver Dockerfiles for go-toolset ==="
rg -rn "go-toolset" runtimes/ codeserver/ rstudio/ 2>/dev/null || echo "not found in those dirs"

echo ""
echo "=== Look for any Renovate config (yaml, json, json5) ==="
fd -e json5 -e json -e yaml -e yml | xargs grep -l -i "renovate" 2>/dev/null | head -20

Repository: opendatahub-io/notebooks
Length of output: 4144

---

@jiridanek Here's a critical analysis of the issue's evidence and both proposals:

---

Critical Analysis: Issue #3402

Claim 1: "dockerfile_fragments.py uses regex substitution on FROM lines, introducing ARG-based interpolation"

This is factually incorrect based on the current code.

The script already uses a marker-based substitution system (ntb.blockinfile() from ntb/strings.py), replacing content between ### BEGIN <key> / ### END <key> delimiters. The only regex in the file (MICROPIPENV_UV_INLINE_LINE_RE) targets RUN pip install lines for micropipenv/uv — it has nothing to do with FROM lines or go-toolset.

Confirmed by inspecting all 14 affected Dockerfiles: every go-toolset FROM line is already literal and pinned, for example in jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu (Line 10):

FROM registry.access.redhat.com/ubi9/go-toolset:1.25.8-1776370298 AS mongocli-builder

There is no ARG-based interpolation for go-toolset anywhere in the codebase. rg across the entire repo finds zero matches for ARG.*TOOLSET, ARG.*GO_TOOL, etc.

---

Claim 2: "~12 Dockerfiles affected across jupyter/, rstudio/, runtimes/, codeserver/"

Partially supported, but the directory scope is wrong. There are exactly 14 Dockerfiles with go-toolset references, all in jupyter/. The runtimes/, codeserver/, and rstudio/ directories contain zero go-toolset references. This undermines the scope of the claimed problem.

---

Claim 3: allowedVersions: "/^1\\./" rule exists in .github/renovate.json5

Unverifiable — the file does not exist. There is no renovate.json5 in this repository. Renovate appears to be managed externally via Mintmaker (per docs/architecture/decisions/0013-renovate-mintmaker-and-self-hosted-github-actions.md). Any claim about a config rule in that file is unsupported.

---

The actual likely cause of skipReason: "contains-variable"

The 14 affected Dockerfiles all start with:

ARG BASE_IMAGE
...
FROM registry.access.redhat.com/ubi9/go-toolset:1.25.8-1776370298 AS mongocli-builder
...
FROM ${BASE_IMAGE} AS cpu-base   ← variable-interpolated FROM

Renovate's Dockerfile manager can flag all FROM lines in a file when any one of them uses a variable (${BASE_IMAGE}). This is the most plausible root cause of skipReason: "contains-variable" for go-toolset — it's a Renovate file-level attribution issue, not a script-generated ARG interpolation problem. A secondary possibility is that Renovate's version scheme detection fails on the compound tag format 1.25.8-1776370298 (it's a Go version concatenated with a build timestamp), causing it to fall back to the contains-variable skip reason in error.

Neither cause has anything to do with dockerfile_fragments.py.

---

Proposal 1: Marker-based substitution

Already implemented. ntb.blockinfile() with ### BEGIN/### END markers is the current mechanism. This proposal is asking for something that already exists. Adding ### BEGIN go-toolset / ### END go-toolset markers around the FROM line would not help Renovate, because the FROM line is already literal — the marker system would just make it regenerable, not more parseable by Renovate.

Proposal 2: ARG + custom.regex manager

Regressive. This introduces the very ARG-based FROM pattern (FROM ... ${GO_TOOLSET_VERSION}) that the issue's own premise identifies as problematic (contains-variable). Trading Renovate's native Dockerfile parser for a custom.regex rule is strictly worse in maintainability and fragility, and it requires modifying an external Renovate config (Mintmaker-managed) that the team may not directly control.

---

What should actually be investigated

1. Root cause in Renovate: Check if the FROM ${BASE_IMAGE} line is causing Renovate to skip all FROM lines in the same file. A workaround might be to configure a fileMatch or ignorePaths exception in the Mintmaker config, or to use Renovate's packageRules with matchFiles to force-enable the go-toolset package.
2. Version scheme: Verify whether Renovate correctly interprets 1.25.8-1776370298 as a version. If it doesn't, a versioning override for registry.access.redhat.com/ubi9/go-toolset in the Mintmaker config would be the correct fix.
3. Unused replacements?: The "mongocli-builder stage" and "mongocli-builder stage with s390x support" entries in dockerfile_fragments.py's replacements dict don't appear to match any ### BEGIN markers in the currently committed Dockerfiles. These entries may be dead code that was never wired up, or they target Dockerfiles that haven't been added yet.

In short: the issue diagnoses the wrong mechanism, both proposals either duplicate existing behavior or introduce regression, and the actual fix belongs in Renovate/Mintmaker configuration — not in dockerfile_fragments.py.