Docker Hub newDigest from tag API bypasses architecture-specific digest resolution

[dschmidt]

How are you running Renovate?

Self-hosted Renovate CLI

Which platform are you running Renovate on?

GitLab (.com or self-hosted)

Which version of Renovate are you using?

43.25.10

Please tell us more about your question or problem

When processing Docker Hub images, Renovate uses the tag_last_pushed API which returns a newDigest field containing the manifest list digest (multi-platform index). This digest is assigned to release.newDigest in datasource/docker/index.js:565, and the lookup code uses it directly via ??=, bypassing getDigest() and its architecture-specific resolution.

When an architecture-specific digest is already pinned (e.g. linux/amd64), Renovate's update broadens it to the manifest list digest, effectively changing the scope from a single platform to a multi-platform index.

Minimal reproduction

# Dockerfile — amd64-specific digest for postgres:16-alpine
# Obtained via: docker manifest inspect postgres:16-alpine | jq '.manifests[] | select(.platform.architecture == "amd64") | .digest'
FROM postgres:16-alpine@sha256:129fbfd388241accda7b15e38ada14b11c70698e01e5c8072265b0eaa03af010

Run Renovate with --dry-run=lookup and --platform local against a repo containing this Dockerfile.

Result: Renovate proposes updating to sha256:035b9ab53cfa147d7202b61f5f7782b939ae815b7d6bc81c96b7b42ff1fca950 (18-alpine) and sha256:97ff59a4e30e08d1c11bdcd9455e7832368c0572b576c9092cde2df4ae5552a3 (16-alpine digest update). Both are manifest list digests (16 platforms each).

Expected: Renovate should propose the linux/amd64-specific digest, e.g. sha256:9560e8419a4918b86a54703cebcb0c89c59b741ee2461761352336df09bacb87 for 18-alpine — a single-platform manifest. This is what getDigest() returns when it's actually called.

Root cause

In datasource/docker/index.js, the Docker Hub tag API response populates release.newDigest:

if (newDigest) {
    logger.once.debug({ documentationUrl: "https://github.com/renovatebot/renovate/issues/38659" }, "Using the `tag_last_pushed` ...");
    release.newDigest = newDigest;
}

Later in the lookup flow, this pre-populated newDigest is used via ??=, so getDigest() (which resolves the architecture-specific digest) is never called.

Our workaround

We remove the release.newDigest = newDigest assignment via an ESM loader hook, so getDigest() is always called and resolves the correct architecture-specific digest.

Logs (if relevant)

Logs

# Without workaround — getDigest() is never called, manifest list digest used:
DEBUG: Using the `tag_last_pushed` to determine the age of a release from Docker Hub. [...]
"newDigest": "sha256:035b9ab53cfa147d7202b61f5f7782b939ae815b7d6bc81c96b7b42ff1fca950"
# ^ This is a manifest list digest (16 platforms)

# With workaround — getDigest() is called, architecture-specific digest used:
DEBUG: getDigest(https://index.docker.io, library/postgres, 18-alpine)
DEBUG: getManifestResponse(https://index.docker.io, library/postgres, sha256:129fbfd..., head)
DEBUG: Current digest sha256:129fbfd... relates to architecture amd64
DEBUG: Architecture-specific digest or missing docker-content-digest header - pulling full manifest
DEBUG: getManifestResponse(https://index.docker.io, library/postgres, 18-alpine, getText)
"newDigest": "sha256:9560e8419a4918b86a54703cebcb0c89c59b741ee2461761352336df09bacb87"
# ^ This is an amd64-specific manifest digest