Use digest-pinned images for Dockerfile container deploys #14343

Merged: th0m merged 1 commit into main from tlefebvre/container-dockerfile-deploy-digest on Jun 24, 2026

@th0m

@th0m th0m commented Jun 17, 2026

Contributor

Snapshot-enabled container applications are rejected by Cloudchamber unless configuration.image is a registry reference pinned by digest. Wrangler still lets users configure Dockerfile-backed containers with image = "./Dockerfile", but after building and pushing the image it deployed the mutable tag, which fails validation when experimental_enable_snapshots is enabled.

Return a digest-pinned image reference from pushed Dockerfile builds and use it in container application deploys. Preserve the local tag path for non-pushed builds, keep registry image URI deploys unchanged, and fall back to docker manifest inspect when Docker does not expose RepoDigests after push.

This lets Dockerfile-based Wrangler configs continue to work for snapshot-enabled container apps while giving Cloudchamber the immutable image reference it requires.


  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: fixing a bug

A picture of a cute animal (not mandatory, but encouraged)
image
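
What "pinned by digest" means for the references discussed in the description above, as an added TypeScript example (not Wrangler's or Cloudchamber's code; `parseImageRef`, `isDigestPinned`, `pinToDigest` and the sample registry names are hypothetical). It checks that a reference carries a well-formed sha256 digest and selects the `RepoDigests` entry that belongs to the repository that was pushed.

```typescript
// Added illustration; every name here is hypothetical, not Wrangler's API.
const DIGEST_RE = /^sha256:[a-f0-9]{64}$/;

interface ImageRef {
  repository: string;
  tag: string | undefined;
  digest: string | undefined;
}

// Split "host[:port]/path[:tag][@digest]". A colon is a tag separator only
// when it comes after the last "/"; before that it is a registry port.
function parseImageRef(ref: string): ImageRef {
  const at = ref.indexOf("@");
  const digest = at === -1 ? undefined : ref.slice(at + 1);
  const name = at === -1 ? ref : ref.slice(0, at);
  const colon = name.lastIndexOf(":");
  if (colon > name.lastIndexOf("/")) {
    return { repository: name.slice(0, colon), tag: name.slice(colon + 1), digest };
  }
  return { repository: name, tag: undefined, digest };
}

// True only for references that carry a well-formed sha256 digest.
function isDigestPinned(ref: string): boolean {
  const { digest } = parseImageRef(ref);
  return digest !== undefined && DIGEST_RE.test(digest);
}

// Pick the RepoDigests entry (as listed by `docker image inspect`) whose
// repository matches the pushed tag. Returns undefined when none matches,
// which is the point where a caller needs a registry-side lookup instead.
function pinToDigest(pushedTag: string, repoDigests: string[]): string | undefined {
  const { repository } = parseImageRef(pushedTag);
  for (const entry of repoDigests) {
    const parsed = parseImageRef(entry);
    if (parsed.repository === repository && isDigestPinned(entry)) {
      return `${repository}@${parsed.digest}`;
    }
  }
  return undefined;
}

// Constructed sample data: the same local image known under two registries.
const SAMPLE_DIGEST = "sha256:" + Array(65).join("a");
const SAMPLE_REPO_DIGESTS = [
  "mirror.example.net/app@sha256:" + Array(65).join("b"),
  "registry.example.com/acct/app@" + SAMPLE_DIGEST,
];
```

Matching on the repository matters because a local image can list digests for several registries, and only the entry for the pushed repository is a reference the target registry can resolve.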

@changeset-bot

changeset-bot Bot commented Jun 17, 2026


🦋 Changeset detected

Latest commit: 33d7240

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
wrangler Patch
@cloudflare/vite-plugin Patch
@cloudflare/vitest-pool-workers Patch

@ask-bonk ask-bonk Bot left a comment

Contributor

I'm Bonk, and I've done a quick review of your PR.

Returns a digest-pinned image reference from pushed Dockerfile builds (with a docker manifest inspect fallback) and always deploys that digest instead of falling back to the previous app's tag.

The core logic looks sound and is well covered by the updated tests:

  • findRemoteDigest/imageRefWithDigest correctly resolve the repo and re-attach the digest, and the resolveImageName idempotency means passing the already-namespaced tag in the post-push path is safe.
  • Dropping the prevApp?.configuration.image fallback is the right call given Cloudchamber now requires a digest-pinned reference, and the early-exit ("already exists remotely") path also returns a digest, so deploys stay consistent.

One actionable item:

  1. (medium) Missing changeset. This is a user-facing behavior change to wrangler (Dockerfile container deploys now publish a digest-pinned image reference instead of a mutable tag), so per the repo conventions it needs a changeset or it won't trigger a release. The changeset-bot also flagged this. A patch changeset describing the fix would do, e.g.:

    ---
    "wrangler": patch
    ---
    
    Use digest-pinned images for Dockerfile container deploys
    
    Snapshot-enabled container applications require `configuration.image` to be a registry reference pinned by digest. Dockerfile-backed containers now deploy the pushed image's digest reference instead of the mutable tag.

    Alternatively, add the no-changeset-required label if you intend to ship this without a release.

@ask-bonk

ask-bonk Bot commented Jun 17, 2026

Contributor

Review posted successfully to PR #14343.

I reviewed PR #14343 ("Use digest-pinned images for Dockerfile container deploys"). The core logic is sound and well-tested:

  • The digest resolution functions (findRemoteDigest/imageRefWithDigest) correctly handle both namespaced and non-namespaced tags via resolveImageName idempotency.
  • Dropping the prevApp?.configuration.image fallback in favor of always using the digest is correct given the Cloudchamber requirement, and the early-exit path also returns a digest, keeping deploys consistent.

The one actionable item is the missing changeset for a user-facing wrangler behavior change, which I flagged with a ready-to-use patch changeset suggestion.

@pkg-pr-new

pkg-pr-new Bot commented Jun 17, 2026

@cloudflare/autoconfig

npm i https://pkg.pr.new/@cloudflare/autoconfig@14343

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@14343

@cloudflare/deploy-helpers

npm i https://pkg.pr.new/@cloudflare/deploy-helpers@14343

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@14343

miniflare

npm i https://pkg.pr.new/miniflare@14343

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@14343

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@14343

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@14343

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@14343

@cloudflare/workers-auth

npm i https://pkg.pr.new/@cloudflare/workers-auth@14343

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@14343

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@14343

wrangler

npm i https://pkg.pr.new/wrangler@14343

commit: 33d7240

Comment thread packages/wrangler/src/cloudchamber/build.ts
Comment thread packages/wrangler/src/cloudchamber/build.ts Outdated

@martinezjandrew martinezjandrew left a comment

Contributor

LGTM

@th0m th0m force-pushed the tlefebvre/container-dockerfile-deploy-digest branch from fa5dd7a to e5858a9 Compare June 17, 2026 23:08
@th0m th0m marked this pull request as ready for review June 18, 2026 16:36
@th0m th0m requested a review from workers-devprod as a code owner June 18, 2026 16:36
@workers-devprod workers-devprod requested review from a team and emily-shen and removed request for a team June 18, 2026 16:37
@workers-devprod

workers-devprod commented Jun 18, 2026

Contributor

Codeowners approval required for this PR:

  • @cloudflare/wrangler
  • ✅ @cloudflare/cloudchamber
Show detailed file reviewers
  • .changeset/dockerfile-container-digest.md: [@cloudflare/wrangler]
  • packages/wrangler/e2e/deployments.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/cloudchamber/build.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/tests/containers/deploy.test.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/cloudchamber/build.ts: [@cloudflare/wrangler]
  • packages/wrangler/src/containers/deploy.ts: [@cloudflare/wrangler]

@devin-ai-integration devin-ai-integration Bot left a comment

Contributor

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

@th0m th0m force-pushed the tlefebvre/container-dockerfile-deploy-digest branch from e5858a9 to c933e52 Compare June 22, 2026 18:31
@github-actions

github-actions Bot commented Jun 22, 2026

Contributor

✅ All changesets look good

@th0m th0m force-pushed the tlefebvre/container-dockerfile-deploy-digest branch from c933e52 to 6956e5b Compare June 22, 2026 18:42
@th0m th0m requested a review from a team June 22, 2026 19:04
@th0m

th0m commented Jun 22, 2026

Contributor Author

@cloudflare/wrangler can you please take a look? Thank you

@th0m th0m enabled auto-merge (squash) June 22, 2026 21:05
@edmundhung edmundhung added ci:e2e Run wrangler + vite-plugin E2E tests on a pull request ci:run-remote-tests Run remote/E2E tests that require Cloudflare API credentials labels Jun 23, 2026
@th0m th0m force-pushed the tlefebvre/container-dockerfile-deploy-digest branch from 6956e5b to 85a14fd Compare June 23, 2026 16:53
@workers-devprod

workers-devprod commented Jun 23, 2026

Contributor

Codeowners approval required for this PR:

  • ✅ @cloudflare/cloudchamber
  • ✅ @cloudflare/wrangler

@th0m th0m force-pushed the tlefebvre/container-dockerfile-deploy-digest branch from 251111c to 9729a68 Compare June 23, 2026 21:35
@th0m th0m force-pushed the tlefebvre/container-dockerfile-deploy-digest branch from 9729a68 to 33d7240 Compare June 23, 2026 21:39
@th0m

th0m commented Jun 23, 2026

Contributor Author

Thanks for enabling e2e CI tests @edmundhung CI is green!

@workers-devprod workers-devprod left a comment

Contributor

Codeowners reviews satisfied

@th0m th0m merged commit daa5389 into main Jun 24, 2026
88 of 91 checks passed
@github-project-automation github-project-automation Bot moved this from Untriaged to Approved in workers-sdk Jun 24, 2026
@th0m th0m deleted the tlefebvre/container-dockerfile-deploy-digest branch June 24, 2026 14:10
@github-project-automation github-project-automation Bot moved this from Approved to Done in workers-sdk Jun 24, 2026