fix: --update allow updating existing pinned digests (#22)

azu · claude · web-flow · commit f8a9df2947cc · 2026-04-01T22:55:15.000+09:00
## Summary Allow `--update` to re-resolve and replace digests on images that are already pinned. Previously, images with an existing `@sha256:` digest were skipped during apply, making `--update` ineffective for already-pinned images. ## Changes - Remove the `inst.Digest != ""` early-return guard in `applyDockerfile` and `applyCompose` (`cmd/pin.go`) so that existing digests are overwritten with the newly resolved value - Add `TestApplyDockerfile_UpdateExistingDigest` test to verify digest replacement - Update README to document the `--update` flag usage ## Breaking Changes None ## Test Plan - `go test ./...` passes - `TestApplyDockerfile_UpdateExistingDigest` confirms that `FROM node:20.11.1@sha256:olddigest` is rewritten to the new digest  --- <a href="https://app.devin.ai/review/azu/dockerfile-pin/pull/22" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a>  --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/README.md b/README.md
@@ -230,7 +230,14 @@ For private registries (GCR, GHCR, ECR), configure Docker credentials before run
 
 ## Digest Updates
 
-This tool handles initial pinning and validation. For ongoing digest updates, use [Renovate](https://docs.renovatebot.com/docker/) which understands the `image:tag@sha256:digest` format.
+`--update` re-resolves each tag against the registry and replaces the existing digest with the current digest of that tag. The tag itself is not changed.
+
+```bash
+# Re-resolve all pinned digests from the registry
+dockerfile-pin run --write --update
+```
+
+For automated ongoing digest updates, use [Renovate](https://docs.renovatebot.com/docker/) which understands the `image:tag@sha256:digest` format.
 
 ## License
 
diff --git a/cmd/pin.go b/cmd/pin.go
@@ -92,9 +92,9 @@ func runRun(cmd *cobra.Command, args []string) error {
 	for _, pf := range parsed {
 		switch pf.fileType {
 		case FileTypeCompose:
-			applyCompose(pf, digestMap, dryRun)
+			applyCompose(pf, digestMap, dryRun, runUpdate)
 		default:
-			applyDockerfile(pf, digestMap, dryRun)
+			applyDockerfile(pf, digestMap, dryRun, runUpdate)
 		}
 	}
 	return nil
@@ -170,10 +170,10 @@ func resolveParallel(ctx context.Context, res resolver.DigestResolver, refs []st
 	return results
 }
 
-func applyDockerfile(pf parsedFile, digestMap map[string]string, dryRun bool) {
+func applyDockerfile(pf parsedFile, digestMap map[string]string, dryRun bool, update bool) {
 	digests := make(map[int]string)
 	for i, inst := range pf.dockerInsts {
-		if inst.Skip || inst.Digest != "" {
+		if inst.Skip || (inst.Digest != "" && !update) {
 			continue
 		}
 		if d, ok := digestMap[inst.ImageRef]; ok {
@@ -196,10 +196,10 @@ func applyDockerfile(pf parsedFile, digestMap map[string]string, dryRun bool) {
 	fmt.Printf("pinned %d image(s) in %s\n", len(digests), pf.path)
 }
 
-func applyCompose(pf parsedFile, digestMap map[string]string, dryRun bool) {
+func applyCompose(pf parsedFile, digestMap map[string]string, dryRun bool, update bool) {
 	digests := make(map[int]string)
 	for i, ref := range pf.composeRefs {
-		if ref.Skip || ref.Digest != "" {
+		if ref.Skip || (ref.Digest != "" && !update) {
 			continue
 		}
 		if d, ok := digestMap[ref.ImageRef]; ok {
diff --git a/cmd/pin_test.go b/cmd/pin_test.go
@@ -0,0 +1,92 @@
+package cmd
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/azu/dockerfile-pin/internal/dockerfile"
+)
+
+func TestApplyDockerfile_UpdateExistingDigest(t *testing.T) {
+	content := "FROM node:20.11.1@sha256:olddigest111\nFROM python:3.12-slim@sha256:olddigest222\n"
+	dir := t.TempDir()
+	path := filepath.Join(dir, "Dockerfile")
+	if err := os.WriteFile(path, []byte(content), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	instructions, err := dockerfile.Parse(strings.NewReader(content))
+	if err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+
+	pf := parsedFile{
+		path:        path,
+		fileType:    FileTypeDockerfile,
+		dockerInsts: instructions,
+		content:     []byte(content),
+	}
+
+	digestMap := map[string]string{
+		"node:20.11.1":     "sha256:newdigest111",
+		"python:3.12-slim": "sha256:newdigest222",
+	}
+
+	applyDockerfile(pf, digestMap, false, true)
+
+	result, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !strings.Contains(string(result), "FROM node:20.11.1@sha256:newdigest111") {
+		t.Errorf("expected node digest to be updated, got: %s", string(result))
+	}
+	if !strings.Contains(string(result), "FROM python:3.12-slim@sha256:newdigest222") {
+		t.Errorf("expected python digest to be updated, got: %s", string(result))
+	}
+}
+
+func TestApplyDockerfile_SkipExistingDigestWithoutUpdate(t *testing.T) {
+	content := "FROM node:20.11.1@sha256:olddigest111\nFROM golang:1.22\n"
+	dir := t.TempDir()
+	path := filepath.Join(dir, "Dockerfile")
+	if err := os.WriteFile(path, []byte(content), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	instructions, err := dockerfile.Parse(strings.NewReader(content))
+	if err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+
+	pf := parsedFile{
+		path:        path,
+		fileType:    FileTypeDockerfile,
+		dockerInsts: instructions,
+		content:     []byte(content),
+	}
+
+	digestMap := map[string]string{
+		"node:20.11.1": "sha256:newdigest111",
+		"golang:1.22":  "sha256:ccc333",
+	}
+
+	applyDockerfile(pf, digestMap, false, false)
+
+	result, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Without --update, existing digest should NOT be changed
+	if !strings.Contains(string(result), "FROM node:20.11.1@sha256:olddigest111") {
+		t.Errorf("expected node digest to be preserved, got: %s", string(result))
+	}
+	// Unpinned image should still be pinned
+	if !strings.Contains(string(result), "FROM golang:1.22@sha256:ccc333") {
+		t.Errorf("expected golang to be pinned, got: %s", string(result))
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -92,9 +92,9 @@ func runRun(cmd *cobra.Command, args []string) error {`
`92`	`92`	`for _, pf := range parsed {`
`93`	`93`	`switch pf.fileType {`
`94`	`94`	`case FileTypeCompose:`
`95`		`- applyCompose(pf, digestMap, dryRun)`
	`95`	`+ applyCompose(pf, digestMap, dryRun, runUpdate)`
`96`	`96`	`default:`
`97`		`- applyDockerfile(pf, digestMap, dryRun)`
	`97`	`+ applyDockerfile(pf, digestMap, dryRun, runUpdate)`
`98`	`98`	`}`
`99`	`99`	`}`
`100`	`100`	`return nil`
`@@ -170,10 +170,10 @@ func resolveParallel(ctx context.Context, res resolver.DigestResolver, refs []st`
`170`	`170`	`return results`
`171`	`171`	`}`
`172`	`172`
`173`		`-func applyDockerfile(pf parsedFile, digestMap map[string]string, dryRun bool) {`
	`173`	`+func applyDockerfile(pf parsedFile, digestMap map[string]string, dryRun bool, update bool) {`
`174`	`174`	`digests := make(map[int]string)`
`175`	`175`	`for i, inst := range pf.dockerInsts {`
`176`		`- if inst.Skip \|\| inst.Digest != "" {`
	`176`	`+ if inst.Skip \|\| (inst.Digest != "" && !update) {`
`177`	`177`	`continue`
`178`	`178`	`}`
`179`	`179`	`if d, ok := digestMap[inst.ImageRef]; ok {`
`@@ -196,10 +196,10 @@ func applyDockerfile(pf parsedFile, digestMap map[string]string, dryRun bool) {`
`196`	`196`	`fmt.Printf("pinned %d image(s) in %s\n", len(digests), pf.path)`
`197`	`197`	`}`
`198`	`198`
`199`		`-func applyCompose(pf parsedFile, digestMap map[string]string, dryRun bool) {`
	`199`	`+func applyCompose(pf parsedFile, digestMap map[string]string, dryRun bool, update bool) {`
`200`	`200`	`digests := make(map[int]string)`
`201`	`201`	`for i, ref := range pf.composeRefs {`
`202`		`- if ref.Skip \|\| ref.Digest != "" {`
	`202`	`+ if ref.Skip \|\| (ref.Digest != "" && !update) {`
`203`	`203`	`continue`
`204`	`204`	`}`
`205`	`205`	`if d, ok := digestMap[ref.ImageRef]; ok {`