
add docs about using Dependabot as an alternative #71

Open
dersimn opened this issue Oct 21, 2024 · 2 comments

Comments

@dersimn

dersimn commented Oct 21, 2024

The GitHub way of updating Base Images would be to use Dependabot, how do you feel about adding an example to your README?

I'd prepare a PR, but if you don't like the idea of advertising other workflows, then I don't need to make the effort.

@lucacome
Owner

Hi @dersimn

This action checks if the base image has a new version without a new tag.
I use dependabot/renovate too to automatically get updates when a new tag is published, but it's pretty common for images to publish a new version and overwrite the tag or latest, edge, etc.

For example, if my image cool-app:1.2.3 is based on Debian 12, i.e. has FROM debian:12 in the Dockerfile, it will always use the version of Debian 12 that was published at the time of build. But if there's a CVE or package updates, the Debian image will be rebuilt and will overwrite the debian:12 tag.

This action can detect that kind of change. Then you can rebuild cool-app:1.2.3 with the updated version of Debian 12, or send a notification or whatever you want...

Let me know if it makes sense. Maybe we need to add a better explanation of what this action does to the README 😅

@dersimn
Author

dersimn commented Oct 24, 2024

I don't know when they added this feature to Dependabot, but I'm quite sure it wasn't there when I started using your project. Now you can just specify the full SHA in the Dockerfile, like:

```dockerfile
FROM alpine:3.19.4@sha256:ae65dbf8749a7d4527648ccee1fa3deb6bfcae34cbc30fc67aa45c44dcaa90ee
```

...and enable Dependabot (file: `.github/dependabot.yaml`):

```yaml
version: 2

updates:
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: daily
```

Then you will get Pull Requests like this one.
Because of the SHA, you'll also get PRs when the SHA of the parent image differs from the one in your Dockerfile (for whatever reason, but most likely because the parent image was updated and re-tagged). This also works for `latest`, or for `ubuntu:24.04`, which also doesn't change with updates.

Auto-Merge

Doing some magic with GitHub Workflows, you can also add auto-merge for PRs created by Dependabot:

```yaml
name: Dependabot Auto-Merge
run-name: ${{ github.ref_name }} (${{github.ref_type}}, triggered by ${{ github.event_name }})

on:
  pull_request:

permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Enable auto-merge for Dependabot PRs
        run: gh pr merge --auto --merge "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
          # Using GITHUB_TOKEN __won't__ trigger following Workflows
          # see: https://github.com/orgs/community/discussions/55906
          #GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

I tried the whole setup here.


This approach will clutter the git history though, but it could be nicer when updating images with semantic versioning, because then you could just increase the patch version whenever the parent image was updated.
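The two mechanisms discussed in this thread come down to one question: does the digest recorded for a base image still match what its tag points to in the registry? The following is an added example, not code from this action or from either participant. It parses Dockerfile `FROM` lines in the digest-pinned form shown above (including `--platform` flags, registry ports and `AS` stage aliases), then classifies each external base image as `unpinned` (the silently-drifting `debian:12` case from the owner's comment), `stale` (pinned to a digest the tag no longer points at, which is what a Dependabot PR would update) or `current`. The registry lookup is a constructed dict standing in for a real manifest query such as `docker buildx imagetools inspect IMAGE`; the sample Dockerfile and all digests other than the alpine one quoted in the issue are constructed.

```python
"""Base-image drift check for Dockerfiles (added example, not the action's code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class BaseImage:
    name: str                    # e.g. "debian" or "localhost:5000/app"
    tag: Optional[str]           # e.g. "12"; None means the implicit "latest"
    digest: Optional[str]        # "sha256:..." when the reference is pinned
    stage: Optional[str] = None  # build-stage alias from "AS name"

    @property
    def tagged_ref(self) -> str:
        return f"{self.name}:{self.tag or 'latest'}"


def parse_from(line: str) -> Optional[BaseImage]:
    """Parse one Dockerfile FROM instruction; returns None for any other line."""
    tokens = line.split()
    if not tokens or tokens[0].upper() != "FROM":
        return None
    # Drop flags such as --platform=linux/amd64 that precede the reference.
    args = [t for t in tokens[1:] if not t.startswith("--")]
    if not args:
        return None
    ref = args[0]
    stage = args[2] if len(args) >= 3 and args[1].upper() == "AS" else None
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A colon introduces a tag only if no path component follows it;
    # otherwise it is a registry port, as in localhost:5000/app.
    if ":" in ref and "/" not in ref.rsplit(":", 1)[1]:
        ref, tag = ref.rsplit(":", 1)
    return BaseImage(name=ref, tag=tag, digest=digest, stage=stage)


def classify(image: BaseImage, current: Dict[str, str]) -> str:
    """Compare the Dockerfile's reference with what the tag resolves to now.

    unpinned: a rebuild silently takes whatever the tag points at today.
    stale:    pinned to a digest the tag no longer points at (rebuilt and re-tagged).
    current:  pinned digest still matches the tag.
    unknown:  the lookup has no entry for this tag.
    """
    now = current.get(image.tagged_ref)
    if now is None:
        return "unknown"
    if image.digest is None:
        return "unpinned"
    return "current" if image.digest == now else "stale"


def audit_dockerfile(text: str, current: Dict[str, str]) -> Dict[str, str]:
    """Classify every external base image; scratch and earlier stages are skipped."""
    stages = set()
    results: Dict[str, str] = {}
    for line in text.splitlines():
        img = parse_from(line)
        if img is None:
            continue
        if img.stage:
            stages.add(img.stage)
        if img.name == "scratch" or img.name in stages:
            continue  # no registry digest exists for these references
        results[img.tagged_ref] = classify(img, current)
    return results


# Constructed sample Dockerfile; the alpine digest is the one quoted in the issue.
SAMPLE_DOCKERFILE = """\
FROM --platform=linux/amd64 golang:1.22 AS builder
COPY . /src
RUN cd /src && go build -o /app ./...

FROM alpine:3.19.4@sha256:ae65dbf8749a7d4527648ccee1fa3deb6bfcae34cbc30fc67aa45c44dcaa90ee AS runtime
COPY --from=builder /app /app

FROM debian:12
COPY --from=runtime /app /usr/local/bin/app
"""

# Constructed lookup results standing in for a registry query. The alpine tag
# has been re-pointed to a new digest, simulating a rebuild after a CVE fix.
SAMPLE_CURRENT = {
    "golang:1.22": "sha256:" + "11" * 32,
    "alpine:3.19.4": "sha256:" + "22" * 32,
    "debian:12": "sha256:" + "33" * 32,
}

if __name__ == "__main__":
    for ref, status in audit_dockerfile(SAMPLE_DOCKERFILE, SAMPLE_CURRENT).items():
        note = f"  -> pin as {ref}@{SAMPLE_CURRENT[ref]}" if status != "current" else ""
        print(f"{ref}: {status}{note}")
```

Run against the sample, `golang:1.22` and `debian:12` come out `unpinned` and `alpine:3.19.4` comes out `stale`; the suggested pinned reference is exactly the line Dependabot would propose in its PR, and a `stale` or `unpinned` result is the condition under which the action described in this issue would trigger a rebuild.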
