{"id":15163155,"url":"https://github.com/jille/dockpin","last_synced_at":"2025-10-25T00:31:56.657Z","repository":{"id":43177938,"uuid":"446565391","full_name":"Jille/dockpin","owner":"Jille","description":"A tool for pinning Docker image and apt package versions","archived":false,"fork":false,"pushed_at":"2024-01-15T06:47:26.000Z","size":310,"stargazers_count":33,"open_issues_count":17,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-02-04T08:04:16.243Z","etag":null,"topics":["apt-get","debian","docker","repeatable-builds","ubuntu"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Jille.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-01-10T20:04:15.000Z","updated_at":"2024-08-29T08:59:38.000Z","dependencies_parsed_at":"2024-06-19T05:16:15.721Z","dependency_job_id":"0462b774-75c7-4777-9fa7-ca16720550a5","html_url":"https://github.com/Jille/dockpin","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jille%2Fdockpin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jille%2Fdockpin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jille%2Fdockpin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Jille%2Fdockpin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Jille","download_url":"https://codeload.github.com/Jille/dockpin/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238053514,"owners_count":19408699,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apt-get","debian","docker","repeatable-builds","ubuntu"],"created_at":"2024-09-27T02:04:24.106Z","updated_at":"2025-10-25T00:31:56.318Z","avatar_url":"https://github.com/Jille.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Dockpin\n\n\u003cimg align=\"right\" src=\"logo.png\" /\u003e\n\nInstall dockpin with: `go install github.com/Jille/dockpin@latest`\n\nDockpin helps you achieve repeatable builds. It pins base images in your Dockerfile, and packages you install with apt-get.\n\n`dockpin docker pin -f Dockerfile` rewrites your Dockerfile to use the latest digest for each image. Docker will then use exactly that image until you upgrade it.\n\nDockpin can also pin apt packages, though it's slightly more complex:\n\n```shell\n$ (echo postgresql-12; echo curl) \u003e dockpin-apt.pkgs\n$ dockpin apt pin\n```\n\nthen you can change your `apt-get update \u0026\u0026 apt-get install -y postgresql-12 curl \u0026\u0026 apt-get clean \u0026\u0026 rm -rf /var/lib/apt/lists/*` in your Dockerfile to:\n\n```\nFROM ghcr.io/jille/dockpin AS dockpin\nFROM ubuntu:focal\nCOPY --from=dockpin /bin/dockpin /usr/local/sbin/dockpin\nCOPY dockpin-apt.lock /tmp\nRUN /usr/local/sbin/dockpin apt install -p /tmp/dockpin-apt.lock\n[...]\n```\n\n## Why repeatable builds?\n\nIf you do a small cherrypick, to fix a bug, and you're going to roll that out to prod with an accelerated push, you don't want to accidentally also pick up a new Python version.\n\nIncreasingly more people do pin versions, but never upgrade and stay on that version forever. That makes security folks shudder.\n\nDockpin aims to make it easy to move to new versions *when you want*.\n\n## Docker pinning\n\nThis is pretty easy. You can either make dockpin rewrite your Dockerfile in place:\n\n```shell\n$ dockpin docker pin [-f your.Dockerfile]\n```\n\nor control output yourself:\n\n```shell\n$ dockpin docker pin -f - \u003c Dockerfile.template \u003e Dockerfile\n```\n\n## Apt pinning\n\nYou should create a file called dockpin-apt.pkgs which contains one Debian/Ubuntu package per line. After that you can run `dockpin apt pin` which generates dockpin-apt.lock, which contains the URLs and size/hash of each .deb file to use.\n\nWhen you run `dockpin apt install` in your Dockerfile, it will read (only) dockpin-apt.lock and install all the listed packages at the pinned versions.\n\nThe easiest way to get the `dockpin` binary in your Docker build is by grabbing it from the ghcr.io/jille/dockpin image (as shown in the example at the top of this README).\n\nNote that the Debian/Ubuntu archives will eventually delete the old package you pinned from their mirrors. At that point you'll get an error when you try to build (rather than a silent upgrade). You can reproduce your build by somehow finding the old .deb file and changing the lock file to point at whichever URL you put it at. You can also COPY it into /var/cache/apt/archives/ and `dockpin apt install` will use that without downloading.\n\nWe rely on apt(8) to figure out which dependencies you already have / need to install. However, that does mean that we need to do the pinning on the same base image as you'll run `dockpin apt install`. We try to guess this automatically by parsing your Dockerfile, but that might fail and you'll need to pass `--base-image=ubuntu:focal` (or whatever image you use).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjille%2Fdockpin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjille%2Fdockpin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjille%2Fdockpin/lists"}