Background

We build a bunch of stuff for RISC-V using the Dart official Docker image, but the RISC-V images can often arrive some time (days) after the more mainstream images[1]. That means that if we merge a Dependabot PR for an updated image it might well be missing RISC-V, causing the Continuous Delivery (CD) pipeline to break when trying to do a release :(

More testing

The answer is to have an additional test e.g. check_riscv_image.yml. This is triggered by any PR that’s changing a Dockerfile that might go awry because of an incomplete manifest. It then uses docker buildx to inspect the manifest, along with some jq to pick the bits we need out of the json. If we find a riscv64 image in there then all is good; otherwise the test fails and we know not to merge the offending PR (and wait a while longer for a more complete manifest to show up).

Note

[1] This isn’t just a problem for Dart, it happens for all of the official images that include RISC-V (and other less popular architectures). The underlying problem is the Docker folk just don’t have sufficient build infrastructure, and it’s particularly acute when lots of images are being (re)built at once (e.g. because of a new Debian stable release).