A newly pulled updater image is removed at the end of the same dependabot job #10493

Open
1 task done
Torbjorn-Svensson opened this issue Aug 23, 2024 · 0 comments
Labels
L: dart:pub Dart packages via pub L: docker Docker containers L: dotnet:nuget NuGet packages via nuget or dotnet L: elm Elm packages L: github:actions GitHub Actions L: go:modules Golang modules L: java:gradle Maven packages via Gradle L: java:maven Maven packages via Maven L: javascript L: php:composer Issues and code for Composer L: python L: ruby:bundler RubyGems via bundler L: rust:cargo Rust crates via cargo L: swift Swift packages L: terraform Terraform packages T: bug 🐞 Something isn't working

Comments

@Torbjorn-Svensson

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

npm

Package manager version

No response

Language version

No response

Manifest location and content before the Dependabot update

No response

dependabot.yml content

No response

Updated dependency

No response

What you expected to see, versus what you actually saw

When running dependabot on self-hosted runners, I can see that the docker images are pulled from the registry, in the Run Dependabot step with output like this:

Pulling updater images
  Pulling image ghcr.io/dependabot/dependabot-updater-npm:1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72...
  Pulled image ghcr.io/dependabot/dependabot-updater-npm:1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72
  Pulling image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20240822164746@sha256:158d34720d277bbe051c60705a72a43a72e0e8db961c094fc246ab4c86f8871a...
  Pulled image ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy:v2.0.20240822164746@sha256:158d34720d277bbe051c60705a72a43a72e0e8db961c094fc246ab4c86f8871a

Then in the Post Run Dependabot step, I see this:

Post job cleanup.
Pruning networks older than 24h
Pruning containers older than 24h
Cleaning up images for ghcr.io/dependabot/dependabot-updater-bundler
Cleaning up images for ghcr.io/dependabot/dependabot-updater-cargo
Cleaning up images for ghcr.io/dependabot/dependabot-updater-composer
Cleaning up images for ghcr.io/dependabot/dependabot-updater-pub
Cleaning up images for ghcr.io/dependabot/dependabot-updater-docker
Cleaning up images for ghcr.io/dependabot/dependabot-updater-elm
Cleaning up images for ghcr.io/dependabot/dependabot-updater-github-actions
Cleaning up images for ghcr.io/dependabot/dependabot-updater-gitsubmodule
Cleaning up images for ghcr.io/dependabot/dependabot-updater-gomod
Cleaning up images for ghcr.io/dependabot/dependabot-updater-gradle
Cleaning up images for ghcr.io/dependabot/dependabot-updater-maven
Cleaning up images for ghcr.io/dependabot/dependabot-updater-mix
Cleaning up images for ghcr.io/dependabot/dependabot-updater-nuget
Cleaning up images for ghcr.io/dependabot/dependabot-updater-npm
Cleaning up images for ghcr.io/dependabot/dependabot-updater-pip
Cleaning up images for ghcr.io/dependabot/dependabot-updater-swift
Cleaning up images for ghcr.io/dependabot/dependabot-updater-terraform
Cleaning up images for ghcr.io/github/dependabot-update-job-proxy/dependabot-update-job-proxy
Removing image sha256:32cacb8bcc0e33da6a11d16816106e321062cd48111635468f66de5ee8bb1600
Skipping current image sha256:36595cd5ab82a2b837ef2e2785017e57c7779c2879bb45f4cc26a52aefd7a238

After the images had been pulled, but before the cleanup started, I saw this line when running docker images in a terminal:
ghcr.io/dependabot/dependabot-updater-npm 1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72 32cacb8bcc0e 3 hours ago 988MB

So, it can be seen that the ghcr.io/dependabot/dependabot-updater-npm image that got pulled is the same one that got removed.
While this technically works, it's a big waste of bandwidth if there are several dependabot jobs to be executed on the same runner, as is the case for my use case.

From what I can tell, this happens when the updater entry in https://github.com/github/dependabot-action/blob/main/docker/containers.json is not aligned with the main branch of https://github.com/dependabot/dependabot-core, i.e. GitHub instructs the dependabot-action to use a newer image revision than what is recorded in the containers.json file.

The expected behavior would be that the up-to-date updater image should be kept even if it's not the one recorded in the containers.json file.

Native package manager behavior

No response

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response

@Torbjorn-Svensson Torbjorn-Svensson added the T: bug 🐞 Something isn't working label Aug 23, 2024
@github-actions github-actions bot added L: dart:pub Dart packages via pub L: docker Docker containers L: dotnet:nuget NuGet packages via nuget or dotnet L: elm Elm packages L: github:actions GitHub Actions L: go:modules Golang modules L: java:gradle Maven packages via Gradle L: java:maven Maven packages via Maven L: javascript L: php:composer Issues and code for Composer L: python L: ruby:bundler RubyGems via bundler L: rust:cargo Rust crates via cargo L: swift Swift packages L: terraform Terraform packages labels Aug 23, 2024
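
The cleanup decision described in the issue, modelled as an added example that is not part of the original report and is not dependabot-action's own code. The function, the data model and the `constructed-*` values are assumptions; only the npm repository name, tag and image ID come from the log output above.

```typescript
// Added illustration: hypothetical names and data model, not dependabot-action's code.
interface LocalImage { id: string; repository: string; tag: string }
interface CleanupPlan { keep: string[]; remove: string[] }

const NPM = "ghcr.io/dependabot/dependabot-updater-npm";

// Constructed inventory. The first entry uses the tag and image ID quoted in the
// issue; the remaining entries are made up for the example.
const localImages: LocalImage[] = [
  { id: "sha256:32cacb8bcc0e33da6a11d16816106e321062cd48111635468f66de5ee8bb1600",
    repository: NPM, tag: "1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72" },
  { id: "sha256:constructed-pinned", repository: NPM, tag: "constructed-pinned-tag" },
  { id: "sha256:constructed-stale", repository: NPM, tag: "constructed-stale-tag" },
  { id: "sha256:constructed-other", repository: "registry.example/unrelated", tag: "latest" },
];

// Assumption: repository -> image ID that the recorded (pinned) reference resolves to.
const pinnedIds = new Map<string, string>([[NPM, "sha256:constructed-pinned"]]);

// References the current job pulled, as listed under "Pulling updater images".
const pulledByJob = new Set<string>([`${NPM}:1df0623ee586f8c6ba7ca2d5b3fb39616d89ba72`]);

// With an empty `inUse` set this reproduces the reported behaviour: only the pinned
// image survives. Passing the job's references gives the behaviour the reporter expects.
function planCleanup(
  images: LocalImage[],
  pinned: Map<string, string>,
  inUse: Set<string> = new Set<string>(),
): CleanupPlan {
  const result: CleanupPlan = { keep: [], remove: [] };
  for (const img of images) {
    if (!pinned.has(img.repository)) continue; // only touch managed repositories
    const isPinned = pinned.get(img.repository) === img.id;
    const isInUse = inUse.has(`${img.repository}:${img.tag}`);
    if (isPinned || isInUse) result.keep.push(img.id);
    else result.remove.push(img.id);
  }
  return result;
}

const reported = planCleanup(localImages, pinnedIds);
const expected = planCleanup(localImages, pinnedIds, pulledByJob);
console.log("removed (pinned only):", reported.remove);
console.log("removed (pinned or in use):", expected.remove);
```
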