While fixing the broken Updateexterner Link to GitLab 17.3.0 I noticed that the Runner’s version was lagging behind:

services:
  gitlab:
    image: 'gitlab/gitlab-ce:17.3.1-ce.0@sha256:6f2ab9c42cef6b8058ef45042ce33a4505a0a9ac1a8d9ed85016ceca743dd01d'
    ...
  runner:
    image: 'gitlab/gitlab-runner:alpine-v17.0.0@sha256:1979e0d80f503489de2893877fff6d242931f1fffc779964a9c300e2ca2d497c'
    ...

This surprised me because I had configured renovateexterner Link for this repository and there were no open updates from renovate. Let’s have a look why renovate doesn’t update this specific image and how to resolve it. Lets investigate why renovate doesn’t update this image.

GitLab Runner is released in sync with a GitLab versions. This reflects in the available images. 8 different tags are available (though 6 only are actually different):

  • v17.3.0, ubuntu-v17.3.0: These are the same image and based on Ubuntu.
  • alpine-v17.3.0, alpine3.19-v17.3.0, alpine3.18-v17.3.0, alpine3.17-v17.3.0, alpine3.16-v17.3.0: These images are based on different versions of alpine. They are only 20% the size (100MB vs. 500MB) of the Ubuntu-based images.
  • ubi-fips-v17.3.0: This image complies with FIPS 140-21.

Many docker images use a format similar to v?(?<major>\d+)(\.(?<minor>\d+)(\.(?<patch>\d+))?)?(-(?<platform>.+))?. In short: they start with the version and then have some compatibility indicator. This compatibility indicator could be used to indicate what base was used to build the version (e.g. ubuntu, alpine or bookworm for Debian bookworm). When updating one usually wants to update the version but keep the compatibility indiciator the same. The problem with these version names is that they differ from the format the many docker image use by having the compatibility indicator at the beginning.

We can fix this why telling renovate how it should parse the version for this image. This can be done with a packageRules entry:

{
  // Rest of your renovate config.
  "packageRules": [
    {
      "matchDatasources": ["docker"],
      "matchPackageNames": ["gitlab/gitlab-runner", "docker.io/gitlab/gitlab-runner"],
      "versioning": "regex:^(?<compatibility>.+)-v(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$"
    }
  ]
}

Now renovate is able to update the runner again:

Screenshot of renovates MR to update the GitLab Runner image.

  1. FIPS 140-2externer Link is a security standard governing cryptographic modules. The standard is relevant for the public sector in the US. ↩︎