There should be a way of generating a new tag based on whether some command results in non-deterministic layer changes.
A typical use-case would be to have `RUN yum update-minimal --security --yes`. It's not possible to do this with pinned dependencies, especially in the context of multiple distributions; not all package managers allow invocations where exact package versions are specified, and that wouldn't even work for the purpose of obtaining security updates.
It's possible that a dedicated assertion target could be used for this, similar to the `test` target, but one that precludes the main build stages...
It should be fairly doable to inspect the outcome based on layers, and perhaps append a digest to the tag.
It's important to understand that one of the biggest issues is: how does one decide when to run the build? Perhaps a nightly CI job would do, but with that, how does one tell that the image contents in a particular run differ with regard to the actual software installed? A digest change may reflect some side effects; it won't necessarily tell that software has been updated.
So the solution that is being proposed here is to have a stage that would be run in a way similar to tests, e.g.:
```dockerfile
FROM centos:8 as upgrade
RUN yum update-minimal --security --yes
```
So imagine will need to be given a special target, upgrade in this case, and will run that separately. It will need to check the outcome and compare it to the base image somehow. It may be possible to compare layers, or perhaps the user may need to provide some kind of script that e.g. fails with a specific exit code if the upgrade was a no-op. If the upgrade is going ahead, there will need to be a way to encode the outcome in the tag in order to align with imagine's general model.
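One way to implement the user-provided check described above, as an added example that is not part of imagine or of the original comment: it compares the installed-package list before and after the upgrade stage instead of layer digests, returns a dedicated exit code for a no-op, and derives a tag suffix from the new package set. The function names, the exit code 3, the `-pkgs.` suffix format and the sample package lists are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical and not part of imagine.
# Package lists hold one NAME-VERSION-RELEASE.ARCH per line, e.g. captured with
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# in the base image and again at the end of the upgrade stage.

NOOP_EXIT=3  # assumed convention: exit code meaning "upgrade was a no-op"

# Order-independent short digest of a package list file.
pkg_digest() {
    [ -r "$1" ] || return 1
    LC_ALL=C sort -u "$1" | sha256sum | cut -c1-12
}

# Entries present after the upgrade that were not in the base list (for CI logs).
changed_packages() {
    grep -Fxv -f "$1" "$2" | LC_ALL=C sort
}

# upgrade_tag BASE_TAG BEFORE_LIST AFTER_LIST
# Prints BASE_TAG and returns NOOP_EXIT when the package set is unchanged;
# prints BASE_TAG-pkgs.<digest> and returns 0 when software actually changed.
upgrade_tag() {
    before=$(pkg_digest "$2") || return 1
    after=$(pkg_digest "$3") || return 1
    if [ "$before" = "$after" ]; then
        printf '%s\n' "$1"
        return "$NOOP_EXIT"
    fi
    printf '%s-pkgs.%s\n' "$1" "$after"
}

# Constructed sample data: one upgraded package, and a reordered copy of the base.
demo_dir=$(mktemp -d)
printf '%s\n' 'bash-4.4.19-12.el8.x86_64' 'openssl-libs-1.1.1c-15.el8.x86_64' > "$demo_dir/before"
printf '%s\n' 'openssl-libs-1.1.1g-11.el8.x86_64' 'bash-4.4.19-12.el8.x86_64' > "$demo_dir/after"
printf '%s\n' 'openssl-libs-1.1.1c-15.el8.x86_64' 'bash-4.4.19-12.el8.x86_64' > "$demo_dir/reordered"

upgrade_tag v1.2.0 "$demo_dir/before" "$demo_dir/after"      # new tag with digest suffix
changed_packages "$demo_dir/before" "$demo_dir/after"         # lists the openssl-libs update
upgrade_tag v1.2.0 "$demo_dir/before" "$demo_dir/reordered" || echo "no-op (exit $?)"
rm -rf "$demo_dir"
```

Because the digest is computed over the sorted package set, layer side effects such as changed cache files or timestamps do not produce a new tag.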