Support human readable tags on docker-compose ecosystem

[gegoune]

Is there an existing issue for this?

• I have searched the existing issues

Feature description

Following up from #390 (comment).

It is a common practice to complement digest versioned docker images in compose files with human readable tags by inline comment, such as:

image: postgres@sha256:a35ec42526e3c522eb13b4d82eddaee875d0ac6ca9eb5cc5607e412854478c71 # 16.7

Reasons behind such practice are:

• using digests instead of tags due to tag's mutability
• digests aren't descriptive enough for humans, they don't convey actual tag along

Currently Dependabot offers updates for above declaration with PR:

Title: build(deps): bump postgres from a35ec42 to 0321e22

This does not convey any meaning. It's impossible to tell which tag is being proposed. As far as I know registries don't support searching by digest, but even if they did, it would require extra step from users to find out what's going on.

And proposing following changes:

-image: postgres@sha256:a35ec42526e3c522eb13b4d82eddaee875d0ac6ca9eb5cc5607e412854478c71 # 16.7
+image: postgres@sha256:0321e2252ebfeecb8bc1a899755084d29bce872953e1a5a3e25ec0860b739098 # 16.7

Please note that comment is not updated. That leads to outdated information resulting in false assumptions by future readers.

---

This feature request therefore is about two things:

1. using human readable tags in PR's subject even when digest are used to pin images

Title: `build(deps): bump postgres from 16.7 to 16.8`

2. updating human readable tag in inline comment alongside corresponding digest

-image: postgres@sha256:a35ec42526e3c522eb13b4d82eddaee875d0ac6ca9eb5cc5607e412854478c71 # 16.7
+image: postgres@sha256:0321e2252ebfeecb8bc1a899755084d29bce872953e1a5a3e25ec0860b739098 # 16.8

(or whatever tag that digest points to).

[abdulapopoola]

Thanks @gegoune , I suspect this will also apply to docker as well.