codeql-container MCR / Tag Listing

[travisgosselin]

This codeql-container is a fantastic tool for making the execution of codeql and necessary dependencies simple. However I'd like to pin to a particular version to prevent breaking changes (i.e. such as the introduction of a non-root user). I'm struggling to find the associated tagging strategy... I see some images with dates and iterations: 2022-05-29_07.15

I'm not particular about what the strategy should be, just that I can easily reference and identify tags for specific images when needed. That is difficult today unless you pull down all images (which is a lot and are massive). Tags are not available for reference on Dockerhub... and I was hoping I'd find this in the MCR catalog - but don't see it there either.

Is it possible to get this exposed on MCR to be able to view tags?
https://mcr.microsoft.com/en-us/catalog

Can the tags be associated to releases when publishing a new version to be visible on GitHub (if not available to publish in MCR catalog)?

[joshuaostrom-cb]

+1 Experienced breaking changes from the recent update (last 2 weeks) and would appreciate tagged versions of the container to ensure stability downstream.

[travisgosselin]

Agreed, I also experienced two major breaking changes in the last upgrade:

• Ubuntu upgrade broke .NET installation
• Script permissions were off, failing general usage

That being said, the nature of these "weekly" update cadences for latest queries and CLI does mean we need a regular image tag that is updated that we can pull without updating the image tag all the time. To that end, perhaps some type of semantic versioning can be done with major versions. Weekly updates just push out new patches to that version. We can pin to the major version only (and collect patches automatically as they come out). This would enable a process for breaking changes as well by bumping the major version tag your pinned too.