Add OCI header support to Docker #6969

Merged
deivid-rodriguez merged 2 commits into main from docker-support-oci
Mar 31, 2023

@deivid-rodriguez
Contributor

It was added upstream at deitch/docker_registry2#77, released as 1.14.0.

This allows us to update ubuntu images.

Before:

$ time bin/dry-run.rb docker dsp-testing/dependabot-core-4419 --cache files
=> reading dependency files from cache manifest: ./dry-run/dsp-testing/dependabot-core-4419/cache-manifest-docker.json
=> parsing dependency files
=> updating 1 dependencies: ubuntu

=== ubuntu (12.04.5)
 => checking for updates 1/1
 => latest available version is 23.04
 => latest allowed version is 23.04
 => requirements to unlock: own
 => requirements update strategy: 
/home/dependabot/dependabot-core/docker/lib/dependabot/docker/file_updater.rb:66:in `updated_dockerfile_content': Expected content to change! (RuntimeError)
	from /home/dependabot/dependabot-core/docker/lib/dependabot/docker/file_updater.rb:33:in `block in updated_dependency_files'
	from /home/dependabot/dependabot-core/docker/lib/dependabot/docker/file_updater.rb:22:in `each'
	from /home/dependabot/dependabot-core/docker/lib/dependabot/docker/file_updater.rb:22:in `updated_dependency_files'
	from bin/dry-run.rb:747:in `block in <main>'
	from bin/dry-run.rb:655:in `each'
	from bin/dry-run.rb:655:in `<main>'

real	0m16.357s
user	0m1.339s
sys	0m1.089s

After:

$ time bin/dry-run.rb docker dsp-testing/dependabot-core-4419 --cache files
warning: parser/current is loading parser/ruby31, which recognizes 3.1.4-compliant syntax, but you are running 3.1.3.
Please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
=> reading dependency files from cache manifest: ./dry-run/dsp-testing/dependabot-core-4419/cache-manifest-docker.json
=> parsing dependency files
=> updating 1 dependencies: ubuntu

=== ubuntu (12.04.5)
 => checking for updates 1/1
 => latest available version is 22.04
 => latest allowed version is 22.04
 => requirements to unlock: own
 => requirements update strategy: 
 => bump ubuntu from 12.04.5 to 22.04

    ± Dockerfile
    ~~~
    --- /tmp/original20230331-11-ahtknn	2023-03-31 20:09:00.397034010 +0000
    +++ /tmp/updated20230331-11-40ilm2	2023-03-31 20:09:00.397034010 +0000
    @@ -1,4 +1,4 @@
    -FROM ubuntu:12.04.5@sha256:18305429afa14ea462f810146ba44d4363ae76e4c8dfc38288cf73aa07485005
    +FROM ubuntu:22.04@sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21
     
     ### SYSTEM DEPENDENCIES
     
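Review bot: On the `+FROM ubuntu:22.04@sha256:…` line, the bump target is 22.04, but the Before run of the same command reported 23.04 as both the latest available and the latest allowed version. The description does not say why the resolved version differs between the two runs; a sentence explaining it would make the before/after comparison easier to verify.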
    ~~~
    2 insertions (+), 2 deletions (-)
🌍 Total requests made: '0'

real	0m16.662s
user	0m1.571s
sys	0m1.028s

Since I was at it, I also fixed #6386.

@deivid-rodriguez deivid-rodriguez requested a review from a team as a code owner March 31, 2023 20:14
Member

@jeffwidman jeffwidman left a comment

🎉

Member

I just bumped this dep manually in:

Ideally :dependabot: would open PRs notifying us when this dep bumps so that we don't have to manually track when they have releases... I don't remember enough about the bundler ecosystem to remember why that isn't happening here...

Contributor Author

Yeah, I think it's because of our "weird" setup (library in common, application in updater, acting somewhat as a monorepo).

Contributor

@mctofu mctofu Mar 31, 2023

We'd need to run dependabot against the common gemspec? https://github.com/dependabot/dependabot-core/blob/main/common/dependabot-common.gemspec

That wouldn't update the updater's gemfile.lock though.

You could also add it as a direct dep in https://github.com/dependabot/dependabot-core/blob/main/updater/Gemfile.

Contributor Author

I think I changed it from common to updater a while ago when I "unified dependencies", because otherwise we were getting duplicated dependencies for RuboCop and others.

Maybe if we added configuration to also bump indirect dependencies to updater/ maybe that could work? 🤔

Contributor Author

In any case, this release happened 10h ago, so I think we were faster than the bot this time :)

@deivid-rodriguez deivid-rodriguez merged commit d6175de into main Mar 31, 2023
@deivid-rodriguez deivid-rodriguez deleted the docker-support-oci branch March 31, 2023 21:35
@abdulapopoola abdulapopoola added the T: feature-improvement Requests to improve existing features label Apr 11, 2023
@jeffwidman jeffwidman added the L: docker Docker containers label May 23, 2023
Development

Successfully merging this pull request may close these issues.

Monkey patching docker_registry2 not needed anymore