Dependabot auto-merge and test build CI

[fredclausen]

Two questions:

• Should we enable auto-merging of a dependabot PR if it passes the CI?
• Do we know, during a PR run, that any newly built images are used by images further down the tree? We aren't pushing the image out as a package. What I mean, as an example to be more explicit, is that if :base is updated do all of the images that depend on it also use that newly build :base image or does each child image pull from the most recent (and now old) tagged package?

The second point is important because if it ISN'T using the test images we definitely shouldn't auto-merge because the child builds aren't using the new images and may have problems.

[kx1t]

My vote:

• aye
• It is my understanding that each image uses this hard coded layers, which means that if the base image gets updated, any subsequent images will only get updated up on the next rebuild. So if you only update the base image, and don’t trigger a rebuild of any of the downstream images, those will continue to use the original layer.
  Maybe something that can be monitored or resolved with a GitHub Action?

[fredclausen]

Yeah. I just dived in to the logs of the PR run that went off and it is definitely not using parent images made during that particular run. I don't want to fix it in the current PR but I have a solution that will fix it.