pulumi/pulumi:vX.Y.Z does not share layers beyond the base image with prior images

[pgavlin]

Even when commands run by the Dockerfile are identical up to the installation of pulumi, the latest image does not share any layers with prior images. This may be by-design--it ensures that each new version is actually running yum update, amongst other things--but it means that even if pulumi/pulumi:v1.2.3 is present locally, docker pull pulumi/pulumi:v1.2.4 will always pull all layers besides the base (python:3.9-slim). This means that pulling a new version of pulumi/pulumi ends up downloading something like 750MB of data.

It might be nice to e.g. factor out the installation of the dependencies into its own image that can serve as the base image for pulumi/pulumi. That base image could then be updated at its own cadence, and new versions of pulumi/pulumi would be able to share all layers up to the installation of Pulumi itself.

[RobbieMcKinstry]

Updating dependencies on a more regular cadence would be useful. In the past Snyk has indicated there are vulns in our base images that have been patched, but since we don't update our images except when we release a new CLI release, we won't get those patches until the next release.

The problem then is that image tags are no longer immutable, which I'd consider extremely undesirable.