Why does AWS CDK use a fingerprint instead of a Docker digest for its image tags?

[skairunner]

When you create an image asset using DockerImageAsset, the image is tagged according to a fingerprint of the build context, as attested to here: #17355 .

Docker images already have a sort of "identity" in the form of the manifest digest. Long story short, the digest depends on the byte content of the docker image plus its configuration options, and two images with the same digest should be the same.

Since CDK generates its own fingerprint to use as the tag, it's possible for images with different tags to have the same digest but trigger spurious redeployment of ECS tasks or Lambdas. Why doesn't CDK use the digest directly?

[dil-mezzy]

Possible Solutions:

Hybrid Approach: CDK could potentially use a combination of digest and a custom fingerprint for specific scenarios.
Configuration Option: An option could be provided to allow users to choose between using the digest or a CDK-generated fingerprint.

Overall, CDK's current approach offers some benefits but can lead to the mentioned redeployment issue. The best approach depends on your specific needs and priorities.