Lockfiles
Lockfiles let Dagger remember the exact result of selected lookups, so later runs can either reuse that recorded result or intentionally refresh it.
There are two separate concepts:
- A lock mode answers: "Where should this run read lookup results from?"
- A lock policy answers: "When live resolution is allowed, should this entry stay fixed or be refreshed?"
Lock modes
Lock mode is set for a run, typically with --lock.
dagger --lock=pinned call ...
Available modes:
| Mode | Meaning |
|---|---|
disabled | Ignore the lockfile completely. |
live | Resolve everything live and record the result. |
pinned | Reuse pinned entries, resolve everything else live, and record the result. |
frozen | Resolve only from the lockfile and fail on misses. |
The easiest way to think about lock modes is:
disabled: feature offlive: refresh while runningpinned: prefer stable pins, refresh the restfrozen: require a complete lockfile
Typical uses:
disabled: opt out for this runlive: bootstrap or intentionally refresh while running a workflowpinned: day-to-day development and most CIfrozen: reproducible, hermetic, or offline runs
Lock policies
Lock policy is stored on each lock entry.
Available policies:
| Policy | Meaning |
|---|---|
pin | Prefer the recorded value when the lock mode allows it. |
float | Prefer live resolution when the lock mode allows it. |
The easiest way to think about lock policies is:
pin: stay on this exact resolved resultfloat: keep following the live reference when possible
How mode and policy work together
Mode is chosen by the caller for the current run. Policy is remembered in the lockfile for each entry.
That means:
- mode controls the behavior of this run
- policy controls whether an existing entry should be preferred or refreshed when live resolution is allowed
For example, if a lock entry has policy pin:
disabledignores itliveresolves live and rewrites itpinnedreuses itfrozenreuses it
If a lock entry has policy float:
disabledignores itliveresolves live and rewrites itpinnedresolves live and rewrites itfrozenreuses the recorded value as-is
If an entry is missing:
disabledresolves live and does not writeliveresolves live and writespinnedresolves live and writesfrozenfails
Updating lockfiles
Use dagger lock update when you want to rewrite lock entries on purpose.
dagger lock update
That refreshes entries already recorded in .dagger/lock using the current environment's normal ambient authentication.
To refresh or discover entries encountered by a specific command, run that command with --lock=live:
dagger --lock=live call release
dagger --lock=live query --doc query.graphql
It is your responsibility to run lock updates in an environment that can authenticate to any private registries or repositories those lookups require.
Lock-aware operations
These operations currently record and resolve lock entries:
| Operation | Inputs | Default policy |
|---|---|---|
container.from | [imageRef, platform] | pin |
git.head | [remoteURL] | float |
git.branch | [remoteURL, branchName] | float |
git.tag | [remoteURL, tagName] | pin |
git.ref | [remoteURL, refName] | pin for tags, float otherwise |
git.commit is already pinned by its input and does not create lock entries.