Use of docker image :latest tag can result in failed workflow runs

[bkmartinjr]

Various QC WDL such as QC/tasks/quast.wdl reference their docker image dependency using the :latest tag. This causes an ambiguity on which image is required, as latest is an ambiguous tag (changes over time). This can cause a couple of issues:

• run failures if a user updates their WDL, but does not pull the latest images
• makes it quite difficult to use an old WDL version, as you have no idea which docker image it requires.

Recommend that all images be referenced in WDL by an unambiguous tag or their actual digest. That will create an unambiguous dependency.

CC @0seastar0 @tpesout

[juklucas]

Thanks, Bruce. Agreed, we will start referencing Docker images with @sha256.

[tfmorris]

Thanks, Bruce. Agreed, we will start referencing Docker images with @sha256.

While using the sha256 digest will give you binary reproducibility, I'd argue that human readable versions are better for human understanding of what's going on (ie is sha256a before or after sha256b? Or on an alternate timeline/branch?) Of course, either is much, much better than :latest which is completely unreproducible.