---
- set_fact:
    pull_by_digest: >-
      {%- if download.sha256 is defined and download.sha256 != '' -%}true{%- else -%}false{%- endif -%}

- set_fact:
    pull_args: >-
      {%- if pull_by_digest %}{{download.repo}}@sha256:{{download.sha256}}{%- else -%}{{download.repo}}:{{download.tag}}{%- endif -%}

- name: Register docker images info
  shell: >-
    {{ docker_bin_dir }}/docker images -q | xargs {{ docker_bin_dir }}/docker inspect -f "{{ '{{' }} if .RepoTags {{ '}}' }}{{ '{{' }} (index .RepoTags 0) {{ '}}' }}{{ '{{' }} end {{ '}}' }}{{ '{{' }} if .RepoDigests {{ '}}' }},{{ '{{' }} (index .RepoDigests 0) {{ '}}' }}{{ '{{' }} end {{ '}}' }}" | tr '\n' ','
  no_log: true
  register: docker_images
  failed_when: false
  changed_when: false
  check_mode: no
  when: not download_always_pull

- set_fact:
    pull_required: >-
      {%- if pull_args in docker_images.stdout.split(',') %}false{%- else -%}true{%- endif -%}
  when: not download_always_pull

- name: Check the local digest sha256 corresponds to the given image tag
  assert:
    that: "{{download.repo}}:{{download.tag}} in docker_images.stdout.split(',')"
  when: not download_always_pull and not pull_required and pull_by_digest
  tags:
    - asserts