We are using .NET 6 with global.json specifying the required SDK version. Which Docker image tag should we use to achieve the same roll-forward behavior?

{
  "sdk": {
    "version": "6.0.200"
  }
}

We rely on the default roll-forward behavior, which preserves the major, minor, and feature band while it rolls forward the patch version automatically. This corresponds to "rollForward": "latestPatch". All potentially breaking changes are prevented while security patches are allowed. Different patches of the same feature band are in-place updates and they cannot be installed side-by-side, anyway. We upgrade feature bands manually, in a controlled way.

Our apps are containerized, using the official .NET Docker images as their base. The docs recommend using the tag that fixes major and minor version, but they still roll forward the feature band automatically.

It is recommended to pull the SDK image before running the appropriate command. This ensures that you get the latest patch version of the SDK. Use the following command:

docker pull mcr.microsoft.com/dotnet/sdk:6.0

If we use the 6.0 tag for the base image, our build will break when a new feature band is released as the roll forward policy fixes the feature band. If we use the 6.0.200 tag for the base image, the build will not break, but we will not receive the security patches automatically -- we will need to update the tag for each patch release manually.

Is there a way to keep the build working reliably while automatically getting security patches of the SDK in the Docker images? We build our apps using Azure Pipelines in Azure DevOps Server 2020u1, using YAML pipelines.