fix: add pull:true to security rebuild to fetch fresh base images

Without pull:true, the weekly security rebuild may use stale base
images cached on GitHub runners, missing security patches like
c-ares 1.34.6-r0 (CVE-2025-62408).
GitHub Actions
2025-12-14 05:21:15 +00:00
parent 7c79bf066a
commit 72ebde31ce


@@ -71,6 +71,7 @@ jobs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
no-cache: ${{ github.event_name == 'schedule' || inputs.force_rebuild }}
pull: true # Always pull fresh base images to get latest security patches
build-args: |
VERSION=security-scan
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
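Review bot: The inline comment on `pull: true` promises more than the option delivers: it only makes the builder re-resolve the `FROM` tags against the registry, so a patched package arrives only if the upstream tag has been republished or a package-upgrade step in the Dockerfile (not visible here) reruns. On scheduled runs `no-cache` is also true, so that holds, but on other events the layers after `FROM` can presumably still come from cache when the base digest has not changed. I would reword the comment to `# re-resolve base image tags on every build; patched packages still depend on the upstream tag or an uncached upgrade step`, and consider logging the resolved base digest so each published image can be traced to the base it was built from. The step's `with:` block starts and ends outside the hunk.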