From 72ebde31ce6cb6ded9ed2a8669ce0ab3facb797e Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Sun, 14 Dec 2025 05:21:15 +0000
Subject: [PATCH] fix: add pull:true to security rebuild to fetch fresh base images

Without pull:true, the weekly security rebuild may use stale base images cached on GitHub runners, missing security patches like c-ares 1.34.6-r0 (CVE-2025-62408).
---
 .github/workflows/security-weekly-rebuild.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/security-weekly-rebuild.yml b/.github/workflows/security-weekly-rebuild.yml
index c1230ebc..44c5bdb6 100644
--- a/.github/workflows/security-weekly-rebuild.yml
+++ b/.github/workflows/security-weekly-rebuild.yml
@@ -71,6 +71,7 @@ jobs:
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
 no-cache: ${{ github.event_name == 'schedule' || inputs.force_rebuild }}
+pull: true # Always pull fresh base images to get latest security patches
 build-args: |
 VERSION=security-scan
 BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
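Review bot: `pull: true` only re-resolves the `FROM` image; on a manual run where `no-cache` evaluates to false (not a `schedule` event and `force_rebuild` unset, per the line above the addition), any cached `RUN` layer that installs or upgrades packages is reused, so a fix that arrives as a package update rather than a new base-image tag can still be missed — the commit message's c-ares example is exactly that kind of patch if it is applied by a package manager step rather than shipped in the base image (the Dockerfile is not visible here, so this is inferred). The inline comment should say so rather than promise "latest security patches" unconditionally, e.g. `pull: true  # Re-resolve FROM tags each run; package-level fixes still need no-cache (schedule/force_rebuild)`, which also gives yamllint its two spaces before an inline `#` (as rendered here there is one). Because a fresh pull makes the build depend on whatever the registry currently serves for a mutable tag, it is worth recording the resolved base-image digest in the build output or provenance so a scan result can be tied to the exact base that was built. The enclosing `with:` block of the build step starts and ends outside the hunk.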