fix(docker): update CADDY_IMAGE to track Debian base image digest for enhanced security

2026-01-30 02:16:06 +00:00
parent ac5d819996
commit c81503fb0a
2 changed files with 6 additions and 5 deletions
@@ -47,13 +47,14 @@
    },
    {
      "customType": "regex",
-      "description": "Track Debian base image in Dockerfile",
+      "description": "Track Debian base image digest in Dockerfile for security updates",
      "managerFilePatterns": ["/^Dockerfile$/"],
      "matchStrings": [
-        "ARG CADDY_IMAGE=debian:(?<currentValue>[\\w.-]+)"
+        "#\\s*renovate:\\s*datasource=docker\\s+depName=debian.*\\nARG CADDY_IMAGE=debian:(?<currentValue>trixie-slim@sha256:[a-f0-9]+)"
      ],
      "depNameTemplate": "debian",
-      "datasourceTemplate": "docker"
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "docker"
    }
  ],

@@ -22,8 +22,8 @@ ARG CADDY_VERSION=2.11.0-beta.2
 ## upstream caddy image tags while still shipping a pinned caddy binary.
 ## Using trixie (Debian 13 testing) for faster security updates - bookworm
 ## packages marked "wont-fix" are actively maintained in trixie.
-# renovate: datasource=docker depName=debian
-ARG CADDY_IMAGE=debian:trixie-slim
+# renovate: datasource=docker depName=debian versioning=docker
+ARG CADDY_IMAGE=debian:trixie-slim@sha256:77ba0164de17b88dd0bf6cdc8f65569e6e5fa6cd256562998b62553134a00ef0

 # ---- Cross-Compilation Helpers ----
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0 AS xx