From cb5bd01a9360ad728644ab2f284a7e33ad72c971 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Sun, 14 Dec 2025 06:18:42 +0000
Subject: [PATCH] fix: add pull:true to docker-build to ensure fresh base images

Ensures all Docker builds pull fresh Alpine base images to get security patches like c-ares 1.34.6-r0 (CVE-2025-62408). This mirrors the change made to security-weekly-rebuild.yml.
---
 .github/workflows/docker-build.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 3235fc61..645e02b1 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -110,6 +110,7 @@ jobs:
 push: ${{ github.event_name != 'pull_request' }}
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
+ pull: true # Always pull fresh base images to get latest security patches
 cache-from: type=gha
 cache-to: type=gha,mode=max
 build-args: |
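Review bot: `pull: true` only forces the `FROM` tag to be re-resolved; with `cache-from: type=gha` on the next line, any `RUN` layer that installs or upgrades packages is still restored from cache as long as the base image digest is unchanged. A fix such as the c-ares update named in the commit message therefore arrives only if the Alpine tag itself was republished with it; if the Dockerfile (not visible here) gets the package through `apk add` or `apk upgrade`, the cached layer would keep the old version. Consider stating that limit in the inline comment, e.g. `pull: true  # re-resolves FROM only; cached RUN layers are not re-run`, and, assuming this step is docker/build-push-action, setting `no-cache: true` on the builds that are meant to pick up patches. The step's `with:` mapping starts above the hunk and `build-args` continues below it.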