fix: add pull:true to docker-publish for fresh base images

The docker-publish.yml workflow was missing pull:true, causing it to use cached Alpine images with vulnerable c-ares 1.34.5-r0. This completes the fix across all three Docker workflows: - docker-build.yml ✓ - docker-publish.yml ✓ (this commit) - security-weekly-rebuild.yml ✓ Resolves CVE-2025-62408 (c-ares)
fix: add pull:true to docker-build to ensure fresh base images
2025-12-14 06:28:47 +00:00 · 2025-12-14 06:18:42 +00:00 · 2025-12-14 05:21:15 +00:00 · 2025-12-14 05:12:01 +00:00 · 2025-12-14 04:36:39 +00:00
3 changed files with 6 additions and 2 deletions
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -110,6 +110,7 @@ jobs:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          pull: true  # Always pull fresh base images to get latest security patches
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -114,6 +114,8 @@ jobs:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          # Always pull fresh base images to get latest security patches
+          pull: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
--- a/.github/workflows/security-weekly-rebuild.yml
+++ b/.github/workflows/security-weekly-rebuild.yml
@@ -71,6 +71,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          no-cache: ${{ github.event_name == 'schedule' || inputs.force_rebuild }}
+          pull: true  # Always pull fresh base images to get latest security patches
          build-args: |
            VERSION=security-scan
            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
@@ -121,8 +122,8 @@ jobs:
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "Checking key security packages:" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
-          docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \
-            sh -c "apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
+          docker run --rm --entrypoint "" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \
+            sh -c "apk update >/dev/null 2>&1 && apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY

      - name: Create security scan summary
Author	SHA1	Message	Date
GitHub Actions	18868a47fc	fix: add pull:true to docker-publish for fresh base images The docker-publish.yml workflow was missing pull:true, causing it to use cached Alpine images with vulnerable c-ares 1.34.5-r0. This completes the fix across all three Docker workflows: - docker-build.yml ✓ - docker-publish.yml ✓ (this commit) - security-weekly-rebuild.yml ✓ Resolves CVE-2025-62408 (c-ares)	2025-12-14 06:28:47 +00:00
GitHub Actions	cb5bd01a93	fix: add pull:true to docker-build to ensure fresh base images Ensures all Docker builds pull fresh Alpine base images to get security patches like c-ares 1.34.6-r0 (CVE-2025-62408). This mirrors the change made to security-weekly-rebuild.yml.	2025-12-14 06:18:42 +00:00
GitHub Actions	72ebde31ce	fix: add pull:true to security rebuild to fetch fresh base images Without pull:true, the weekly security rebuild may use stale base images cached on GitHub runners, missing security patches like c-ares 1.34.6-r0 (CVE-2025-62408).	2025-12-14 05:21:15 +00:00
GitHub Actions	7c79bf066a	fix: update security package check to include apk update for accurate version info	2025-12-14 05:12:01 +00:00
GitHub Actions	394ada14f3	fix: update Docker run command to remove entrypoint for security package checks	2025-12-14 04:36:39 +00:00