fix: add pull:true to security rebuild to fetch fresh base images

Without pull:true, the weekly security rebuild may use stale base images cached on GitHub runners, missing security patches like c-ares 1.34.6-r0 (CVE-2025-62408).
fix: update security package check to include apk update for accurate version info
2025-12-14 05:21:15 +00:00 · 2025-12-14 05:12:01 +00:00
1 changed files with 2 additions and 1 deletions
--- a/.github/workflows/security-weekly-rebuild.yml
+++ b/.github/workflows/security-weekly-rebuild.yml
@@ -71,6 +71,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          no-cache: ${{ github.event_name == 'schedule' || inputs.force_rebuild }}
+          pull: true  # Always pull fresh base images to get latest security patches
          build-args: |
            VERSION=security-scan
            BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
@@ -122,7 +123,7 @@ jobs:
          echo "Checking key security packages:" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          docker run --rm --entrypoint "" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} \
-            sh -c "apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
+            sh -c "apk update >/dev/null 2>&1 && apk info c-ares curl libcurl openssl" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY

      - name: Create security scan summary
Author	SHA1	Message	Date
GitHub Actions	72ebde31ce	fix: add pull:true to security rebuild to fetch fresh base images Without pull:true, the weekly security rebuild may use stale base images cached on GitHub runners, missing security patches like c-ares 1.34.6-r0 (CVE-2025-62408).	2025-12-14 05:21:15 +00:00
GitHub Actions	7c79bf066a	fix: update security package check to include apk update for accurate version info	2025-12-14 05:12:01 +00:00