chore: add renovate comments for alpine base image tracking

Ensures Renovate detects and updates Alpine 3.23 to future versions (3.24, 3.25, etc.) automatically without manual monitoring.
fix: add pull:true to docker-publish for fresh base images
2025-12-14 06:36:42 +00:00 · 2025-12-14 06:28:47 +00:00 · 2025-12-14 06:18:42 +00:00
3 changed files with 5 additions and 0 deletions
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -110,6 +110,7 @@ jobs:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          pull: true  # Always pull fresh base images to get latest security patches
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -114,6 +114,8 @@ jobs:
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+          # Always pull fresh base images to get latest security patches
+          pull: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
--- a/2
+++ b/2
@@ -18,6 +18,7 @@ ARG CADDY_VERSION=2.10.2
 ## plain Alpine base image and overwrite its caddy binary with our
 ## xcaddy-built binary in the later COPY step. This avoids relying on
 ## upstream caddy image tags while still shipping a pinned caddy binary.
+# renovate: datasource=docker depName=alpine
 ARG CADDY_IMAGE=alpine:3.23

 # ---- Cross-Compilation Helpers ----
@@ -203,6 +204,7 @@ RUN mkdir -p /crowdsec-out/config && \
    cp -r config/* /crowdsec-out/config/ || true

 # ---- CrowdSec Fallback (for architectures where build fails) ----
+# renovate: datasource=docker depName=alpine
 FROM alpine:3.23 AS crowdsec-fallback

 WORKDIR /tmp/crowdsec