[PMAR-290] Automate patching #49
Open
JIRA Ticket
PMAR-290
What Are We Doing Here
Problem
The Docker image is only rebuilt when new versions are released. During periods without releases, the image accumulates security vulnerabilities in the base OS packages.
Solution
Add a monthly scheduled workflow that rebuilds and pushes the Docker image to ensure security patches are applied regularly.
Changes
- .github/workflows/scheduled-rebuild.yml: Rebuilds the Docker image on the 1st of each month, pushing to latest and all versioned tags. Uses no-cache to ensure fresh base image layers.
- Replaced instrumentisto/rsync-ssh:alpine3.20 with alpine:3.20 directly. This enables Dependabot to detect Alpine version updates (the previous tag format wasn't recognized). Since alpine:3.23 is available, I'd expect to see a Dependabot PR come in within 24 hours bumping this.
- DEVELOPMENT.md: Added maintenance plan covering automatic builds, base image updates, and instructions for handling Dependabot PRs.
Setup Required
Add these repository secrets for the scheduled workflow:
- DOCKERHUB_USERNAME ✅
- DOCKERHUB_TOKEN ✅
I've used my personal username and a personal access token for now. I'm planning to follow up about getting a service account instead.
Testing
After merging, trigger the workflow manually via Actions → Scheduled Docker Rebuild → Run workflow to verify credentials and push access.
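For reference, here is one way a monthly rebuild workflow of the kind described in this PR can be written. This is an added example, not the PR's actual .github/workflows/scheduled-rebuild.yml. It assumes a Docker Hub repository named example/rsync-ssh and release tags of the form vMAJOR.MINOR.PATCH, which it expands to latest plus the full, minor and major version tags; the two secret names and the workflow name match the ones the PR mentions.

```yaml
name: Scheduled Docker Rebuild

on:
  schedule:
    - cron: "0 3 1 * *"      # 03:00 UTC on the 1st of every month
  workflow_dispatch:         # permits the manual run described under Testing

permissions:
  contents: read             # the job only reads the repo; Docker Hub access comes from the secrets

jobs:
  rebuild:
    runs-on: ubuntu-latest
    env:
      IMAGE: example/rsync-ssh   # assumed image name; replace with the real Docker Hub repository
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0         # full history so release tags are available

      - name: Resolve the latest release tag and its semver aliases
        id: tags
        run: |
          set -euo pipefail
          # Assumes releases are tagged vMAJOR.MINOR.PATCH, e.g. v1.2.3 -> latest 1.2.3 1.2 1
          latest="$(git tag --list 'v[0-9]*' --sort=-version:refname | head -n1)"
          [ -n "$latest" ] || { echo "no release tag found"; exit 1; }
          ver="${latest#v}"
          major="${ver%%.*}"
          minor="${ver%.*}"
          echo "ref=$latest" >> "$GITHUB_OUTPUT"
          echo "tags=latest $ver $minor $major" >> "$GITHUB_OUTPUT"

      - name: Check out the release source
        env:
          REF: ${{ steps.tags.outputs.ref }}
        run: git checkout --quiet "$REF"

      - uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build against a freshly pulled base image and push every tag
        env:
          TAGS: ${{ steps.tags.outputs.tags }}   # passed via env, not interpolated into the script
        run: |
          set -euo pipefail
          args=()
          for t in $TAGS; do args+=(--tag "$IMAGE:$t"); done
          # --no-cache discards cached layers; --pull re-fetches the alpine:3.20 tag so the
          # currently patched base image is used instead of a stale local copy.
          docker build --pull --no-cache "${args[@]}" .
          for t in $TAGS; do docker push "$IMAGE:$t"; done
```

Two points worth checking against whichever workflow is merged: docker build --no-cache on its own does not re-pull the base image, so --pull (or the equivalent option of the build action) is what actually guarantees the newest alpine:3.20 layers; and step outputs are read through env rather than ${{ }} interpolation inside run so that a tag name can never be executed as shell. The DOCKERHUB_TOKEN should be a Docker Hub access token scoped to read/write on this repository only, which also makes the later switch to a service account a secret rotation rather than a workflow change.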