[PMAR-290] Automate patching

.changeset/flat-shrimps-hide.md

@@ -0,0 +1,5 @@
+---
+"@wpengine/site-deploy": patch
+---
+
+Remove dependency on instrumentisto/rsync-ssh

.github/workflows/scheduled-rebuild.yml

@@ -0,0 +1,55 @@
+name: Scheduled Docker Rebuild
+
+on:
+  schedule:
+    # Run monthly on the 1st at 00:00 UTC
+    - cron: '0 0 1 * *'
+  workflow_dispatch: # Allow manual triggers
+
+jobs:
+  rebuild:
+    name: Rebuild Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get current version
+        id: version
+        run: |
+          VERSION=$(jq -r '.version' package.json)
+          MAJOR=$(echo $VERSION | cut -d. -f1)
+          MINOR=$(echo $VERSION | cut -d. -f2)
+          PATCH=$(echo $VERSION | cut -d. -f3)
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+          echo "MAJOR=$MAJOR" >> $GITHUB_OUTPUT
+          echo "MINOR=$MINOR" >> $GITHUB_OUTPUT
+          echo "PATCH=$PATCH" >> $GITHUB_OUTPUT
+
+      - name: Checkout release tag
+        run: git checkout v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}.${{ steps.version.outputs.PATCH }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            wpengine/site-deploy:latest
+            wpengine/site-deploy:v${{ steps.version.outputs.MAJOR }}
+            wpengine/site-deploy:v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}
+            wpengine/site-deploy:v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}.${{ steps.version.outputs.PATCH }}
+          # No cache - we want fresh base image layers for security patches
+          no-cache: true
+

DEVELOPMENT.md

@@ -38,15 +38,35 @@ Any other customizations that are uniquely required can be added to the Dockerfi
 
 ## Updating the Docker Image
 
-The `latest` Docker Image will be updated automatically after merging into the `main` branch.
-`wpengine/site-deploy:latest`
+### Automatic Builds
 
+Docker images are built and pushed automatically:
 
-A versioned Docker Image will be automatically generated for each release of this repository, based on the tag name
-`wpengine/site-deploy:{tagName}`
+| Trigger | Tags Updated | Source |
+|---------|--------------|--------|
+| Push to `main` | `latest` | Docker Hub Autobuild |
+| New version release | `latest`, `vX`, `vX.Y`, `vX.Y.Z` | Docker Hub Autobuild |
+| Monthly schedule (1st of month) | `latest`, `vX`, `vX.Y`, `vX.Y.Z` | GitHub Actions |
 
-Additional Docker Images will be automatically generated for each branch to use in testing.
-`wpengine/site-deploy:branch-{branchName}`
+The scheduled monthly rebuild ensures security patches are applied even when there are no new releases. This workflow uses `no-cache` to pull fresh base image layers.
+
+### Base Image Maintenance
+
+The Dockerfile uses Alpine Linux as its base image. The base image follows this update pattern:
+
+- **Dependabot** monitors for new Alpine versions and creates PRs automatically
+- **Scheduled rebuilds** pick up security patches from `apk upgrade` monthly
+- Alpine releases new versions every 6 months (roughly June and December)
+
+When Dependabot opens a PR for a new Alpine version:
+
+1. Review the [Alpine release notes](https://alpinelinux.org/releases/) for breaking changes
+2. Add a changeset to the PR (`npx changeset`) so a proper release is created when merged
+3. Merge the PR to trigger a new versioned release
+
+### Docker Hub
+
+Images are published to DockerHub: [wpengine/site-deploy](https://hub.docker.com/r/wpengine/site-deploy)
 
 ## Manually updating the Docker Image
 

Dockerfile

@@ -1,10 +1,15 @@
-FROM instrumentisto/rsync-ssh:alpine3.20
-# Install dependencies
+FROM alpine:3.20
+
 RUN apk update \
  && apk upgrade \
  && apk add --no-cache \
+            rsync \
+            openssh-client-default sshpass \
+            gettext-envsubst \
+            ca-certificates tzdata \
             bash \
             php \
+ && update-ca-certificates \
  && rm -rf /var/cache/apk/*
 # Add entrypoint and utils
 COPY utils /utils