
ci: weekly scheduled rebuild to refresh container base layers#2242

Open
pjordanandrsn wants to merge 1 commit into
AlexxIT:masterfrom
pjordanandrsn:weekly-rebuild-schedule

Conversation

@pjordanandrsn


Motivation

The alexxit/go2rtc:latest and ghcr.io/alexxit/go2rtc:master container images currently rebuild only on push to master and on tag. Between tagged releases, the alpine base layer accumulates security fixes that aren't picked up.

Latest published image (v1.9.14, 2026-01-19) scanned with trivy on 2026-05-02:

| Severity | Count |
|----------|-------|
| CRITICAL | 4     |
| HIGH     | 24    |

All findings are in alpine OS packages — none in go2rtc itself. Rebuilding the same docker/Dockerfile against current python:3.13-alpine reduces these to 0 HIGH/CRITICAL without any source change.

Change

Adds a schedule: trigger to the existing Build and Push workflow:

```yaml
on:
  workflow_dispatch:
  push:
    branches: ['master']
    tags: ['v*']
  schedule:
    - cron: '0 4 * * 0'   # Sunday 04:00 UTC
```

Existing jobs already use --pull semantics via docker/build-push-action@v5 plus cache-from: type=gha / cache-to: type=gha,mode=max, so subsequent rebuilds are fast (only base layers re-pulled).

Tradeoff

This also re-runs the build-binaries job weekly. If you'd rather isolate the docker rebuilds, I can split it into a separate rebuild-containers.yml workflow that calls only the three docker-* jobs — happy to switch to that pattern if preferred.

Verified locally

docker build --pull -t local/go2rtc:rebuilt -f docker/Dockerfile . against current alpine + python:3.13 → 0 HIGH/CRITICAL OS CVEs.

The alexxit/go2rtc:latest and ghcr.io/alexxit/go2rtc:master images rebuild
only on push to master and on tag. Between tagged releases the alpine base
accumulates security fixes that aren't picked up — a trivy scan of v1.9.14
(2026-01-19) on 2026-05-02 found 4 CRITICAL + 24 HIGH OS CVEs, all in
alpine packages, none in go2rtc itself.

Adding a weekly schedule lets existing build jobs run with --pull
semantics so :master / :latest stay current with base-layer fixes. The
gha cache means re-runs are fast (only base layers re-pulled).
geekho-me added a commit to geekho-me/go2rtc that referenced this pull request May 23, 2026
Adds a weekly schedule (Sunday 04:00 UTC) to the Docker-image
build workflow so the master/latest images pick up Alpine and
Python base-layer CVE fixes between tagged go2rtc releases.

Also sets pull:true on docker/build-push-action@v6. Without
this, the GitHub-Actions layer cache can indefinitely re-use a
vulnerable `apk add` layer because the cache key matches the
unchanged instruction text -- the rebuild would just cache-hit
and produce an identical image. pull:true bumps the parent
layer SHA whenever Alpine ships a refreshed base image, which
invalidates downstream cache and forces apk to re-install at
current package versions.

Test workflow is workflow_dispatch only and doesn't need a
schedule. No code change, no test impact.

Pattern adopted from upstream PR
AlexxIT#2242. The fork's
workflow is Docker-only (no build-binaries job) so the
trade-off discussed there doesn't apply here.

CHANGES.md gains a new "CI / Build" section (sec 16) recording
the change.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
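The two points raised in this thread, a `schedule` trigger so `:master` / `:latest` are rebuilt between releases, and `pull: true` so a GHA cache hit cannot silently reproduce the old base layers, fit together in one workflow. The following is an added example, not go2rtc's own `.github/workflows` file or the fork's commit: the job and step names, the `aquasecurity/trivy-action` pin, the `load`-then-scan-then-push split and the `candidate` tag are assumptions, while the cron expression, `docker/Dockerfile`, the `type=gha` cache settings and the image names come from the PR.

```yaml
# Added example (not the project's workflow): weekly rebuild that cannot
# cache-hit its way to an unchanged image, gated on an OS-package scan.
name: Rebuild containers

on:
  workflow_dispatch:
  push:
    branches: ['master']
    tags: ['v*']
  schedule:
    - cron: '0 4 * * 0'   # Sunday 04:00 UTC, as proposed in the PR

jobs:
  docker-rebuild:            # assumed job name
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write        # needed to push to ghcr.io with GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # WEAK (the failure mode described in the fork commit): with only the
      # cache settings below, a scheduled run whose Dockerfile text has not
      # changed resolves every layer from the GHA cache and pushes an image
      # identical to the previous, still-vulnerable one.
      #
      #   - uses: docker/build-push-action@v6
      #     with:
      #       file: docker/Dockerfile
      #       push: true
      #       cache-from: type=gha
      #       cache-to: type=gha,mode=max

      # CORRECTED: pull: true re-resolves the FROM image digest on every run,
      # so a refreshed python:3.13-alpine base changes the parent layer SHA
      # and invalidates the cached `apk add` layer beneath it.
      - name: Build candidate image (not pushed yet)
        uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/Dockerfile
          pull: true
          load: true                                  # keep it local until it passes the gate
          tags: ghcr.io/alexxit/go2rtc:candidate      # assumed scratch tag
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Scan gate: fail the run if the rebuilt image still carries fixable
      # HIGH/CRITICAL OS-package CVEs. The PR measured 4 CRITICAL / 24 HIGH
      # before rebuilding and 0 after, so a non-zero count here means the
      # rebuild did not actually refresh the base layers.
      - name: Gate on OS CVEs
        uses: aquasecurity/trivy-action@0.28.0        # assumed pin; review the tag before use
        with:
          image-ref: ghcr.io/alexxit/go2rtc:candidate
          vuln-type: os
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '1'

      # Only a candidate that passed the gate is pushed. Same cache, so this
      # step is a fast re-tag of the layers built above.
      - name: Push master image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/Dockerfile
          pull: true
          push: true
          tags: ghcr.io/alexxit/go2rtc:master
          cache-from: type=gha
          cache-to: type=gha,mode=max
```

Splitting build and push around the scan step is a design choice rather than something the PR requires: it keeps a scheduled run from publishing an image that the gate would have rejected, while the shared `type=gha` cache means the second `build-push-action` step only re-tags layers it already has. If the project keeps its three existing `docker-*` jobs, the same two settings (`schedule` in `on:` and `pull: true` in each build step) apply to each of them, and `github.event_name == 'schedule'` can be used in an `if:` to restrict any schedule-only behaviour.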