From 3182da8d92d078c0129bb1dc7d520a8e7fcd6e76 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 18 May 2026 11:21:55 +0200
Subject: [PATCH] fix(infra): pin ocr-volume-init to alpine:3.21 and drop project network
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
alpine:3 is a moving tag — pinning to 3.21 makes builds reproducible and rollbacks possible. networks: [] removes the init container from the project network since it only needs volume access, not network access (least privilege).
Co-Authored-By: Claude Sonnet 4.6
---
 docker-compose.prod.yml | 3 ++-
 docker-compose.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 517d7a98..31d85e42 100644
--- docker-compose.prod.yml
+++ docker-compose.prod.yml
@@ -134,7 +134,7 @@ services:
 # created before the non-root ocr user was introduced in commit 1aca4c4a)
 # and guarantees /app/cache/.tmp exists for TMPDIR staging. See ADR-021.
 ocr-volume-init:
- image: alpine:3
+ image: alpine:3.21
 command:
 - sh
 - -c
@@ -142,6 +142,7 @@ services:
 volumes:
 - ocr-models:/app/models
 - ocr-cache:/app/cache
+ networks: []
 restart: "no"
 ocr-service:
diff --git a/docker-compose.yml b/docker-compose.yml
index 7ebf907a..842f94e1 100644
--- docker-compose.yml
+++ docker-compose.yml
@@ -77,7 +77,7 @@ services:
 # created before the non-root ocr user was introduced in commit 1aca4c4a)
 # and guarantees /app/cache/.tmp exists for TMPDIR staging. See ADR-021.
 ocr-volume-init:
- image: alpine:3
+ image: alpine:3.21
 command:
 - sh
 - -c
@@ -85,6 +85,7 @@ services:
 volumes:
 - ocr_models:/app/models
 - ocr_cache:/app/cache
+ networks: []
 restart: "no"
 # --- OCR: Python microservice (Surya + Kraken) ---
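Review bot: `image: alpine:3.21` in the first hunk of docker-compose.prod.yml (and the matching first hunk of docker-compose.yml) is still a floating tag, because it follows every 3.21.x patch release and a tag can be re-pushed, so two pulls can return different images. For the reproducible builds and rollbacks named in the commit message, pin the digest as well, for example `image: alpine:3.21@sha256:<digest-of-the-reviewed-image>`, where the digest is a placeholder to be taken from the image that was actually reviewed. A digest pin also freezes base-image security fixes, so it needs a deliberate refresh step. The ocr-volume-init service continues past this hunk.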
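Review bot: `networks: []` in the second hunk of docker-compose.prod.yml (the same line is added in docker-compose.yml) probably does not detach ocr-volume-init from the project network. As far as I know, Compose treats an empty service-level `networks` list like a missing one and attaches the container to the implicit `default` network; the setting that disables networking is `network_mode: none`. I would replace the added line with `network_mode: none` and confirm with `docker compose config` or `docker inspect` that the container ends up with no network attachment. The command script line between the two hunks is not visible here.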