fix(infra): pin ocr-volume-init to alpine:3.21 and drop project network

alpine:3 is a moving tag — pinning to 3.21 makes builds reproducible and rollbacks possible. networks: [] removes the init container from the project network since it only needs volume access, not network access (least privilege). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-18 11:21:55 +02:00
parent 6839cf2a33
commit 3182da8d92
2 changed files with 4 additions and 2 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -134,7 +134,7 @@ services:
  # created before the non-root ocr user was introduced in commit 1aca4c4a)
  # and guarantees /app/cache/.tmp exists for TMPDIR staging. See ADR-021.
  ocr-volume-init:
-    image: alpine:3
+    image: alpine:3.21
    command:
      - sh
      - -c
@@ -142,6 +142,7 @@ services:
    volumes:
      - ocr-models:/app/models
      - ocr-cache:/app/cache
    networks: []
    restart: "no"
  ocr-service:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -77,7 +77,7 @@ services:
  # created before the non-root ocr user was introduced in commit 1aca4c4a)
  # and guarantees /app/cache/.tmp exists for TMPDIR staging. See ADR-021.
  ocr-volume-init:
-    image: alpine:3
+    image: alpine:3.21
    command:
      - sh
      - -c
@@ -85,6 +85,7 @@ services:
    volumes:
      - ocr_models:/app/models
      - ocr_cache:/app/cache
    networks: []
    restart: "no"
  # --- OCR: Python microservice (Surya + Kraken) ---