ci(deploy): add --pull to docker compose build for CVE pickup

Without --pull, the host's Docker layer cache wins: if a CVE drops in node:20.19.0-alpine3.21 / postgres:16-alpine and the vendor re-publishes the same tag, the runner keeps serving the cached layer until the cache is manually cleared — a silent supply-chain blind spot. Adding --pull to both `compose build` invocations costs a single re-pull per run and lifts the base-image patch lag from "next host prune" to "next nightly". Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 13:10:59 +02:00
parent 7e430998b8
commit f2ec81547b
2 changed files with 9 additions and 2 deletions
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -70,13 +70,17 @@ jobs:
          EOF

      - name: Build images
+        # `--pull` forces re-fetching pinned base images so a CVE
+        # re-publication of the same tag (e.g. node:20.19.0-alpine3.21,
+        # postgres:16-alpine) is picked up instead of being served
+        # from the host's stale Docker layer cache.
        run: |
          docker compose \
            -f docker-compose.prod.yml \
            -p archiv-staging \
            --env-file .env.staging \
            --profile staging \
-            build
+            build --pull

      - name: Deploy staging
        run: |
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -72,12 +72,15 @@ jobs:
          EOF

      - name: Build images
+        # `--pull` forces re-fetching pinned base images so a CVE
+        # re-publication of the same tag is picked up rather than served
+        # from the host's stale Docker layer cache.
        run: |
          docker compose \
            -f docker-compose.prod.yml \
            -p archiv-production \
            --env-file .env.production \
-            build
+            build --pull

      - name: Deploy production
        run: |