From f2ec81547ba54eb0a1f859514d89e6666a82ae9e Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 11 May 2026 13:10:59 +0200
Subject: [PATCH] ci(deploy): add --pull to docker compose build for CVE pickup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without --pull, the host's Docker layer cache wins: if a CVE drops in node:20.19.0-alpine3.21 / postgres:16-alpine and the vendor re-publishes the same tag, the runner keeps serving the cached layer until the cache is manually cleared — a silent supply-chain blind spot. Adding --pull to both `compose build` invocations costs a single re-pull per run and lifts the base-image patch lag from "next host prune" to "next nightly".

Co-Authored-By: Claude Opus 4.7
---
.gitea/workflows/nightly.yml | 6 +++++-
.gitea/workflows/release.yml | 5 ++++-
2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 118dd54f..cbf10d39 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -70,13 +70,17 @@ jobs: EOF - name: Build images + # `--pull` forces re-fetching pinned base images so a CVE + # re-publication of the same tag (e.g. node:20.19.0-alpine3.21, + # postgres:16-alpine) is picked up instead of being served + # from the host's stale Docker layer cache. run: | docker compose \ -f docker-compose.prod.yml \ -p archiv-staging \ --env-file .env.staging \ --profile staging \ - build + build --pull - name: Deploy staging run: |
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index d4332ba9..9ae74ad6 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
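Review bot: `build --pull` on the last line of the `Build images` step only refreshes base images of services that are built from a Dockerfile; a service that takes `postgres:16-alpine` directly via `image:` (the compose file is not in the hunk, so this is inferred from the new comment naming it) is not touched by `compose build` at all, and the same stale-tag blind spot stays open for it unless the deploy step also runs `docker compose ... pull` or `up --pull always`. Re-pulling a mutable tag also leaves no record of which image actually went into the build, so a later incident cannot be tied to a specific base; pinning `image:`/`FROM` references by digest, or at least printing the resolved digest after the build (`docker image inspect --format '{{index .RepoDigests 0}}' node:20.19.0-alpine3.21`), would close that gap. The comment calls the base images "pinned", but a version tag such as `node:20.19.0-alpine3.21` is mutable (the commit relies on exactly that), so `# `--pull` re-fetches the tagged base images so a re-publication of the same tag` would be the more accurate opening line. Every run now also fails if the upstream registry is unreachable, a deliberate trade-off worth stating in the same comment. The same points apply to the release.yml hunk.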
@@ -72,12 +72,15 @@ jobs: EOF - name: Build images + # `--pull` forces re-fetching pinned base images so a CVE + # re-publication of the same tag is picked up rather than served + # from the host's stale Docker layer cache. run: | docker compose \ -f docker-compose.prod.yml \ -p archiv-production \ --env-file .env.production \ - build + build --pull - name: Deploy production run: |