Without --pull, the host's Docker layer cache wins: if a CVE drops in node:20.19.0-alpine3.21 / postgres:16-alpine and the vendor re-publishes the same tag, the runner keeps serving the cached layer until the cache is manually cleared — a silent supply-chain blind spot. Adding --pull to both `compose build` invocations costs a single re-pull per run and lifts the base-image patch lag from "next host prune" to "next nightly".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>