Add apt-get upgrade to core packages layer

Pair 'apt-get upgrade -y --no-install-recommends' with the existing update + install in the first RUN step. Picks up security/CVE fixes that land in the Debian repos between base-image rebuilds. Same layer as the install to avoid bloating history; combined with apt-get clean and rm -rf /var/lib/apt/lists/* at the end so no index cache is kept. Today this is a no-op (debian:trixie-slim is current: 0 upgraded). Future-proofs against the lag between a CVE fix being published and the next base-image rebuild.
2026-04-29 10:25:36 +02:00
parent 2c889b472e
commit e0b6c2082f
2 changed files with 8 additions and 1 deletions
@@ -19,6 +19,7 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a
  - `curl --retry 5 --retry-delay 5 --retry-all-errors` on both the `-fsSL` GET requests and the `-sI` HEAD requests used for `/releases/latest` redirect resolution. 5 attempts with 5 s back-off eats most transient CDN hiccups without failing the build.
  - Added `[ -n "$V" ]` assertion after each version-resolution step. If the HEAD redirect ever fails to produce a tag name, the build fails fast with an empty-version message rather than trying to download `.../v//...` and producing a confusing 404.
  - Same hardening applied to the optional Go install block (go.dev JSON feed + tarball download) and the nodesource apt-repo setup script.
+- **Security:** Added `apt-get upgrade -y` to the core-packages RUN step. Picks up any security/CVE fixes published between `debian:trixie-slim` base-image rebuilds. Paired with the existing `update` and `install` in the same layer so image history isn't bloated. Today this produced `0 upgraded` (base image is current), but it future-proofs against the next CVE drop.

 ## v1.14.29 — 2026-04-28