Add apt-get upgrade to core packages layer

Pair 'apt-get upgrade -y --no-install-recommends' with the existing update + install in the first RUN step. Picks up security/CVE fixes that land in the Debian repos between base-image rebuilds. Same layer as the install to avoid bloating history; combined with apt-get clean and rm -rf /var/lib/apt/lists/* at the end so no index cache is kept. Today this is a no-op (debian:trixie-slim is current: 0 upgraded). Future-proofs against the lag between a CVE fix being published and the next base-image rebuild.
2026-04-29 10:25:36 +02:00
parent 2c889b472e
commit e0b6c2082f
2 changed files with 8 additions and 1 deletions
@@ -15,7 +15,12 @@ LABEL org.opencontainers.image.source="https://gitea.jordbo.se/joakimp/opencode-
 ENV DEBIAN_FRONTEND=noninteractive

 # ── Core system packages ─────────────────────────────────────────────
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# apt-get upgrade picks up any security/CVE fixes published between
+# debian:trixie-slim base-image rebuilds. Paired with the index update
+# and the install in the same layer so we don't bloat image history.
+RUN apt-get update && \
+    apt-get upgrade -y --no-install-recommends && \
+    apt-get install -y --no-install-recommends \
    ca-certificates \
    curl \
    wget \
@@ -45,6 +50,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
    python3-pip \
    python3-venv \
    && ln -s /usr/bin/fdfind /usr/local/bin/fd \
+    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

 # ── Go-compiled tools (install from GitHub to avoid CVEs in Debian's old Go builds)