Periodically rebuild docker image

[pcrockett]

I noticed it's been a few months since the Docker image has been rebuilt. If there's a security update in the underlying Alpine image, it looks like those will only get picked up after a release.

Do you think it's worthwhile to trigger a Docker image rebuild every month or so, using a scheduled GitHub Action?

[djmitche]

I dislike the idea of releasing different docker images with the same tags. That's considered OK with the latest tag but makes users decide to either follow latest and maybe get broken on a random Tuesday, or pin to a release and maybe not get updates.

We should probably just do point releases periodically. I will self-assign this and hopefully do one soon (ideally in the next several days).

[pcrockett]

You know, my initial reaction was to totally agree. However after thinking about it some more, my opinion is changed. The widely-accepted best practice to avoid random breakage is on the consumer side:

• Users are encouraged to pin to SHA digests and have a controlled update routine.
• When users are OK with the risk associated with periodic automatic updates, they pin to tags.

So by not periodically rebuilding tags, we're actually going against widely-accepted expected behavior, and denying users the option of reasonably-stable automatic updates.

I'd also add that one would expect the 0.7 tag to receive periodic updates as well, since it always tracks 0.7.* releases.

[djmitche]

That's a fair point! I suppose we could do a periodic rebuild of latest from the latest release -- right now I believe it is from the latest commit on main.

I will add this to my list of assigned issues, as I understand GH actions are hard to hack on for those without admin access to the repo. But, if you've got any capacity to work on this I would love the help!

[pcrockett]

Thanks for being so receptive to the idea.

I'll put this on my list of things to do when I'm bored. Which seldom happens, unfortunately. Don't count on me 😄 . It would be fun to do though.

GH actions are hard to hack on for those without admin access to the repo

There's always the option of creating a temporary fork where you can have admin access to test things out. That's what I'd do at least, if I ever start working on it.