Merge pull request #263 from kaffolder7/feature/dependabot-version-updates

feat: automate dependency updates 🤖

.github/dependabot.yml

@@ -0,0 +1,47 @@
+version: 2
+updates:
+  # Track base image versions via .env.build
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    file-patterns:
+      - ".env.build"
+      - "node:*"  # Ensures Node.js images are correctly detected
+
+  # Monitor OS package versions in Dockerfile (Debian/Alpine)
+  - package-ecosystem: "gitsubmodule"  # Alternative method to track OS packages in Dockerfile
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "os-packages"
+    commit-message:
+      prefix: "os"
+      include: "scope"
+
+  # Monitor Node.js dependencies from package.json
+  # TODO: Uncomment below if we want to begin letting Dependabot monitor & open PRs for Node.js project dependencies
+  # - package-ecosystem: "npm"
+  #   directory: "/"
+  #   schedule:
+  #     interval: "weekly"
+  #   labels:
+  #     - "dependencies"
+  #     - "npm"
+  #   commit-message:
+  #     prefix: "npm"
+  #     include: "scope"
+
+  # Monitor GitHub Actions dependencies
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "actions"
+      include: "scope"

.github/workflows/publish-images.yml

@@ -1,4 +1,4 @@
-name: Publish Docker Image to Registries
+name: Publish Docker Images to Container Registries
 
 on:
   release:
@@ -7,8 +7,6 @@ on:
   workflow_dispatch:  # Allows for manual execution
 
 env:
-  ALPINE_VERSION: "23-alpine"
-  DEBIAN_VERSION: "23-slim"
   # Registry URLs
   DOCKERHUB_REGISTRY: docker.io
   GITHUB_REGISTRY: ghcr.io
@@ -39,9 +37,31 @@ jobs:
             exit 1
           )
 
+  check-dependabot-prs:
+    runs-on: ubuntu-latest
+    outputs:
+      has_dependabot_prs: ${{ steps.check.outputs.has_dependabot_prs }}
+    steps:
+      - name: Check for Open Dependabot PRs
+        id: check
+        run: |
+          PRS=$(gh pr list --repo ${{ github.repository }} --author "dependabot[bot]" --state open --json number --jq 'length')
+          echo "Open Dependabot PRs: $PRS"
+          if [ "$PRS" -gt 0 ]; then
+            echo "has_dependabot_prs=true" >> $GITHUB_ENV
+            exit 1  # Fail the workflow
+          else
+            echo "has_dependabot_prs=false" >> $GITHUB_ENV
+          fi
+          env:
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   build-and-push-to-registries:
-    needs: check-lockfile  # Runs only after `check-lockfile` completes successfully
+    # Runs only after `check-lockfile` and `check-dependabot-prs` jobs complete successfully
+    needs: [check-lockfile, check-dependabot-prs]
     name: Push Docker images to Docker Hub and GitHub Container Registry
+    # Ensures that there are no open Dependabot PRs before building Docker images
+    if: needs.check-dependabot-prs.outputs.has_dependabot_prs == 'false'
     strategy:
       matrix:
         variant: [alpine, debian]
@@ -111,8 +131,22 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3.3.0
 
+      - name: Load environment variables from .env.build
+        run: |
+          # If .env.build is missing, use default full image names (should match Dockerfile ARG defaults)
+          export ALPINE_VERSION="node:23.7.0-alpine3.21"
+          export DEBIAN_VERSION="node:23.7.0-bookworm-slim"
+
+          # If .env.build exists, override fallback values with Dependabot-updated values
+          if [ -f .env.build ]; then
+            export $(grep -v '^#' .env.build | xargs)
+          fi
+
+          echo "ALPINE_VERSION=$ALPINE_VERSION" >> $GITHUB_ENV
+          echo "DEBIAN_VERSION=$DEBIAN_VERSION" >> $GITHUB_ENV
+
       # Build and push Docker image with Buildx to both registries (don't push on PR)
-      - name: Build and push Docker image
+      - name: Build and push Docker images
         id: build-and-push
         uses: docker/build-push-action@v6.13.0
         with:
@@ -138,7 +172,7 @@ jobs:
           echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
 
       # For use in other workflows (e.g. 'generate-readme', etc.)
-      - name: Save Build Version to Repository Variable
+      - name: Save release's build version number to repository variable
         if: matrix.variant == 'debian' && github.run_attempt == 1
         run: |
           # VERSION="${{ steps.meta.outputs.version }}"

Dockerfile

@@ -1,15 +1,15 @@
 # syntax=docker/dockerfile:1
 
-# Global build arguments
-ARG ALPINE_VERSION=23.7.0-alpine3.21
-ARG DEBIAN_VERSION=23.7.0-bookworm-slim
+# Global build arguments (defined default values in case `.env.build` isn't loaded)
+ARG ALPINE_VERSION=node:23.7.0-alpine3.21
+ARG DEBIAN_VERSION=node:23.7.0-bookworm-slim
 ARG VARIANT=debian
 
 #==========================================================#
 #                   STAGE 1: BUILD STAGE                    #
 #==========================================================#
 
-FROM node:${DEBIAN_VERSION} AS builder-debian
+FROM ${DEBIAN_VERSION} AS builder-debian
 RUN apt-get update && apt-get install -y \
         build-essential=12.9 \
         python3=3.11.2-1+b1 \
@@ -22,7 +22,7 @@ RUN apt-get update && apt-get install -y \
         iputils-ping=3:20221126-1+deb12u1 && \
     rm -rf /var/lib/apt/lists/*
 
-FROM node:${ALPINE_VERSION} AS builder-alpine
+FROM ${ALPINE_VERSION} AS builder-alpine
 RUN apk add --no-cache --update \
         build-base=0.5-r3 \
         python3=3.12.9-r0 \
@@ -31,7 +31,7 @@ RUN apk add --no-cache --update \
         g++=14.2.0-r4 \
         sqlite=3.48.0-r0 \
         sqlite-dev=3.48.0-r0 \
-        tzdata \
+        tzdata=2025a-r0 \
         iputils=20240905-r0
 
 FROM builder-${VARIANT} AS builder
@@ -58,9 +58,9 @@ COPY . .
 # TODO: Reevaluate permissions (possibly reduce?)...
 # Remove docs directory and ensure required directories exist
 RUN rm -rf src/routes/\(docs\) \
-    static/documentation \
+		static/documentation && \
     static/fonts/lato/full && \
-  mkdir -p uploads database && \
+	  mkdir -p uploads database && \
   # TODO: Consider changing below to `chmod -R u-rwX,g=rX,o= uploads database`
     chmod -R 750 uploads database
 
@@ -84,9 +84,9 @@ RUN apt-get update && apt-get install -y \
 
 FROM node:${ALPINE_VERSION} AS final-alpine
 RUN apk add --no-cache --update \
-  iputils=20240905-r0 \
-  sqlite=3.48.0-r0 \
-  tzdata
+	iputils=20240905-r0 \
+	sqlite=3.48.0-r0 \
+	tzdata=2025a-r0
 
 FROM final-${VARIANT} AS final