chore(deps): update debian:trixie-slim docker digest to 1caf1c7

.gitea/workflows/build.yml

@@ -1,23 +1,50 @@
-on: push
+name: Build Docker Image
+
+on:
+  push:
+    branches:
+      - master
+    # Renovate will push updates as commits
+    paths:
+      - "Dockerfile"
+
 jobs:
   build-docker:
     runs-on: ubuntu-latest
     container:
       image: catthehacker/ubuntu:act-latest
+
     steps:
+      # 1. Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      # 2. Set up Docker Buildx
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to DockerHub
+      # 3. Login to your registry
+      - name: Login to Docker registry
         uses: docker/login-action@v3
         with:
           registry: git.comprofix.com
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
-      - name: Build and push
+      # 4. Define timestamp tag
+      - name: Set Docker image tags
+        id: docker_tags
+        run: |
+          TIMESTAMP=$(date +'%Y.%m.%d-%H%M%S')
+          echo "tags=git.comprofix.com/mmckinnon/debian-latest:latest,git.comprofix.com/mmckinnon/debian-latest:$TIMESTAMP" >> $GITHUB_ENV
+
+      # 5. Build & push Docker image
+      - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
+          context: .
           file: ./Dockerfile
           push: true
-          tags: git.comprofix.com/mmckinnon/debian-runner:latest
+          tags: ${{ env.tags }}

Dockerfile

@@ -1,41 +1,68 @@
-# Base image
+# =========================
-FROM debian:trixie-slim
+# Stage 1: Builder
+# =========================
+FROM debian:trixie-slim@sha256:1caf1c703c8f7e15dcf2e7769b35000c764e6f50e4d7401c355fb0248f3ddfdb AS builder
 
-# Set environment variables
 ENV DEBIAN_FRONTEND=noninteractive \
-    LANG=C.UTF-8 \
+    LANG=C.UTF-8
-    PATH=/usr/local/bundle/bin:$PATH
 
-# Install dependencies
+# Install build dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     git \
     bash \
     openssh-client \
+    ca-certificates \
+    procps \
+    iproute2 \
+    netcat-traditional \
+    unzip \
+    iputils-ping \
     python3 \
-    python3-pip \
+    python3-venv \
     build-essential \
     zlib1g-dev \
     libffi-dev \
     libssl-dev \
-    ca-certificates \
+    ruby-full \
     && rm -rf /var/lib/apt/lists/*
 
 # Install Node.js 22
 RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
     && apt-get install -y nodejs \
-    && npm install -g npm
+    && npm install -g npm \
-
-# Install Ansible via pip
-RUN pip3 install --no-cache-dir ansible
-
-# Install Ruby and Jekyll
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    ruby-full \
-    && gem install bundler jekyll \
     && rm -rf /var/lib/apt/lists/*
 
-# Create workspace
+# Create Python virtual environment for Ansible
+RUN python3 -m venv /opt/venv \
+    && /opt/venv/bin/pip install --no-cache-dir --upgrade pip ansible
+
+# =========================
+# Stage 2: Final runtime image
+# =========================
+FROM debian:trixie-slim@sha256:1caf1c703c8f7e15dcf2e7769b35000c764e6f50e4d7401c355fb0248f3ddfdb
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    PATH=/opt/venv/bin:$PATH
+
+# Install runtime dependencies only
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    bash \
+    openssh-client \
+    ca-certificates \
+    iputils-ping \
+    python3 \
+    python3-venv \
+    ruby-full \
+    nodejs \
+    git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy built Python venv from builder
+COPY --from=builder /opt/venv /opt/venv
+
+# Set working directory
 WORKDIR /workspace
 
 # Default shell

renovate.json

@@ -0,0 +1,19 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    "renovatebot/renovate-config",
+    ":semanticCommitTypeAll(chore)"
+  ],
+  "automerge": true,
+  "automergeType": "branch",
+  "automergeStrategy": "rebase",
+  "commitBodyTable": true,
+  "ignoreTests": true,
+  "major": {
+    "automerge": false,
+    "dependencyDashboardApproval": true,
+    "commitMessagePrefix": "chore(deps-major): ",
+    "labels": ["dependencies", "breaking"]
+  }
+}