chore(deps): update ubuntu docker tag to v26

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
ubuntu	final	major	24.04 → 26.04

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying control-layer with    Cloudflare Pages

Latest commit:	a2f8175
Status:	✅  Deploy successful!
Preview URL:	https://1f233a6b.control-layer.pages.dev
Branch Preview URL:	https://renovate-ubuntu-26-x.control-layer.pages.dev

View logs

[doubleword-code]

Summary

This PR updates the Ubuntu base image for the runtime stage from ubuntu:24.04 to ubuntu:26.04. This is a routine dependency update to keep the Docker image current.

Verdict: Ready to approve — the change is minimal and low-risk for this use case.

Research notes

• Ubuntu 26.04 availability: Confirmed available on Docker Hub with tag 26.04 (codename "resolute"), last updated 8 days ago. Multi-arch support confirmed (linux/amd64, linux/arm/v7, linux/arm64/v8).
• Runtime dependencies: The Dockerfile installs only ca-certificates, curl, libxml2, and tzdata — all standard packages available across Ubuntu versions.
• Build vs Runtime: The Rust binary is compiled in the builder stage and copied to the runtime container, so the runtime image doesn't need build toolchains or compatibility layers.
• Non-root user: The ubuntu user exists by default in official Ubuntu images, so line 64 (chown -R ubuntu:ubuntu) and line 67 (USER ubuntu) will continue to work.

Suggested next steps

1. Approve and merge — This is a low-risk update suitable for merging.
2. Optional validation — If not already covered by CI, consider verifying the multi-platform Docker build succeeds with the new base image (docker buildx bake as documented in CLAUDE.md).

General findings

No issues found. The change is a single-line version bump that follows best practices:

• Pinned to a specific minor version (26.04 rather than latest or rolling)
• Minimal runtime surface area (only essential packages installed)
• No breaking changes expected for the static Rust binary runtime

[doubleword-code]

Summary

This PR updates the Ubuntu base image in the Dockerfile from ubuntu:24.04 to ubuntu:26.04 (the latest LTS release codenamed "resolute"). This is a routine dependency update from Renovate.

Verdict: Ready to approve - this is a low-risk, standard LTS upgrade.

Research notes

• Fetched Docker Hub ubuntu page: Confirmed ubuntu:26.04 (resolute) is a valid official image released April 2026, and is now the latest and rolling tag target
• Ubuntu 26.04 is the current LTS release, succeeding 24.04 (noble)
• Per Docker Hub docs, the unminimize command was moved to a separate package starting in Ubuntu 24.10, but this Dockerfile doesn't use unminimize, so no impact

Suggested next steps

1. Approve and merge - No changes required. The single-line update is correct and follows standard practice for keeping base images current.
2. Optional follow-up: Consider whether the GitHub Actions runners (depot-ubuntu-24.04 in .github/workflows/release.yml and build-staging.yml) should eventually be updated to match, though this is not required since the runner OS only affects the build environment, not the final runtime image.

General findings

No issues found. The change is:

• Minimal scope: Only one line changed (the FROM directive)
• Low risk: Runtime dependencies (ca-certificates, curl, libxml2, tzdata) are standard packages available across Ubuntu versions
• Compatible: Node.js 20.x installation via nodesource works on Ubuntu 26.04
• No cascading changes needed: Workflow files use depot-ubuntu-24.04 runners for the build environment, which is independent of the runtime base image

[doubleword-code]

Summary

This PR updates the Docker runtime base image from Ubuntu 24.04 LTS to Ubuntu 26.04 LTS (Resolute Raccoon). Ubuntu 26.04 was released on April 23, 2026, and is a valid LTS release available on Docker Hub.

Verdict: Approve with verification recommended - this is a routine dependency update with low risk, but should be tested before merging to production.

Research notes

• Fetched Ubuntu Releases - confirmed Ubuntu 26.04 LTS (Resolute Raccoon) is an official release from April 2026
• Fetched Docker Hub ubuntu:26.04 tag - confirmed the image is published and available (last pushed 9 days ago)
• Fetched cargo-chef documentation - the builder stage uses lukemathwalker/cargo-chef:latest-rust-1.93.0-slim which is Debian bookworm-based; glibc backward compatibility ensures binaries built on older glibc work on newer Ubuntu versions

Suggested next steps

1. Test the Docker build locally to verify the build completes successfully with Ubuntu 26.04
2. Verify runtime dependencies - confirm ca-certificates, curl, libxml2, and tzdata install without issues on Ubuntu 26.04
3. Run integration tests against the new image to ensure no regressions
4. Consider updating CI runners (depot-ubuntu-24.04) to match the target runtime version in a follow-up PR for consistency (not blocking)

General findings

• Binary compatibility: The Rust binary is compiled in a Debian bookworm-based builder stage and copied to the Ubuntu 26.04 runtime. glibc maintains backward compatibility, so this is not a concern.
• CI workflow alignment: The GitHub Actions workflows (build-staging.yml:22, release.yml:10, release.yml:94) currently use depot-ubuntu-24.04 runners. This doesn't affect the Docker build output but could be updated for consistency in a separate PR.
• docker-compose: No changes needed - the compose files reference the built image, not the base OS version.

[doubleword-code]

Summary

This PR updates the Docker runtime base image from ubuntu:24.04 (Noble Numbat LTS) to ubuntu:26.04 (Resolute Raccoon LTS). The change is a single-line modification in the Dockerfile.

Verdict: Approved with minor consideration noted below.

Research notes

• Ubuntu 26.04 LTS status: Confirmed via Docker Hub that ubuntu:26.04 tag exists and is an official LTS release ("Resolute Raccoon"). The image was last pushed 9 days ago with multi-architecture support (amd64, arm/v7, arm64).

• Ubuntu release pattern: Per Wikipedia's Ubuntu version history, Ubuntu releases follow a predictable schedule where every fourth release (April of even-numbered years) is an LTS release with 5 years of standard support. Ubuntu 26.04 LTS follows this pattern.

• Package compatibility: The Dockerfile installs minimal runtime dependencies (ca-certificates, curl, libxml2, tzdata). These are core packages that remain available across LTS versions.

• CI/CD impact: GitHub Actions workflows use depot-ubuntu-24.04 as the runner OS, but this is independent of the Docker base image. The Docker build occurs within the runner environment.

Suggested next steps

1. Monitor initial deployments - Since Ubuntu 26.04 is a recent LTS release, monitor the first few production deployments for any unexpected behavior related to library versions or system calls.

2. Consider pinning to specific patch version - For production stability, consider pinning to a specific patch release (e.g., ubuntu:26.04 is fine, but you could also use ubuntu:noble if you want rolling patch updates within the LTS series, though 26.04 already does this).

General findings

No blocking issues identified. The change is low-risk because:

• The application is a statically-linked Rust binary (built in the builder stage)
• Runtime dependencies are minimal and well-established packages
• The Dockerfile doesn't rely on Ubuntu-specific behaviors that might differ between versions

One non-blocking observation: The GitHub Actions workflows reference depot-ubuntu-24.04 runners. While this doesn't affect the built image, teams sometimes prefer to keep CI runner versions aligned with the container base version for consistency during debugging. This is optional and not required for correctness.

[doubleword-code]

Summary

This PR updates the Docker runtime base image from ubuntu:24.04 (Noble) to ubuntu:26.04 (Resolute Raccoon), which is the current LTS release as of April 2026. The change is minimal and follows standard dependency update practices.

Verdict: Ready to approve - no blocking issues identified.

Research notes

• Ubuntu 26.04 LTS release page - Confirmed as official LTS release (Resolute Raccoon) published April 2026
• Docker Hub ubuntu tags - Verified ubuntu:26.04 tag exists with multi-arch support (amd64, arm64, arm32v7, ppc64le, riscv64, s390x)
• docker-library/ubuntu README - Documents supported tags including 26.04, resolute, and latest

Suggested next steps

1. Verify the built image works as expected - After merge, ensure the staging deployment runs correctly with the new base image (standard practice for any base OS change)
2. Monitor Grype security scan results - The CI pipeline includes vulnerability scanning; verify that moving to 26.04 doesn't introduce new vulnerabilities (though typically newer LTS images have fewer CVEs)

General findings

CI runner compatibility: The GitHub Actions workflows use depot-ubuntu-24.04-* runners (lines 12, 102, 195, etc. in .github/workflows/ci.yaml). These are the VM hosts that execute the build pipeline and are independent of the container base image. The Dockerfile's FROM ubuntu:26.04 only affects the production container, not the CI environment. No changes needed to CI configuration.

Dependency considerations: The runtime stage explicitly installs all required packages (ca-certificates, curl, libxml2, tzdata), so the image doesn't depend on implicit Ubuntu 24.04 defaults that might differ in 26.04.

Builder stage unaffected: The builder stage still uses cargo-chef:latest-rust-1.93.0-slim, which is appropriate since the Rust compilation environment is separate from the runtime container.

[doubleword-code]

Summary

This PR updates the Docker runtime base image from ubuntu:24.04 to ubuntu:26.04 (Resolute Raccoon), the latest LTS released in April 2026. This is a routine dependency update that brings security patches and updated system libraries to the production container.

Verdict: Approved — The change is straightforward and low-risk for this use case.

Research notes

• Fetched Ubuntu releases page confirming Ubuntu 26.04 LTS (Resolute Raccoon) was released April 23, 2026 and is under standard support
• Reviewed cargo-chef base image tags on Docker Hub — the builder stage uses Debian Trixie-based images, not Ubuntu
• The GitHub Actions workflows (build-staging.yml, release.yml) use depot-ubuntu-24.04 runners, but this doesn't affect the container base image

Key observations

1. Statically-linked binary: The Rust binary is compiled with musl/glibc statically linked (via SQLX_OFFLINE=true and standard Rust compilation), so runtime glibc version differences between the Debian Trixie builder and Ubuntu 26.04 runtime are not a concern.

2. Runtime dependencies are minimal: The runtime stage only installs ca-certificates, curl, libxml2, and tzdata — all standard packages available in Ubuntu 26.04.

3. Multi-platform builds: The Dockerfile targets linux/amd64,linux/arm64 via Depot — Ubuntu 26.04 has full support for both architectures.

4. Very new release: Ubuntu 26.04 was released ~3 weeks ago (April 23, 2026). While LTS releases are well-tested, there's inherent risk in adopting immediately. However, for a containerized Rust application with minimal runtime dependencies, this risk is low.

Suggested next steps

No changes required. This PR can be merged as-is. Consider monitoring the first few production deployments for any unexpected behavior related to library version changes (particularly libxml2 or glibc), though this is unlikely given the static nature of Rust binaries.

General findings

None — the single-line change is correct and appropriate.

[doubleword-code]

Summary

This PR updates the Docker runtime base image from ubuntu:24.04 to ubuntu:26.04 (Resolute Raccoon LTS, released April 2026). The change is straightforward and appropriate for keeping the production environment current.

Verdict: Needs minor consideration before approval - see environment consistency note below.

Research Notes

• Ubuntu 26.04 availability: Confirmed on Docker Hub - the 26.04 tag exists and was recently updated
• Release status: Ubuntu 26.04 LTS (Resolute Raccoon) was officially released on April 23, 2026
• Runtime dependencies: The Dockerfile installs minimal runtime deps (ca-certificates, curl, libxml2, tzdata) - all standard packages available in Ubuntu 26.04
• CI environment mismatch: All GitHub Actions workflows currently use depot-ubuntu-24.04 runners, meaning CI tests run on Ubuntu 24.04 while production uses Ubuntu 26.04

General Findings

Environment Consistency: There's a mismatch between the CI testing environment (Ubuntu 24.04) and the production Docker image (Ubuntu 26.04). For a Rust application with a statically-compiled binary, this risk is low, but differences in glibc and runtime libraries could theoretically cause issues that wouldn't be caught in CI.

Suggested mitigation: Consider adding a Docker build verification step in CI that actually builds the Dockerfile (which would use Ubuntu 26.04) and optionally runs a smoke test against the container.

Suggested Next Steps

1. Verify the Docker image builds successfully with Ubuntu 26.04 in your local/staging environment before deploying to production
2. Consider updating CI runners to Ubuntu 26.04 or adding a Docker build step to catch any image-specific issues

[doubleword-code]

Summary

This PR updates the Ubuntu base image from 24.04 (Noble Numbat) to 26.04 (Resolute Raccoon) in the production Dockerfile. Both are LTS releases with long-term support windows.

Verdict: Approved pending acknowledgment of the image size increase noted below.

Research notes

• Ubuntu 26.04 LTS release info: Released April 2026, with standard security maintenance until May 2031 and expanded security maintenance (ESM) until April 2036 [Ubuntu release cycle]
• Docker Hub availability: The ubuntu:26.04 tag is published and actively maintained (last pushed 10 days ago), supporting amd64, arm/v7, and arm64/v8 architectures [Docker Hub tags]
• Image size comparison:
  • ubuntu:24.04: ~28.36 MB (amd64)
  • ubuntu:26.04: ~39.63 MB (amd64)
  • This represents approximately an 11 MB (~40%) increase in base image size

Suggested next steps

1. Acknowledge the image size tradeoff: The newer base image is ~11MB larger. For most deployments this is negligible, but worth noting for high-scale container orchestration scenarios.

2. Verify runtime compatibility after merge: Once merged, ensure the built container runs correctly in your staging environment. The statically-linked Rust binary should have no issues, but confirm that the installed runtime dependencies (ca-certificates, curl, libxml2, tzdata) behave as expected.

General findings

No blocking issues identified. This is a routine dependency update following Ubuntu's standard LTS release cadence. The change aligns with best practices for keeping base images current with security patches and long-term support coverage.

[doubleword-code]

Non-blocking: Base image size increase consideration.

Why it matters: According to Docker Hub data, ubuntu:26.04 is approximately 39.63 MB (amd64) compared to ubuntu:24.04 at 28.36 MB—an ~11 MB (~40%) increase. While this is acceptable for most deployments, it's worth being aware of for environments with many containers or bandwidth-constrained deployments.

Suggested fix: No code change required. Simply acknowledge this tradeoff. The newer LTS version provides updated security patches and extends the support window through 2031 (standard) and 2036 (with ESM).