fix: update Docker base images to Trixie and force pull latest images in nightly builds

[vjgit96]

Description

Updates Docker base images to Debian Trixie and adds pull: true to nightly build workflow to resolve CVE vulnerabilities.

This PR is created directly from main branch (not cherry-picked) to avoid future merge conflicts.

Changes

1. Dockerfile Updates (5 files)

• Builder stage: ghcr.io/astral-sh/uv:python3.12-bookworm-slim → ghcr.io/astral-sh/uv:python3.12-trixie-slim
• Runtime stage: python:3.12.13-slim-trixie → python:3.12-slim-trixie (unpinned for latest patches)

Files updated:

• docker/build_and_push_base.Dockerfile
• docker/build_and_push.Dockerfile
• docker/build_and_push_backend.Dockerfile
• docker/build_and_push_with_extras.Dockerfile
• docker/build_and_push_ep.Dockerfile

2. Workflow Update

• Added pull: true to 6 Docker build steps in .github/workflows/docker-nightly-build.yml
• Forces Docker to pull latest base images instead of using cached layers
• Ensures Trixie images are used even if Bookworm layers are cached

Why Both Changes Are Needed

1. Dockerfiles: Update references from Bookworm to Trixie (newer Debian stable)
2. Workflow: Force pull ensures we get latest Trixie images, not cached Bookworm layers
3. Main branch: Scheduled nightly builds run from main, so changes must be here

Testing

• Wait for tonight's scheduled nightly build (00:00 UTC)
• Verify CVE count reduction via Docker Scout scan
• Expected: ~124 CVEs → ~40-60 CVEs

Future Work (Phase 2)

As noted by @jordanrfrazier in #13014, we should eventually:

1. Pin to specific Python patch version (e.g., python:3.12.15-slim-trixie)
2. Remove pull: true from workflow (makes builds faster and more predictable)
3. Update pinned versions quarterly as part of maintenance

This PR is Phase 1 (temporary fix with pull: true). Phase 2 will come ~2 weeks after CVEs are confirmed fixed.

Related

• Similar changes on release-1.10.0: fix: update Docker base images to latest Python 3.12 and Debian Trixie to resolve CVEs #12990, fix: force pull latest base images in Docker nightly builds #13014
• This PR created fresh from main to avoid merge conflicts when release-1.10.0 merges back

Summary by CodeRabbit

Release Notes

• Chores
  • Updated container runtime environments and build images to the latest stable versions for enhanced reliability, security, and deployment consistency
  • Optimized the automated build and deployment process with improved image layer caching, resulting in faster build times and more efficient deployments
  • Modernized underlying system and Python dependencies across containerized environments

[coderabbitai]

Walkthrough

This PR adds the pull: true option to Docker build actions in the nightly build workflow to ensure fresh base images are pulled, and updates all Dockerfiles to use Debian Trixie-based builder images (replacing Bookworm variants) and unpinned Python runtime images (removing patch version pins).

Changes

Workflow Build Action Configuration

Layer / File(s)	Summary
Build Action Parameter .github/workflows/docker-nightly-build.yml	pull: true is added to docker/build-push-action@v6 configurations in 6 build steps across nightly-base, nightly-main, and nightly-main-all builds (both Docker Hub and GHCR registries).

Dockerfile Base Image Updates

Layer / File(s)	Summary
Builder Stage Images docker/build_and_push*.Dockerfile	Builder stage base image is updated from ghcr.io/astral-sh/uv:python3.12-bookworm-slim to ghcr.io/astral-sh/uv:python3.12-trixie-slim across all five Dockerfiles.
Runtime Stage Images docker/build_and_push*.Dockerfile	Runtime stage base image is updated from python:3.12.13-slim-trixie to python:3.12-slim-trixie (removing patch version pin) across all five Dockerfiles. No build steps, dependency installation, or runtime commands are modified.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 9

✅ Passed checks (9 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: updating Docker base images from Bookworm to Trixie and adding pull: true to force latest image pulls in nightly builds.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Test Coverage For New Implementations	✅ Passed	PR changes only Docker base images and CI workflow configuration. No new application code, functionality, or components introduced—test coverage check not applicable.
Test Quality And Coverage	✅ Passed	Infrastructure-only changes (Docker base images, CI/CD flags). No new code implementations requiring tests.
Test File Naming And Structure	✅ Passed	Check not applicable. PR only modifies Docker base images and GitHub Actions workflow. No test files added, modified, or deleted.
Excessive Mock Usage Warning	✅ Passed	Custom check for "Excessive Mock Usage Warning" is not applicable to this PR. The PR only modifies Docker base images and workflow configurations; it contains no test files or mock usage changes.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/docker-trixie-and-pull-latest-main

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker/build_and_push_ep.Dockerfile`:
- Line 12: The comment about using python:3.12.3-slim is stale relative to the
actual Docker FROM line (FROM ghcr.io/astral-sh/uv:python3.12-trixie-slim AS
builder); update or remove that rationale so it reflects the current base image
(ghcr.io/astral-sh/uv:python3.12-trixie-slim) and, if keeping a note, explain
why this uv-based image is preferred vs. python:3.12.3-slim to avoid future
confusion.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dcacba8c-d5ae-4537-8d9a-b4b79f790b2e

📥 Commits

Reviewing files that changed from the base of the PR and between f08885f and 08328ff.

📒 Files selected for processing (6)

• .github/workflows/docker-nightly-build.yml
• docker/build_and_push.Dockerfile
• docker/build_and_push_backend.Dockerfile
• docker/build_and_push_base.Dockerfile
• docker/build_and_push_ep.Dockerfile
• docker/build_and_push_with_extras.Dockerfile

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update stale base-image rationale comment near Line 12.

The note says to use python:3.12.3-slim, but the build now uses ghcr.io/astral-sh/uv:python3.12-trixie-slim. Please update/remove that note to avoid future confusion.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docker/build_and_push_ep.Dockerfile` at line 12, The comment about using
python:3.12.3-slim is stale relative to the actual Docker FROM line (FROM
ghcr.io/astral-sh/uv:python3.12-trixie-slim AS builder); update or remove that
rationale so it reflects the current base image
(ghcr.io/astral-sh/uv:python3.12-trixie-slim) and, if keeping a note, explain
why this uv-based image is preferred vs. python:3.12.3-slim to avoid future
confusion.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.99%. Comparing base (f08885f) to head (08328ff).

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #13015      +/-   ##
==========================================
- Coverage   53.02%   52.99%   -0.04%     
==========================================
  Files        2031     2031              
  Lines      183971   183971              
  Branches    26213    26213              
==========================================
- Hits        97545    97488      -57     
- Misses      85318    85375      +57     
  Partials     1108     1108              

Flag	Coverage Δ
backend	56.19% <ø> (-0.10%)	⬇️
frontend	52.90% <ø> (-0.03%)	⬇️
lfx	50.21% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.
see 40 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Frontend Unit Test Coverage Report

Coverage Summary

Lines	Statements	Branches	Functions
	35.26% (40427/114627)	68.08% (5580/8196)	35.87% (940/2620)

Unit Test Results

Tests	Skipped	Failures	Errors	Time
4007	0 💤	0 ❌	0 🔥	8m 15s ⏱️