ci: weekly scheduled container rebuild for fresh base layers #1374
Open
pjordanandrsn wants to merge 1 commit into matter-js:main from
Conversation
The python-matter-server container builds only on release: published, so the :stable tag drifts behind on python:3.12-slim-bookworm OS-package fixes between PyPI releases. A trivy scan on 2026-05-02 found 6 CRITICAL + 23 HIGH OS CVEs in :stable, all in slim-bookworm base packages. This adds a separate workflow that rebuilds weekly using the latest PyPI-published python-matter-server version. Independent of release.yml — never touches PyPI publishing or the version-validation logic. Existing release flow continues to work unchanged.
Motivation

The `ghcr.io/home-assistant-libs/python-matter-server` container is built and published only on `release: published` (via `release.yml`'s `build-and-push-container-image` job). Between releases, the `python:3.12-slim-bookworm` base accumulates security fixes that aren't picked up — the `:stable` tag drifts behind on OS-package CVEs.

Latest published image scanned with trivy on 2026-05-02:

All findings are in OS packages (libssl/libxml2/etc) shipped by the slim-bookworm base. Rebuilding the existing `Dockerfile` against current `python:3.12-slim-bookworm` reduces these to 0 HIGH/CRITICAL without any source change.

Change

Adds a new workflow `.github/workflows/rebuild-container.yml` that:
- `workflow_dispatch`
- `python-matter-server` version from PyPI (matches what `release.yml` does, just from a different signal)
- `pull: true` (forces fresh base) using the existing `Dockerfile`
- `:stable` (and `:major.minor.patch`/`:minor`/`:major`) — exactly the same set of tags `release.yml` produces

The new workflow is independent of `release.yml` — it never touches PyPI publishing or the version-validation logic. Tagged release publishes still work exactly as before.

Why a separate workflow

Adding `schedule:` directly to `release.yml` would also trigger the `build-and-publish-pypi` job, which has tag-format validation that would fail on a non-release-context run. A separate workflow avoids re-engineering that logic.

Verified locally

`docker build --pull --build-arg PYTHON_MATTER_SERVER=8.1.2 -t local/matter-server:rebuilt .` against current `python:3.12-slim-bookworm` → 0 HIGH/CRITICAL OS CVEs. Container starts clean, `Matter Server successfully initialized`.

Adjustments welcome
- `:stable` only if preferred)
- `latest` is always a stable release per your existing release flow)
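For readers who want to see the shape of the workflow the description above outlines, here is an illustrative `rebuild-container.yml`. It is an added example written for this page, not the file committed in the PR (which is not shown here) and not project code. Only the image name, the `python:3.12-slim-bookworm` base, the `PYTHON_MATTER_SERVER` build-arg, the "latest PyPI version" signal and the `:stable`/version tag set come from the description; the cron cadence, job and step names, the `rebuild-candidate` staging tag, the `X.Y.Z` version check and the trivy gate before pushing are assumptions added as the checks a reviewer would want. Action version tags are used for readability; in a real workflow they should be pinned to commit SHAs.

```yaml
# Illustrative .github/workflows/rebuild-container.yml (example, not the PR's file)
name: Weekly container rebuild

on:
  schedule:
    - cron: "0 4 * * 1"   # Mondays 04:00 UTC; the cadence is an assumption
  workflow_dispatch:

permissions:
  contents: read
  packages: write

env:
  IMAGE: ghcr.io/home-assistant-libs/python-matter-server

jobs:
  rebuild:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a commit SHA in production

      # Resolve the latest PyPI release and refuse anything that is not X.Y.Z,
      # so a pre-release or a malformed API response can never retag :stable.
      - name: Resolve latest python-matter-server version
        id: ver
        run: |
          set -euo pipefail
          version="$(curl -fsSL https://pypi.org/pypi/python-matter-server/json | jq -r '.info.version')"
          [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected version: $version" >&2; exit 1; }
          echo "version=$version"            >> "$GITHUB_OUTPUT"
          echo "major_minor=${version%.*}"   >> "$GITHUB_OUTPUT"
          echo "major=${version%%.*}"        >> "$GITHUB_OUTPUT"

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # --pull forces a fresh python:3.12-slim-bookworm even if the runner has a
      # cached copy; the Dockerfile itself is unchanged. The candidate tag is
      # local only and never pushed under that name.
      - name: Build against current base image
        env:
          VERSION: ${{ steps.ver.outputs.version }}
        run: |
          docker build --pull \
            --build-arg PYTHON_MATTER_SERVER="$VERSION" \
            -t "$IMAGE:rebuild-candidate" .

      # Gate: a rebuild that still carries HIGH/CRITICAL OS CVEs must not retag
      # :stable. ignore-unfixed is a choice: Debian frequently has CVEs with no
      # fix available, and without it the gate may never pass.
      - name: Scan candidate image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}:rebuild-candidate
          vuln-type: os
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"

      # Same tag set release.yml produces: stable, X.Y.Z, X.Y, X.
      - name: Push tags
        env:
          VERSION: ${{ steps.ver.outputs.version }}
          MAJOR_MINOR: ${{ steps.ver.outputs.major_minor }}
          MAJOR: ${{ steps.ver.outputs.major }}
        run: |
          set -euo pipefail
          for tag in stable "$VERSION" "$MAJOR_MINOR" "$MAJOR"; do
            docker tag "$IMAGE:rebuild-candidate" "$IMAGE:$tag"
            docker push "$IMAGE:$tag"
          done
```

Two points worth keeping in mind with this layout. First, because the version comes from PyPI rather than from a tag push, the regex check stands in for the tag-format validation that `release.yml` applies; without it a `rc` or malformed value would flow straight into the `:stable` tag. Second, the scan runs on the locally built candidate before any push, so a week where the base image has not yet picked up a fix leaves the previously published tags untouched instead of re-publishing a known-vulnerable image.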