From fa4fe977cb38b4e08852e271d7fd9b654afed4d5 Mon Sep 17 00:00:00 2001 From: Jeremy Date: Sat, 23 May 2026 11:04:30 +0000 Subject: [PATCH] fix: force nightly Caddy rebuild through the correct cache key Ensure the nightly image does not reuse a stale Caddy builder layer, which was allowing the published image to keep reporting Caddy 2.11.2 even after the Dockerfile pin moved to 2.11.3. This change corrects the Buildx cache exclusion input so the nightly pipeline actually rebuilds the Caddy stage before publishing and scanning the image. That prevents the supply-chain checks and GitHub security reporting from being fed an outdated binary. --- .github/workflows/nightly-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml index d9c828f72..9dd03e066 100644 --- a/.github/workflows/nightly-build.yml +++ b/.github/workflows/nightly-build.yml @@ -226,7 +226,7 @@ jobs: ALPINE_IMAGE=${{ steps.alpine.outputs.image }} cache-from: type=gha cache-to: type=gha,mode=max - no-cache-filter: caddy-builder + no-cache-filters: caddy-builder provenance: true sbom: true