From 1c509fe093eae7edf3807bd80b084b866ef82cbe Mon Sep 17 00:00:00 2001
From: Jordan Anderson
Date: Sat, 2 May 2026 23:36:43 -0500
Subject: [PATCH] ci: weekly scheduled rebuild of master container images
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently the four images published by docker.yml rebuild only when a new release is published. Between releases the :master tags drift behind on python:3.13 / debian-bookworm OS-package fixes — a trivy scan of the 2025-10-17 images on 2026-05-02 found 154 CRITICAL + 754 HIGH OS CVEs in each of ots_eud_handler{,_ssl}. Adding a 'schedule:' trigger lets the existing matrix run weekly so the :master tags stay current with base-layer fixes between releases. No source change, no application risk — same Dockerfiles, fresher base.
---
 .github/workflows/docker.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6258f9e9..7130fc88 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -4,6 +4,10 @@ on:
 release:
 types: [published]
 workflow_dispatch:
+ schedule:
+ # Weekly Sunday 04:00 UTC — rebuild :master with fresh base image to pick up
+ # security fixes in python:3.13 / debian-bookworm without waiting for a new release.
+ - cron: '0 4 * * 0'
 env:
 REGISTRY: ghcr.io
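Review bot: The new `schedule:` trigger only delivers the "fresh base image" the comment promises if the build step, which is outside this hunk, actually re-resolves `python:3.13` instead of reusing cached layers; confirm it sets `pull: true` on docker/build-push-action or does not restore a layer cache covering the `FROM` layer, otherwise the weekly job republishes the same base bits. Scheduled events run only against the repository's default branch, so the `:master` tag named in the comment is refreshed only if master is the default branch and the push/tag step is not gated on `github.event_name == 'release'` — the description's claim that the existing matrix runs unchanged depends on both, and neither is visible here. Since `:master` will now change weekly without a source commit, it is worth stating in the comment that consumers should pin by digest and that the job should keep emitting provenance/attestations so the drift stays attributable, e.g. `# NOTE: scheduled rebuilds change :master without a source change; pin by digest downstream.`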