rusackas opened a new pull request, #40426: URL: https://github.com/apache/superset/pull/40426
### SUMMARY

Adds a cron-triggered workflow that re-runs the Docker image build against the most-recent published release every Monday at 06:00 UTC (and on `workflow_dispatch` when an operator wants to force it).

The Superset code being built doesn't change — but the base image layers (`python:*-slim-trixie` and the Debian OS packages underneath) **do** receive upstream security patches between Superset releases. Without a rebuild, `apache/superset:<latest>` ships those CVEs unfixed for as long as the inter-release gap (typically 3–6 weeks).

### Why this approach over the alternatives

| Option | Problem |
|---|---|
| Tied to releases | Defeats the purpose — the gap we're trying to close *is* the inter-release window |
| Swap to Chainguard / distroless | Would also close the gap, but at the cost of a backward-incompatible package-manager change for downstream operators who extend `apache/superset:<tag>` with their own `apt install` lines for custom drivers |
| Daily cadence | Probably overkill — Debian's security tree updates on a roughly weekly rhythm |

### Implementation

Deliberately reuses the same `supersetbot docker` invocation as `tag-release.yml`:

- Same matrix of build presets (`dev`, `lean`, `py310`, `websocket`, `dockerize`, `py311`, `py312`)
- Same `--context release --context-ref <tag> --force-latest` flags
- Same checkout-by-release-tag, same multi-platform build

So the resulting tags are byte-equivalent to what a manual release dispatch would produce — only the base layer changes.

Concurrency group `docker-publish-latest-release` is shared with the release publisher so the two can't race each other on the Docker Hub push.

### Tag mutability note

The rebuild overwrites both the rolling tags (`apache/superset:latest`) **and** the version-specific tag of the latest release (e.g. `apache/superset:5.0.0`). This is intentional and matches how the upstream `python:*-slim-trixie` images themselves behave — version tags reflect content + latest patches, not a frozen SHA. Users who need a frozen reference should pin by image digest (`apache/superset@sha256:...`).

### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — CI configuration only.

### TESTING INSTRUCTIONS

After merge:

1. Trigger the workflow manually from the Actions tab (`Scheduled Docker image refresh` → "Run workflow") to confirm it picks up the latest release tag, builds all presets, and pushes successfully.
2. Inspect the resulting image on Docker Hub — the digest should differ from the previous build, but `docker run apache/superset:<tag> superset --help` (and equivalents) should behave identically.
3. Monitor the first scheduled run on the Monday after merge.

### ADDITIONAL INFORMATION

- [ ] Has associated issue:
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351))
  - [ ] Migration is atomic, supports rollback & is backwards-compatible
  - [ ] Confirm DB migration upgrade and downgrade tested
  - [ ] Runtime estimates and downtime expectations provided
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
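The tag-mutability note above puts the burden on downstream operators: once the weekly rebuild lands, `apache/superset:latest` and `apache/superset:5.0.0` silently point at a new manifest, and only a digest pin (`apache/superset@sha256:...`) stays frozen. The helper below is an added example, not code from this PR or from the Superset project. It parses OCI image references, rewrites the `image:` lines of a compose or Kubernetes style manifest to digest-pinned form, and reports when a pinned tag has since been overwritten. The registry lookup is abstracted as a callable `(name, tag) -> digest`; the `BEFORE`/`AFTER` tables and the sample manifest are constructed stand-ins for what `docker buildx imagetools inspect` would return, and the digests in them are not real.

```python
"""Digest-pinning helper for mutable Docker image tags.

Added example, not part of the Superset PR or the project's code. Registry
lookups are abstracted as a callable; the tables below are constructed
stand-ins with fake digests.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
_IMAGE_LINE_RE = re.compile(r"^(?P<indent>\s*image:\s*)(?P<ref>\S+)(?P<rest>.*)$")

Resolver = Callable[[str, str], Optional[str]]  # (name, tag) -> digest or None


@dataclass(frozen=True)
class ImageRef:
    name: str              # "apache/superset" or "localhost:5000/superset"
    tag: Optional[str]     # "5.0.0", "latest", or None
    digest: Optional[str]  # "sha256:<64 hex>" or None

    def __str__(self) -> str:
        out = self.name
        if self.tag:
            out += ":" + self.tag
        if self.digest:
            out += "@" + self.digest
        return out


def parse_ref(ref: str) -> ImageRef:
    """Split [registry/]repo[:tag][@sha256:...]. A colon is a tag separator only
    when it follows the last slash; before it, the colon is a registry port."""
    name, _, digest = ref.partition("@")
    if digest and not _DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    tag = None
    if name.rfind(":") > name.rfind("/"):
        name, tag = name.rsplit(":", 1)
    if not name:
        raise ValueError(f"empty image name in {ref!r}")
    return ImageRef(name, tag, digest or None)


def pin(ref: ImageRef, resolve: Resolver) -> ImageRef:
    """Freeze ref to the digest its tag resolves to right now. The tag is kept
    for readability; runtimes select by digest whenever one is present."""
    if ref.digest:
        return ref
    digest = resolve(ref.name, ref.tag or "latest")
    if digest is None:
        raise LookupError(f"cannot resolve {ref}")
    return ImageRef(ref.name, ref.tag, digest)


def drift(ref: ImageRef, resolve: Resolver) -> Optional[str]:
    """For a pinned ref that still carries a tag, return the digest the tag now
    points at if it differs from the pin (tag was overwritten), else None."""
    if not (ref.digest and ref.tag):
        return None
    current = resolve(ref.name, ref.tag)
    return current if current and current != ref.digest else None


def pin_manifest(text: str, resolve: Resolver) -> Tuple[str, List[str]]:
    """Rewrite every `image:` line to a digest-pinned reference. Images the
    resolver does not know are left untouched and returned for follow-up."""
    out, unresolved = [], []
    for line in text.splitlines():
        m = _IMAGE_LINE_RE.match(line)
        if m:
            ref = parse_ref(m.group("ref"))
            try:
                line = m.group("indent") + str(pin(ref, resolve)) + m.group("rest")
            except LookupError:
                unresolved.append(str(ref))
        out.append(line)
    return "\n".join(out) + "\n", unresolved


def table_resolver(table: Dict[Tuple[str, str], str]) -> Resolver:
    return lambda name, tag: table.get((name, tag))


# Constructed stand-ins (fake digests). Before the rebuild :latest and :5.0.0
# name one manifest (--force-latest); afterwards both move together.
BEFORE = table_resolver({
    ("apache/superset", "latest"): "sha256:" + "a" * 64,
    ("apache/superset", "5.0.0"): "sha256:" + "a" * 64,
})
AFTER = table_resolver({
    ("apache/superset", "latest"): "sha256:" + "b" * 64,
    ("apache/superset", "5.0.0"): "sha256:" + "b" * 64,
})

SAMPLE_COMPOSE = """\
services:
  superset:
    image: apache/superset:5.0.0
  worker:
    image: apache/superset:latest  # same manifest as 5.0.0 after --force-latest
  db:
    image: postgres:16
"""

if __name__ == "__main__":
    pinned, missing = pin_manifest(SAMPLE_COMPOSE, BEFORE)
    print(pinned)
    print("unresolved:", missing)
    for raw in ("apache/superset:5.0.0", "apache/superset:latest"):
        frozen = pin(parse_ref(raw), BEFORE)
        print(raw, "pinned to", frozen.digest[:19], "-> now", drift(frozen, AFTER))
```

Running `drift()` against the post-rebuild table is the check the testing instructions describe from the operator's side: the digest changes while the tag does not, so a pin recorded before the Monday run shows up as moved. Unresolved images (`postgres:16` in the constructed sample) are reported rather than silently left mutable, which is the case a pinning pass most often gets wrong.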
