feat: add Dependabot configuration for automated Docker updates and update base image to Debian bookworm

hungrybluedev · hungrybluedev · commit 5a19ae78841f · 2025-11-26T11:02:44.000Z
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,34 @@
+# Dependabot configuration for automated version updates
+# Documentation: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+#
+# Best Practices:
+# - Dependabot always targets the default branch (main)
+# - PRs are created for version updates (never pushes directly)
+# - Use branch protection rules to prevent direct pushes to main
+# - Group updates to reduce PR noise
+
+version: 2
+updates:
+  # Update Docker base images (Debian)
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "saturday"
+      time: "05:22"
+      timezone: "UTC"
+    open-pull-requests-limit: 3
+    labels:
+      - "dependencies"
+      - "docker"
+      - "automated"
+    commit-message:
+      prefix: "docker"
+      include: "scope"
+    reviewers:
+      - "hungrybluedev"
+    # Group all Docker updates together
+    groups:
+      docker-images:
+        patterns:
+          - "*"
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,8 @@
-FROM debian:stable-slim
+# Pinned versions for reproducibility
+# Debian: https://hub.docker.com/_/debian (bookworm = Debian 12)
+# Node.js LTS: https://nodejs.org (v24.x = current LTS)
+# Docker CLI: Latest stable from official Docker repository
+FROM debian:bookworm-20241111-slim
 
 ENV DEBIAN_FRONTEND=noninteractive
 ENV AGENT_TOOLSDIRECTORY=/opt/hostedtoolcache
@@ -41,9 +45,9 @@ RUN install -m 0755 -d /etc/apt/keyrings && \
   apt-get install -y docker-ce-cli docker-buildx-plugin docker-compose-plugin && \
   echo "Docker CLI installed: $(docker --version)"
 
-# Install Node.js LTS
+# Install Node.js LTS (pinned version)
 RUN mkdir -p "$AGENT_TOOLSDIRECTORY/node" && \
-  NODE_VERSION=$(curl -s https://nodejs.org/dist/index.json | jq -r '[.[] | select(.lts != false)][0].version') && \
+  NODE_VERSION="v24.11.1" && \
   echo "Installing Node.js $NODE_VERSION" && \
   NODEPATH="$AGENT_TOOLSDIRECTORY/node/${NODE_VERSION:1}/x64" && \
   mkdir -p "$NODEPATH" && \
