From 03baee1b2c0e3489ed00737400fa6210e3fd3353 Mon Sep 17 00:00:00 2001 From: Albert Mavashev Date: Sat, 2 May 2026 22:03:11 -0400 Subject: [PATCH] fix(deps): patch Alpine packages to address gnutls CVE-2026-33845 Same fix as runcycles/cycles-server#145 and runcycles/cycles-server-events#54. Trivy on cycles-server-admin's image flagged the same gnutls 3.8.12-r0 HIGH/MEDIUM/LOW CVEs that affect every consumer of the upstream eclipse-temurin:21-jre-alpine tag at this point in time. 'apk upgrade --no-cache' closes the patch-level gap on every build, so future Alpine CVE patches are picked up without manual intervention. Unblocks PR #161 (which has been failing the pr-container-scan step for the same root cause). --- Dockerfile | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Dockerfile b/Dockerfile index 1121c84..c7f0293 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,6 +12,15 @@ RUN --mount=type=cache,target=/root/.m2/repository \ # ---- Runtime stage ---- FROM eclipse-temurin:21-jre-alpine +# Apply latest Alpine security patches over whatever ships in the upstream +# eclipse-temurin:21-jre-alpine layer. The temurin tag is a moving ref so a +# fresh build picks up older Alpine patch levels until temurin itself rebuilds; +# applying `apk upgrade` here closes that window every time we build. +# +# Concrete fix on this commit: gnutls 3.8.12-r0 -> 3.8.13-r0 (CVE-2026-33845 +# HIGH + 12 bundled gnutls CVEs all resolved by the same package bump). +RUN apk upgrade --no-cache + ARG APP_VERSION=0.0.0 LABEL org.opencontainers.image.title="cycles-server-admin" \
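Review bot: the new `RUN apk upgrade --no-cache` in the runtime stage makes the final package set depend on the Alpine mirror state at build time, so two builds of the same commit can produce different images; since the commit message already accepts that trade-off for automatic CVE pickup, consider pairing it with a digest-pinned `FROM eclipse-temurin:21-jre-alpine@sha256:<digest>` so the apk index is the only moving part, and have the build (or the existing pr-container-scan step) assert the expected outcome, e.g. `RUN apk upgrade --no-cache && apk info -v gnutls`, rather than relying on the hard-coded `3.8.12-r0 -> 3.8.13-r0` in the comment, which goes stale as soon as the upstream tag rebuilds or Alpine ships the next gnutls patch. The comment block is otherwise clear; the phrase "a fresh build picks up older Alpine patch levels" would read more precisely as "inherits whatever patch level the upstream layer was built with".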