refresh release base image and actions

mark-e-deyoung · mark-e-deyoung · commit 8b93e6691fa3 · 2026-05-04T18:35:22.000+02:00
diff --git a/.github/workflows/approved-issues-only.yml b/.github/workflows/approved-issues-only.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Enforce invite-only issue participation
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const owner = context.repo.owner;
diff --git a/.github/workflows/approved-prs-only.yml b/.github/workflows/approved-prs-only.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Enforce invite-only PR participation
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             const owner = context.repo.owner;
diff --git a/.github/workflows/base-image.yml b/.github/workflows/base-image.yml
@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       base_version:
-        description: Base image version tag (e.g. base-2026-02-09)
+        description: Base image version tag (e.g. base-2026-05-04)
         required: true
       update_base_stable:
         description: Also move base-stable tag
@@ -26,9 +26,9 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 90
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
-      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -37,12 +37,15 @@ jobs:
       - name: Prepare base tags
         id: meta
         run: |
-          image="ghcr.io/${{ github.repository_owner }}/winebot-base"
+          owner_lc="$(printf '%s' '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')"
+          image="ghcr.io/${owner_lc}/winebot-base"
           version="${{ github.event.inputs.base_version }}"
           if [[ ! "$version" =~ ^[A-Za-z0-9._-]{1,128}$ ]]; then
             echo "Invalid base_version: $version" >&2
             exit 1
           fi
+          echo "image=${image}" >> "$GITHUB_OUTPUT"
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
           {
             echo "tags<<EOF"
             echo "${image}:${version}"
@@ -53,13 +56,39 @@ jobs:
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
-      - name: Build & push base-runtime
+      - name: Build base image for validation
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
+        with:
+          context: .
+          file: docker/base.Dockerfile
+          target: final
+          load: true
+          push: false
+          tags: winebot-base:${{ steps.meta.outputs.version }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Scan base image (Trivy)
+        run: |
+          mkdir -p "${GITHUB_WORKSPACE}/.cache/trivy"
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            -v "${GITHUB_WORKSPACE}/.cache/trivy:/root/.cache/trivy" \
+            aquasec/trivy:0.65.0 image \
+            --scanners vuln \
+            --format table \
+            --exit-code 1 \
+            --ignore-unfixed \
+            --severity CRITICAL,HIGH \
+            "winebot-base:${{ steps.meta.outputs.version }}"
+
+      - name: Build & push base image
         id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           context: .
-          file: docker/Dockerfile
-          target: base-ready
+          file: docker/base.Dockerfile
+          target: final
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           cache-from: type=gha
@@ -68,14 +97,15 @@ jobs:
           sbom: true
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@430b6a704fe0c92f1b1261d84376a900f38d90ff
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003
 
       - name: Sign base digest
         env:
+          IMAGE: ${{ steps.meta.outputs.image }}
           DIGEST: ${{ steps.build.outputs.digest }}
         run: |
           if [ -z "$DIGEST" ]; then
             echo "Missing base digest from build" >&2
             exit 1
           fi
-          cosign sign --yes "ghcr.io/${{ github.repository_owner }}/winebot-base@${DIGEST}"
+          cosign sign --yes "${IMAGE}@${DIGEST}"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -29,7 +29,7 @@ jobs:
     name: Pre-flight (Lint & Unit)
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Verify capability matrix references
         run: python3 scripts/ci/verify-capability-matrix.py
       - name: Build lint runner
diff --git a/.github/workflows/nightly-soak.yml b/.github/workflows/nightly-soak.yml
@@ -21,17 +21,17 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 90
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Build REL image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           context: .
           file: docker/Dockerfile
           target: intent-rel
           build-args: |
-            BASE_IMAGE=${{ vars.WINEBOT_BASE_IMAGE || 'ghcr.io/mark-e-deyoung/winebot-base:base-2026-02-09' }}
+            BASE_IMAGE=${{ vars.WINEBOT_BASE_IMAGE || 'ghcr.io/sempersupra/winebot-base:base-2026-05-04' }}
             BUILD_INTENT=rel
           load: true
           push: false
@@ -85,7 +85,7 @@ jobs:
           scripts/ci/generate-trust-pack.sh artifacts/trust-pack-nightly
 
       - name: Upload trust pack
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: trust-pack-nightly
           path: artifacts/trust-pack-nightly
@@ -118,7 +118,7 @@ jobs:
 
       - name: Upload failure diagnostics artifact
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: nightly-failure-diagnostics
           path: ${{ github.workspace }}/artifacts/nightly-failure
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
     timeout-minutes: 5
     steps:
       - name: Validate release guardrails
-        uses: actions/github-script@v7
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
         with:
           script: |
             if (context.eventName !== "release") {
@@ -101,8 +101,8 @@ jobs:
           sudo rm -rf "/usr/local/share/boost"
           sudo rm -rf /usr/share/swift
           df -h
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
-      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
       - name: Set image tags (REL)
         id: meta_rel
         run: |
@@ -179,20 +179,20 @@ jobs:
             echo "${image}:sha-${GITHUB_SHA::7}-rel-runner"
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
-      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build & push
         id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           context: .
           file: docker/Dockerfile
           target: intent-rel
           build-args: |
-            BASE_IMAGE=${{ vars.WINEBOT_BASE_IMAGE || 'ghcr.io/mark-e-deyoung/winebot-base:base-2026-02-13' }}
+            BASE_IMAGE=${{ vars.WINEBOT_BASE_IMAGE || 'ghcr.io/sempersupra/winebot-base:base-2026-05-04' }}
             BUILD_INTENT=rel
             VCS_REF=${{ github.sha }}
             BUILD_DATE=${{ github.run_id }}
@@ -205,13 +205,13 @@ jobs:
           sbom: true
       - name: Build & push REL-RUNNER
         id: build_runner
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           context: .
           file: docker/Dockerfile
           target: intent-rel-runner
           build-args: |
-            BASE_IMAGE=${{ vars.WINEBOT_BASE_IMAGE || 'ghcr.io/mark-e-deyoung/winebot-base:base-2026-02-13' }}
+            BASE_IMAGE=${{ vars.WINEBOT_BASE_IMAGE || 'ghcr.io/sempersupra/winebot-base:base-2026-05-04' }}
             BUILD_INTENT=rel-runner
             VCS_REF=${{ github.sha }}
             BUILD_DATE=${{ github.run_id }}
@@ -223,7 +223,7 @@ jobs:
           provenance: mode=max
           sbom: true
       - name: Install cosign
-        uses: sigstore/cosign-installer@430b6a704fe0c92f1b1261d84376a900f38d90ff
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003
       - name: Sign image digest (keyless OIDC)
         env:
           IMAGE: ${{ steps.meta_rel.outputs.image }}
@@ -261,7 +261,7 @@ jobs:
           sudo rm -rf /usr/share/swift
           df -h
       - name: Install cosign
-        uses: sigstore/cosign-installer@430b6a704fe0c92f1b1261d84376a900f38d90ff
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003
       - name: Verify signature
         env:
           IMAGE: ${{ needs.publish.outputs.image }}
diff --git a/.github/workflows/reusable-build-smoke-gate.yml b/.github/workflows/reusable-build-smoke-gate.yml
@@ -78,22 +78,22 @@ jobs:
           sudo rm -rf /usr/share/swift
           df -h
 
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
       - name: Verify capability matrix references
         if: ${{ inputs.verify_capability_matrix }}
         run: python3 scripts/ci/verify-capability-matrix.py
 
-      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Build image for validation
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
         with:
           context: .
           file: docker/Dockerfile
           target: ${{ inputs.image_target }}
           build-args: |
-            BASE_IMAGE=${{ vars.WINEBOT_BASE_IMAGE || 'ghcr.io/mark-e-deyoung/winebot-base:base-2026-02-13' }}
+            BASE_IMAGE=${{ vars.WINEBOT_BASE_IMAGE || 'ghcr.io/sempersupra/winebot-base:base-2026-05-04' }}
             BUILD_INTENT=${{ inputs.build_intent }}
             VCS_REF=${{ github.sha }}
             BUILD_DATE=${{ github.run_id }}
@@ -181,7 +181,7 @@ jobs:
 
       - name: Upload trust pack
         if: ${{ inputs.generate_trust_pack }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: ${{ inputs.trust_pack_artifact_name }}
           path: ${{ inputs.trust_pack_dir }}
diff --git a/README.md b/README.md
@@ -94,6 +94,12 @@ See [docs/feature-capability-commit-map.md](docs/feature-capability-commit-map.m
 Auto-generate a draft from recent commit subjects:
 `./scripts/wb feature-map 200`
 
+Daily status / handoff:
+
+See latest status note: [archive/status/STATUS-2026-03-12.md](archive/status/STATUS-2026-03-12.md)
+
+Status history: [archive/status/](archive/status/)
+
 Test capability coverage matrix:
 
 See [docs/test-capability-matrix.md](docs/test-capability-matrix.md).
@@ -139,7 +145,7 @@ Base runtime can be pinned independently:
 
 `BASE_IMAGE=ghcr.io/<owner>/winebot-base:<base-version>`
 
-CI/release builds read repository variable `WINEBOT_BASE_IMAGE` (fallback is `ghcr.io/SemperSupra/winebot-base:base-2026-02-09`).
+CI/release builds read repository variable `WINEBOT_BASE_IMAGE` (fallback is `ghcr.io/sempersupra/winebot-base:base-2026-05-04`).
 
 In `rel` and `rel-runner`, default logging is capped (`WARN`). Enable bounded support mode for triage:
 
diff --git a/compose/docker-compose.yml b/compose/docker-compose.yml
@@ -43,7 +43,7 @@ x-winebot-base: &winebot_base
     dockerfile: docker/Dockerfile
     target: intent-${BUILD_INTENT:-rel}
     args:
-      BASE_IMAGE: ${BASE_IMAGE:-ghcr.io/mark-e-deyoung/winebot-base:base-2026-02-13}
+      BASE_IMAGE: ${BASE_IMAGE:-ghcr.io/sempersupra/winebot-base:base-2026-05-04}
       VCS_REF: ${VCS_REF:-local}
       BUILD_DATE: ${BUILD_DATE:-local}
       SOURCE_REPO: ${SOURCE_REPO:-https://github.com/sempersupra/winebot}
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,5 +1,5 @@
-# Pinned to debian:trixie-slim as of 2026-02-08
-ARG BASE_IMAGE=ghcr.io/sempersupra/winebot-base:base-2026-02-13
+# Pinned to digest-based Debian Trixie base published by .github/workflows/base-image.yml.
+ARG BASE_IMAGE=ghcr.io/sempersupra/winebot-base:base-2026-05-04
 ARG VCS_REF=unknown
 ARG BUILD_DATE=unknown
 ARG SOURCE_REPO="https://github.com/SemperSupra/WineBot"
@@ -27,8 +27,8 @@ RUN bash /download_tool.sh "AutoHotkey" \
 
 FROM tool-base AS builder-python
 RUN bash /download_tool.sh "Python" \
-    "https://www.python.org/ftp/python/3.13.12/python-3.13.12-embed-amd64.zip" \
-    "76f238f606250c87c6beac75dccd35ee99070a13490555936abb6cb64ecce3d0" \
+    "https://www.python.org/ftp/python/3.13.13/python-3.13.13-embed-amd64.zip" \
+    "8766a8775746235e23cf5aee5027ab1060bb981d93110577adcf3508aa0cbd55" \
     "/opt/winebot/windows-tools/Python" \
     && find /opt/winebot/windows-tools -name "*.txt" -delete
 
@@ -53,8 +53,18 @@ RUN id -u winebot >/dev/null 2>&1 || useradd -m -u 1000 -s /bin/bash winebot \
 # Keep base OS packages at patched security levels for release gates.
 RUN apt-get update \
     && apt-get install -y --no-install-recommends --only-upgrade \
+      imagemagick \
+      imagemagick-7-common \
+      imagemagick-7.q16 \
+      libmagickcore-7.q16-10 \
+      libmagickwand-7.q16-10 \
+      libngtcp2-16 \
       libpng16-16t64 \
+      libssl3t64 \
+      libtiff6 \
       libvpx9 \
+      openssl \
+      openssl-provider-legacy \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
diff --git a/docker/base.Dockerfile b/docker/base.Dockerfile
@@ -1,19 +1,19 @@
 # WineBot Base Image
-# Contains: Debian Trixie + Wine 10.0 + Xvfb + Python + Pre-warmed Prefix
-ARG BASE_IMAGE=debian:trixie-slim
+# Contains: digest-pinned Debian Trixie slim + Wine/X11/Python runtime + pre-warmed prefix.
+ARG BASE_IMAGE=debian@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a
 
 FROM ${BASE_IMAGE} AS base-system
 ENV DEBIAN_FRONTEND=noninteractive
 
-# 1. System Dependencies (Wine, X11, Python)
+# 1. Minimal runtime dependencies (Wine, X11 automation, recording, diagnostics).
 RUN if [ -f /etc/apt/sources.list ]; then \
         sed -i 's/ main/ main contrib non-free non-free-firmware/' /etc/apt/sources.list; \
     elif [ -f /etc/apt/sources.d/debian.sources ]; then \
         sed -i 's/Components: main/Components: main contrib non-free non-free-firmware/' /etc/apt/sources.d/debian.sources; \
     fi \
     && dpkg --add-architecture i386 \
     && apt-get update \
-    && apt-get -y upgrade \
+    && apt-get -y --with-new-pkgs upgrade \
     && apt-get install -y --no-install-recommends \
         wine wine64 wine32 cabextract \
         xvfb xauth xdotool wmctrl xinput \
@@ -22,6 +22,7 @@ RUN if [ -f /etc/apt/sources.list ]; then \
         imagemagick x11-utils procps ffmpeg \
         ca-certificates curl gosu unzip \
         python3 python3-pip gdb \
+    && apt-get -y --with-new-pkgs upgrade \
     && curl -sL -o /usr/local/bin/winetricks https://raw.githubusercontent.com/Winetricks/winetricks/20260125/src/winetricks \
     && chmod +x /usr/local/bin/winetricks \
     && apt-get clean && rm -rf /var/lib/apt/lists/*
diff --git a/requirements/requirements-devtest.txt b/requirements/requirements-devtest.txt
@@ -1,3 +1,3 @@
 # Extra Python dependencies for DEV/TEST intents (runtime deps come from requirements-rel.txt)
-pytest==9.0.2
+pytest==9.0.3
 openapi-spec-validator==0.7.2
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
diff --git a/scripts/ci/check-rel-forbidden.sh b/scripts/ci/check-rel-forbidden.sh
diff --git a/tests/e2e/requirements.txt b/tests/e2e/requirements.txt
diff --git a/tests/test_build_intent_policy.py b/tests/test_build_intent_policy.py
