feat: add support for Alpine packages updates

Author: ChristophShyper

.github/workflows/reusable-auto-pull-request-create.yml

@@ -138,16 +138,12 @@ jobs:
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
-      - name: Resolve CST image
+      - name: Get test image ref
         id: cst-image
         if: steps.cst-configs.outputs.has_tests == 'true'
         run: |
-          if task --list | grep -q "docker:image:test:ref"; then
-            IMAGE_REF="$(task docker:image:test:ref)"
-          else
-            VERSION="$(task version:get)"
-            IMAGE_REF="devopsinfra/${{ github.event.repository.name }}:${VERSION}-test"
-          fi
+          VERSION="$(task version:get)"
+          IMAGE_REF="devopsinfra/${{ github.event.repository.name }}:${VERSION}-test"
           echo "image=$IMAGE_REF" >> "$GITHUB_OUTPUT"
 
       - name: Run container structure tests

.github/workflows/reusable-cron-dependency-update.yml

@@ -145,17 +145,13 @@ jobs:
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
-      - name: Resolve CST image
+      - name: Get test image ref
         id: cst-image
         if: (inputs.profile == 'actions' || inputs.profile == 'dockerized') && steps.cst-configs.outputs.has_tests == 'true'
         continue-on-error: true
         run: |
-          if task --list | grep -q "docker:image:test:ref"; then
-            IMAGE_REF="$(task docker:image:test:ref)"
-          else
-            VERSION="$(task version:get)"
-            IMAGE_REF="devopsinfra/${{ github.event.repository.name }}:${VERSION}-test"
-          fi
+          VERSION="$(task version:get)"
+          IMAGE_REF="devopsinfra/${{ github.event.repository.name }}:${VERSION}-test"
           echo "image=$IMAGE_REF" >> "$GITHUB_OUTPUT"
 
       - name: Run container structure tests

.github/workflows/reusable-manual-release-create.yml

@@ -119,18 +119,14 @@ jobs:
             echo "EOF"
           } >> "$GITHUB_OUTPUT"
 
-      - name: Resolve CST image
+      - name: Get test image ref
         id: cst-image
         if: ${{ inputs.build-and-push-only && (inputs.profile == 'actions' || inputs.profile == 'dockerized') && steps.cst-configs.outputs.has_tests == 'true' }}
         env:
           VERSION_SUFFIX: ''
         run: |
-          if task --list | grep -q "docker:image:test:ref"; then
-            IMAGE_REF="$(task docker:image:test:ref)"
-          else
-            VERSION="$(task version:get)"
-            IMAGE_REF="devopsinfra/${{ github.event.repository.name }}:${VERSION}"
-          fi
+          VERSION="$(task version:get)"
+          IMAGE_REF="devopsinfra/${{ github.event.repository.name }}:${VERSION}"
           echo "image=$IMAGE_REF" >> "$GITHUB_OUTPUT"
 
       - name: Run container structure tests

Taskfile.cicd.yml

@@ -110,11 +110,6 @@ tasks:
           exit $rc
         fi
 
-  version:get:
-    desc: Get current version
-    cmds:
-      - echo "{{.VERSION}}"
-
   dependency:update:
     desc: Check main dependency not covered by dependabot
     cmds:
@@ -281,42 +276,7 @@ tasks:
       - git config user.name "github-actions[bot]"
       - git config user.email "github-actions[bot]@users.noreply.github.com"
 
-  sync:all:
-    desc: Sync all common files
-    cmds:
-      - task sync:configs
-      - task sync:ignores
-      - task sync:taskfiles
-
-  sync:configs:
-    desc: Sync configuration files with devops-infra/.github
-    cmds:
-      - |
-        echo "▶️ Syncing configuration files from devops-infra/.github..."
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.editorconfig -o ./.editorconfig
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.pre-commit-config.yaml -o ./.pre-commit-config.yaml
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.shellcheckrc -o ./.shellcheckrc
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.yamllint.yml -o ./.yamllint.yml
-        git add .editorconfig .pre-commit-config.yaml .shellcheckrc .yamllint.yml
-        echo "✅ Synced configuration files"
-
-  sync:ignores:
-    desc: Sync ignore files with devops-infra/.github
-    cmds:
-      - |
-        echo "▶️ Syncing ignore files from devops-infra/.github..."
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.gitignore -o ./.gitignore
-        git add .gitignore
-        echo "✅ Synced ignore files"
-
-  sync:taskfiles:
-    desc: Sync Taskfiles with devops-infra/.github
+  version:get:
+    desc: Get current version
     cmds:
-      - |
-        echo "▶️ Syncing Taskfiles from devops-infra/.github..."
-        curl -fsSL {{.TASKFILES_BASE_URL}}/Taskfile.yml -o ./Taskfile.yml
-        curl -fsSL {{.TASKFILES_BASE_URL}}/Taskfile.cicd.yml -o ./Taskfile.cicd.yml
-        curl -fsSL {{.TASKFILES_BASE_URL}}/Taskfile.scripts.yml -o ./Taskfile.scripts.yml
-        curl -fsSL {{.TASKFILES_BASE_URL}}/Taskfile.variables.yml -o ./Taskfile.variables.yml
-        git add Taskfile*.yml
-        echo "✅ Synced Taskfiles"
+      - echo "{{.VERSION}}"

Taskfile.yml

@@ -11,7 +11,6 @@ includes:
     taskfile: ./Taskfile.cicd.yml
     flatten: true
 
-
 tasks:
   default:
     desc: List tasks

templates/actions/configs/.dockerignore

@@ -2,6 +2,7 @@
 *
 
 # Include
+!alpine-packages.txt
 !Dockerfile
 !LICENSE
 !README.md

templates/actions/configs/alpine-packages.txt

@@ -0,0 +1 @@
+bash~=5.3

templates/actions/taskfiles/Taskfile.cicd.yml

@@ -90,11 +90,6 @@ tasks:
           exit $rc
         fi
 
-  version:get:
-    desc: Get current version
-    cmds:
-      - echo "{{.VERSION}}"
-
   dependency:update:
     desc: Check main dependency not covered by dependabot
     cmds:
@@ -272,44 +267,7 @@ tasks:
       - git config user.name "github-actions[bot]"
       - git config user.email "github-actions[bot]@users.noreply.github.com"
 
-  sync:all:
-    desc: Sync all common files
-    cmds:
-      - task sync:configs
-      - task sync:ignores
-      - task sync:taskfiles
-
-  sync:configs:
-    desc: Sync configuration files with devops-infra/.github
-    cmds:
-      - |
-        echo "▶️ Syncing configuration files from devops-infra/.github..."
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.editorconfig -o ./.editorconfig
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.hadolint.yaml -o ./.hadolint.yaml
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.pre-commit-config.yaml -o ./.pre-commit-config.yaml
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.shellcheckrc -o ./.shellcheckrc
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.yamllint.yml -o ./.yamllint.yml
-        git add .editorconfig .hadolint.yaml .pre-commit-config.yaml .shellcheckrc .yamllint.yml
-        echo "✅ Synced configuration files"
-
-  sync:ignores:
-    desc: Sync ignore files with devops-infra/.github
-    cmds:
-      - |
-        echo "▶️ Syncing ignore files from devops-infra/.github..."
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.gitignore -o ./.gitignore
-        curl -fsSL {{.CONFIGS_BASE_URL}}/.dockerignore -o ./.dockerignore
-        git add .gitignore .dockerignore
-        echo "✅ Synced ignore files"
-
-  sync:taskfiles:
-    desc: Sync Taskfiles with devops-infra/.github
+  version:get:
+    desc: Get current version
     cmds:
-      - |
-        echo "▶️ Syncing Taskfiles from devops-infra/.github..."
-        curl -fsSL {{.TASKFILES_BASE_URL}}/Taskfile.yml -o ./Taskfile.yml
-        curl -fsSL {{.TASKFILES_BASE_URL}}/Taskfile.cicd.yml -o ./Taskfile.cicd.yml
-        curl -fsSL {{.TASKFILES_BASE_URL}}/Taskfile.docker.yml -o ./Taskfile.docker.yml
-        curl -fsSL {{.TASKFILES_BASE_URL}}/Taskfile.variables.yml -o ./Taskfile.variables.yml
-        git add Taskfile*.yml
-        echo "✅ Synced Taskfiles"
+      - echo "{{.VERSION}}"

templates/actions/taskfiles/Taskfile.docker.yml

@@ -3,136 +3,3 @@ version: '3'
 silent: true
 
 tasks:
-  docker:image:test:ref:
-    desc: Print test image reference for CST
-    cmds:
-      - echo "{{.DOCKER_NAME}}:{{.VERSION_FULL}}{{.VERSION_SUFFIX}}"
-
-  docker:login:
-    desc: Login to hub.docker.com and ghcr.io
-    cmds:
-      - |
-        set -eu
-        docker_username='{{.DOCKER_USERNAME}}'
-        github_username='{{.GITHUB_USERNAME}}'
-        has_dockerhub=false
-        has_ghcr=false
-
-        if [ -n "$docker_username" ] && [ -n "${DOCKER_TOKEN:-}" ]; then
-          has_dockerhub=true
-        fi
-
-        if [ -n "$github_username" ] && [ -n "${GITHUB_TOKEN:-}" ]; then
-          has_ghcr=true
-        fi
-
-        if [ "$has_dockerhub" = false ] && [ "$has_ghcr" = false ]; then
-          echo "❌ No registry credentials provided. Set DOCKER_USERNAME/DOCKER_TOKEN or GITHUB_USERNAME/GITHUB_TOKEN."
-          exit 1
-        fi
-
-        if [ "$has_dockerhub" = true ]; then
-          echo "Logging into Docker Hub as $docker_username"
-          printf '%s' "${DOCKER_TOKEN}" | docker login -u "$docker_username" --password-stdin
-        else
-          echo "⚠️ Skipping Docker Hub login (missing DOCKER_USERNAME/DOCKER_TOKEN)"
-        fi
-
-        if [ "$has_ghcr" = true ]; then
-          echo "Logging into GHCR as $github_username"
-          printf '%s' "${GITHUB_TOKEN}" | docker login ghcr.io -u "$github_username" --password-stdin
-        else
-          echo "⚠️ Skipping GHCR login (missing GITHUB_USERNAME/GITHUB_TOKEN)"
-        fi
-
-  docker:cmds:
-    desc: Show full docker build command
-    cmds:
-      - echo -e '{{.DOCKER_BUILD_START}} {{.DOCKER_BUILD_FINISH}}' | {{.SED}} 's/--/ \\\n  --/g'
-
-  docker:build:
-    desc: Build Docker image
-    cmds:
-      - docker buildx create --use
-      - '{{.DOCKER_BUILD_START}} {{.DOCKER_BUILD_FINISH}}'
-
-  docker:build:inspect:
-    desc: Inspect built Docker image
-    cmds:
-      - |
-        image_inspect_out=$(docker image inspect {{.DOCKER_NAME}}:{{.VERSION_FULL}}{{.VERSION_SUFFIX}} | jq -r)
-        echo -e "\nℹ️ Docker image inspect:"
-        echo "$image_inspect_out" | jq
-
-  docker:push:
-    desc: Build and push Docker images
-    deps:
-      - task: docker:login
-    cmds:
-      - docker buildx create --use
-      - '{{.DOCKER_BUILD_START}} --push {{.DOCKER_BUILD_FINISH}}'
-
-  docker:push:inspect:
-    desc: Inspect built Docker image
-    cmds:
-      - |
-        set -eu
-        image="{{.DOCKER_NAME}}:{{.VERSION_FULL}}{{.VERSION_SUFFIX}}"
-
-        echo -e "\nℹ️ Trying local image inspect: $image"
-        set +e
-        image_inspect_out=$(docker image inspect "$image" 2>/dev/null || true)
-        rc=$?
-        set -e
-
-        # Validate that docker inspect returned a non-empty array with an Id
-        has_local=0
-        if [ "$rc" -eq 0 ] && [ -n "$image_inspect_out" ]; then
-          if echo "$image_inspect_out" | jq -e 'type=="array" and (length > 0) and \
-              (.[0].Id != null and .[0].Id != "")' >/dev/null 2>&1; then
-            has_local=1
-          fi
-        fi
-
-        if [ "$has_local" -eq 1 ]; then
-          echo -e "\n✅ Local image found. Docker image inspect:"
-          echo "$image_inspect_out" | jq
-          image_sha=$(echo "$image_inspect_out" | jq -r '.[0].Id // empty')
-          if [ -n "$image_sha" ]; then
-            echo -e "\nℹ️ Docker manifest inspect (local):"
-            docker manifest inspect "${image}@${image_sha}" | jq || true
-          fi
-          exit 0
-        fi
-
-        echo -e "\nℹ️ Local image not found or inspect returned empty; inspecting remote with buildx imagetools..."
-        set +e
-        raw=$(docker buildx imagetools inspect --raw "$image" 2>/dev/null || true)
-        set -e
-
-        if [ -z "$raw" ]; then
-          echo "❌ Failed to inspect remote image with buildx imagetools: $image"
-          exit 1
-        fi
-
-        echo -e "\n✅ Remote manifest/index (raw):"
-        echo "$raw" | jq
-
-        echo -e "\nℹ️ Attempting to pull and inspect per-platform manifests:"
-        echo "$raw" | jq -r '.manifests[]?.digest' | while IFS= read -r digest; do
-          if [ -z "$digest" ] || [ "$digest" = "null" ]; then
-            continue
-          fi
-          ref="${image%@*}@${digest}"
-          echo -e "\nℹ️ Pulling $ref (may fail for some registries)..."
-          set +e
-          docker pull "$ref" >/dev/null 2>&1 || true
-          pulled_rc=$?
-          set -e
-          if [ "$pulled_rc" -eq 0 ]; then
-            echo "ℹ️ Inspecting pulled image $ref"
-            docker image inspect "$ref" | jq || true
-          else
-            echo "⚠️ Could not pull $ref; skipping image inspect"
-          fi
-        done