Fix CVE-2026-22184 and auto-track base image tags in digest workflow (#21333)

* Fix CVE-2026-22184: bump Alpine-based Dockerfiles

This ensures the zlib
package is updated from 1.3.1-r2 to 1.3.2-r0, fixing CVE-2026-22184
detected by the daily vulnerability scan.

Co-authored-by: Ona <no-reply@ona.com>

* Add tag-based base image updates to digest workflow

The daily update-image-digest workflow only updated images pinned with
@sha256: digests. Dockerfiles using tag-based references like
node:22.22.0-alpine or caddy/caddy:2.11-alpine were not tracked,
causing them to go stale and accumulate vulnerabilities.

Add a new step that uses crane ls to find the latest patch release for
tracked base images (node, caddy/caddy) and updates FROM lines in
Dockerfiles accordingly.

Co-authored-by: Ona <no-reply@ona.com>

* Add apk upgrade --no-cache to Dockerfiles for immediate zlib fix

Base image tags (node:22.22.1-alpine, caddy/caddy:2.11.2-alpine) still
ship zlib 1.3.1-r2. The fix (1.3.2-r0) is available in Alpine repos but
the upstream images haven't been rebuilt yet. Running apk upgrade in the
Dockerfile ensures the fix is picked up at build time regardless.

This matches the existing pattern in ide-proxy and proxy Dockerfiles.

Co-authored-by: Ona <no-reply@ona.com>

---------

Co-authored-by: Ona <no-reply@ona.com>

Author: geropl

.github/workflows/update-image-digest.yml

@@ -72,6 +72,54 @@ jobs:
           sed -i -e "s/^\(\s*ImageDigest\s*=\s*\)\".*\"/\1\"$redisImageDigest\"/" install/installer/pkg/components/redis/constants.go
           sed -i -e "s/^\(\s*ExporterImageDigest\s*=\s*\)\".*\"/\1\"$redisExporterDigest\"/" install/installer/pkg/components/redis/constants.go
           go fmt install/installer/pkg/components/redis/constants.go
+      - name: Update base image tags in Dockerfiles
+        shell: bash
+        run: |
+          # Updates FROM lines in Dockerfiles that use tag-based references (not @sha256: pinned).
+          # For each tracked image, finds the latest patch release matching the same major.minor
+          # prefix and suffix, then updates all Dockerfiles that reference an older version.
+          #
+          # Entry format: "image|tag_grep_in_dockerfile|tag_ls_filter"
+          #   - image: the registry image name (e.g. "node", "caddy/caddy")
+          #   - tag_grep_in_dockerfile: grep -oP regex to extract the current tag from FROM lines
+          #   - tag_ls_filter: grep -E regex to filter crane ls output for candidate tags
+
+          declare -a TRACKED_IMAGES=(
+            "node|22\\.22\\.[0-9]+-alpine|^22\\.22\\.[0-9]+-alpine$"
+            "node|22\\.22\\.[0-9]+$|^22\\.22\\.[0-9]+$"
+            "caddy/caddy|2\\.11[0-9.]*-alpine|^2\\.11(\\.[0-9]+)?-alpine$"
+          )
+
+          for entry in "${TRACKED_IMAGES[@]}"; do
+            IFS='|' read -r image tag_grep tag_ls_filter <<< "$entry"
+            echo "Checking for updates: ${image} (filter: ${tag_ls_filter})"
+
+            # List all tags matching the pattern and pick the highest version
+            latest_tag=$(crane ls "$image" 2>/dev/null \
+              | grep -E "$tag_ls_filter" \
+              | sort -V \
+              | tail -1 || true)
+
+            if [ -z "$latest_tag" ]; then
+              echo "  No matching tags found, skipping"
+              continue
+            fi
+
+            echo "  Latest tag: ${image}:${latest_tag}"
+
+            # Escape slashes in image name for use in grep/sed
+            image_escaped="${image//\//\\/}"
+
+            # Find and update Dockerfiles with older versions of this image
+            while IFS= read -r -d '' file; do
+              current=$(grep -oP "(?<=FROM ${image_escaped}:)${tag_grep}" "$file" 2>/dev/null | head -1 || true)
+              if [ -n "$current" ] && [ "$current" != "$latest_tag" ]; then
+                echo "  Updating ${file}: ${image}:${current} -> ${image}:${latest_tag}"
+                sed -i "s|FROM ${image}:${current}|FROM ${image}:${latest_tag}|g" "$file"
+              fi
+            done < <(find "$(pwd)/components" -type f \( -name "Dockerfile*" -o -name "leeway.Dockerfile" \) -print0)
+          done
+
       - name: Check workspace
         id: create_pr
         shell: bash

components/dashboard/leeway.Dockerfile

@@ -22,7 +22,8 @@ COPY components-gitpod-protocol--gitpod-schema/gitpod-schema.json /www/static/sc
 FROM caddy:builder AS caddy-builder
 RUN xcaddy build v2.11.0-beta.2 --output /caddy
 
-FROM caddy/caddy:2.11-alpine
+FROM caddy/caddy:2.11.2-alpine
+RUN apk upgrade --no-cache
 
 COPY --from=caddy-builder /caddy /usr/bin/caddy
 COPY components-dashboard--static/conf/Caddyfile /etc/caddy/Caddyfile

components/gitpod-db/leeway.Dockerfile

@@ -17,12 +17,9 @@ FROM node:22.22.0-alpine as proxy
 RUN wget https://storage.googleapis.com/cloudsql-proxy/v1.37.6/cloud_sql_proxy.linux.amd64 -O /bin/cloud_sql_proxy \
  && chmod +x /bin/cloud_sql_proxy
 
-FROM node:22.22.0-alpine
-
-# Install bash
-RUN apk update && \
-    apk add bash && \
-    rm -rf /var/cache/apk/*
+FROM node:22.22.1-alpine
+RUN apk upgrade --no-cache \
+    && apk add --no-cache bash
 
 ENV NODE_OPTIONS=--unhandled-rejections=warn
 COPY migrate.sh /app/migrate.sh

components/server/leeway.Dockerfile

@@ -14,7 +14,8 @@ COPY components-server--app /installer/
 WORKDIR /app
 RUN /installer/install.sh
 
-FROM node:22.22.0-alpine
+FROM node:22.22.1-alpine
+RUN apk upgrade --no-cache
 ENV NODE_OPTIONS="--unhandled-rejections=warn --max_old_space_size=2048"
 
 EXPOSE 3000

components/ws-manager-bridge/leeway.Dockerfile

@@ -14,7 +14,8 @@ COPY components-ws-manager-bridge--app /installer/
 WORKDIR /app
 RUN /installer/install.sh
 
-FROM node:22.22.0-alpine
+FROM node:22.22.1-alpine
+RUN apk upgrade --no-cache
 ENV NODE_OPTIONS=--unhandled-rejections=warn
 EXPOSE 3000
 COPY --from=builder --chown=node:node /app /app/