devops-infra · ChristophShyper · Jun 4, 2026 · Jun 4, 2026
@@ -7,4 +7,4 @@
 !README.md
 !entrypoint.sh
 !scripts
-!pip
+!alpine-packages.txt
@@ -1,35 +1,41 @@
-FROM ubuntu:questing-20251217
+FROM alpine:3.23.4
 
-# Disable interactive mode
-ENV DEBIAN_FRONTEND=noninteractive
+ARG TARGETARCH
+ARG HUB_VERSION=2.14.2
 
 # Copy all needed files
 COPY entrypoint.sh /
 COPY scripts/ /scripts/
+COPY alpine-packages.txt /tmp/alpine-packages.txt
 
 # Install needed packages
-SHELL ["/bin/bash", "-euxo", "pipefail", "-c"]
-# hadolint ignore=DL3008
-RUN chmod +x /entrypoint.sh /scripts/replace-template-diff.sh /scripts/split_content_bytes.py ;\
-  apt-get update -y ;\
-  apt-get install --no-install-recommends -y \
-    curl \
-    gpg-agent \
-    software-properties-common ;\
-  echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections ;\
-  add-apt-repository ppa:git-core/ppa ;\
-  curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg ;\
-  chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg ;\
-  echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null ;\
-  apt-get update -y ;\
-  apt-get install --no-install-recommends -y \
-    git \
-    gh \
-    hub \
-    jq \
-    python3 ;\
-  apt-get clean ;\
-  rm -rf /var/lib/apt/lists/*
+SHELL ["/bin/sh", "-euxo", "pipefail", "-c"]
+# hadolint ignore=DL3018
+RUN set -eux; \
+  xargs -r apk add --no-cache < /tmp/alpine-packages.txt; \
+  chmod +x /entrypoint.sh /scripts/replace-template-diff.sh /scripts/split_content_bytes.py; \
+  targetarch="${TARGETARCH:-}"; \
+  if [ -z "${targetarch}" ]; then \
+    case "$(uname -m)" in \
+      x86_64) targetarch="amd64" ;; \
+      aarch64|arm64) targetarch="arm64" ;; \
+      *) echo "Unsupported host architecture: $(uname -m)"; exit 1 ;; \
+    esac; \
+  fi; \
+  case "${targetarch}" in amd64|arm64) ;; *) echo "Unsupported TARGETARCH: ${targetarch}"; exit 1 ;; esac; \
+  hub_archive="hub-linux-${targetarch}-${HUB_VERSION}.tgz"; \
+  hub_url="https://github.com/mislav/hub/releases/download/v${HUB_VERSION}/${hub_archive}"; \
+  curl -fsSL "${hub_url}" -o /tmp/hub.tgz; \
+  tar -xzf /tmp/hub.tgz -C /tmp; \
+  install -m 0755 "/tmp/hub-linux-${targetarch}-${HUB_VERSION}/bin/hub" /usr/bin/hub; \
+  gh --version; \
+  test -x /usr/bin/hub; \
+  git --version; \
+  jq --version; \
+  python3 --version; \
+  rm -rf /var/cache/*; \
+  rm -rf /root/.cache/*; \
+  rm -rf /tmp/*
 
 # Finish up
 WORKDIR /github/workspace

@@ -44,9 +44,9 @@ tasks:
       - task: scripts:lint:yamllint
 
   dependency:update:
-    desc: 'No-op: no dedicated dependency updater configured for this profile'
+    desc: Update repository dependencies not covered by Dependabot
     cmds:
-      - task: scripts:dependency:update
+      - task: scripts:packages:update
 
   version:set:
     desc: Update version in README.md and action.yml

@@ -75,12 +75,9 @@ tasks:
         fi
 
   dependency:update:
-    desc: 'No-op: no dedicated dependency updater configured for this profile'
+    desc: Update dependency metadata for this repository
     cmds:
-      - |
-        echo "INFO: No dedicated dependency updater configured for this repository profile."
-        echo "INFO: Dependabot handles GitHub Actions and package metadata updates."
-        echo "INFO: Keep this task as a safe no-op until a repo-specific dependency updater is defined."
+      - task: packages:update
 
   version:get:
     desc: Get current version
@@ -255,7 +252,22 @@ tasks:
           exit 0
         fi
 
-        base_image="$(sed -nE 's/^FROM[[:space:]]+([^[:space:]]+).*/\1/p' Dockerfile | head -1)"
+        base_image="$(awk '
+          toupper($1) == "FROM" {
+            i = 2
+            while (i <= NF && $i ~ /^--/) {
+              i++
+            }
+            if (i <= NF) {
+              image = $i
+            }
+          }
+          END {
+            if (image != "") {
+              print image
+            }
+          }
+        ' Dockerfile)"
         if [ -z "$base_image" ]; then
           echo "INFO: Could not resolve base image; nothing to update"
           exit 0
@@ -339,12 +351,16 @@ tasks:
           fi
 
           pkg="$(printf '%s' "$line" | sed -E 's/^([a-zA-Z0-9+_.-]+).*/\1/')"
+          search_pkg="$pkg"
+          if [ "$pkg" = "gh" ]; then
+            search_pkg="github-cli"
+          fi
           current_minor=""
           if printf '%s' "$line" | grep -Eq '^[a-zA-Z0-9+_.-]+(=~|~=)[0-9]+\.[0-9]+$'; then
             current_minor="$(printf '%s' "$line" | sed -E 's/^[a-zA-Z0-9+_.-]+(=~|~=)([0-9]+\.[0-9]+).*$/\2/')"
           fi
 
-          latest_full="$(lookup_latest "$pkg" || true)"
+          latest_full="$(lookup_latest "$search_pkg" || true)"
           if [ -z "$latest_full" ]; then
             echo "WARN: Could not resolve latest version for $pkg; keeping $line"
             echo "$line" >> "$tmp_out"

@@ -0,0 +1,6 @@
+bash~=5.3
+curl~=8.19
+github-cli~=2.83
+git~=2.52
+jq~=1.8
+python3~=3.12
@@ -4,25 +4,22 @@ commandTests:
   - name: OS version check
     command: cat
     args: [/etc/os-release]
-    expectedOutput: [VERSION_ID="25\.10"]
+    expectedOutput: [VERSION_ID=3\.23]
 
   - name: Required tools installed
     command: bash
     args:
       - -lc
       - command -v bash >/dev/null 2>&1 && command -v git >/dev/null 2>&1 && command -v gh >/dev/null 2>&1 && command -v hub >/dev/null 2>&1 && command -v jq >/dev/null 2>&1 && command -v curl >/dev/null 2>&1
 
-  - name: Apt cache cleaned
+  - name: Temporary and APK cache cleaned
     command: bash
     args:
       - -lc
-      - test ! -d /var/lib/apt/lists || test -z "$(find /var/lib/apt/lists -mindepth 1 -maxdepth 1 2>/dev/null)"
-
-  - name: Keyring file present
-    command: bash
-    args:
-      - -lc
-      - test -f /usr/share/keyrings/githubcli-archive-keyring.gpg
+      - >-
+        test ! -f /tmp/alpine-packages.txt &&
+        (test ! -d /var/cache/apk || test -z "$(find /var/cache/apk -mindepth 1 -maxdepth 1 2>/dev/null)") &&
+        (test ! -d /root/.cache || test -z "$(find /root/.cache -mindepth 1 -maxdepth 1 2>/dev/null)")
 fileExistenceTests:
   - name: entrypoint exists
     path: /entrypoint.sh