release: 3.4.8

.github/renovate.json5

@@ -9,6 +9,7 @@
   schedule: ["before 8am on thursday"],
   branchPrefix: "renovate-",
   dependencyDashboardHeader: "View repository job log [here](https://app.renovatebot.com/dashboard#github/cmur2/dyndnsd).",
+  separateMinorPatch: true,
   commitMessagePrefix: "project: ",
   commitMessageAction: "update",
   commitMessageTopic: "{{depName}}",
@@ -19,6 +20,12 @@
       matchManagers: ["bundler"],
       enabled: false,
     },
+    // prevent minor updates to Alpine 3.14 due to https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.14.0#faccessat2
+    {
+      matchManagers: ["dockerfile"],
+      matchUpdateTypes: ["minor"],
+      enabled: false,
+    },
     // Commit message formats
     {
       matchDatasources: ["docker"],

.github/workflows/ci.yml

@@ -31,13 +31,3 @@ jobs:
     - name: Lint and Test
       run: |
         bundle exec rake ci
-
-    # https://github.com/marketplace/actions/build-and-push-docker-images
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v1
-
-    - name: Test building Docker image for dyndnsd
-      uses: docker/build-push-action@v2
-      with:
-        context: .
-        file: docker/ci/Dockerfile

.gitignore

@@ -3,3 +3,4 @@
 pkg/*
 .yardoc
 hadolint
+trivy

CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 3.4.8 (December 11th, 2021)
+
+OTHER:
+
+- re-release 3.4.7 to rebuild Docker image with security vulnerabilities fixes
+
+## 3.4.7 (November 19th, 2021)
+
+OTHER:
+
+- re-release 3.4.6 to rebuild Docker image with security vulnerabilities fixes
+
 ## 3.4.6 (November 19th, 2021)
 
 OTHER:

Rakefile

@@ -24,14 +24,32 @@ end
 # renovate: datasource=github-tags depName=hadolint/hadolint
 hadolint_version = 'v2.8.0'
 
-desc 'Run hadolint for Dockerfile linting'
-task :hadolint do
-  sh "wget -q -O ./hadolint https://github.com/hadolint/hadolint/releases/download/#{hadolint_version}/hadolint-Linux-x86_64"
-  sh 'chmod a+x ./hadolint'
-  sh './hadolint --ignore DL3018 docker/Dockerfile'
+# renovate: datasource=github-tags depName=aquasecurity/trivy
+trivy_version = 'v0.21.2'
+
+namespace :docker do
+  desc 'Lint Dockerfile'
+  task :lint do
+    sh "if [ ! -e ./hadolint ]; then wget -q -O ./hadolint https://github.com/hadolint/hadolint/releases/download/#{hadolint_version}/hadolint-Linux-x86_64; fi"
+    sh 'chmod a+x ./hadolint'
+    sh './hadolint --ignore DL3018 docker/Dockerfile'
+    sh './hadolint --ignore DL3018 --ignore DL3028 docker/ci/Dockerfile'
+  end
+
+  desc 'Build CI Docker image'
+  task :build do
+    sh 'docker build -t cmur2/dyndnsd:ci -f docker/ci/Dockerfile .'
+  end
+
+  desc 'Scan CI Docker image for vulnerabilities'
+  task :scan do
+    ver = trivy_version.gsub('v', '')
+    sh "if [ ! -e ./trivy ]; then wget -q -O - https://github.com/aquasecurity/trivy/releases/download/v#{ver}/trivy_#{ver}_Linux-64bit.tar.gz | tar -xzf - trivy; fi"
+    sh './trivy cmur2/dyndnsd:ci'
+  end
 end
 
 task default: [:rubocop, :spec, 'bundle:audit', :solargraph]
 
 desc 'Run all tasks desired for CI'
-task ci: ['solargraph:init', :default, :hadolint, :build]
+task ci: ['solargraph:init', :default, 'docker:lint', :build, 'docker:build']

docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13.6
+FROM alpine:3.13.7
 
 EXPOSE 5353 8080
 

docker/ci/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.13.6
+FROM alpine:3.13.7
 
 EXPOSE 5353 8080
 

lib/dyndnsd/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Dyndnsd
-  VERSION = '3.4.6'
+  VERSION = '3.4.8'
 end