Thanks for the alert, I've published an updated image. Do you know a way to get notified when Tomcat update their images?

(We aren't using Docker images like this in production at GBIF.)

There used to be a setting in docker hub automated builds where you could link to another image, and updates to it would trigger a rebuild. Unfortunately, it looks like it was removed (docker/hub-feedback#1717).

Hi,
I propose to look at GitHub actions&Dependabot. As an example, let me provide this repository , the main idea is:

1. refer to the base image with tag including SHA https://github.com/krkabol/php-fpm-noroot-socket/blob/main/Dockerfile
2. setup Dependabot to regulary check updates of base image https://github.com/krkabol/php-fpm-noroot-socket/blob/main/.github/dependabot.yml. When new image is published, a Merge request is created.
3. and ideally stop publishing images manually and use GA to build&publish - https://github.com/krkabol/php-fpm-noroot-socket/blob/main/.github/workflows/publish.yml (publishing the image in GitHub registry, able to DockerHub also)

I can prepare pull request when interested

best
Petr

Thank you @krkabol

Yes please, feel free to submit a PR.

Note images aren't published manually, they are built by GBIF's Jenkins server: https://builds.gbif.org/job/ipt/

If you change that to use Github Actions, we'll need to work out the necessary authentication to update the images on docker.gbif.org, as well as hub.docker.com.

sorry, I've mixed two topics - point 1+2 target the "automated base image update checks" of this issue and I will focus on it in PR. For point 3 @MattBlissett:

You are right, I see now the build is done by Jenkins, not sure about publishing as two dependent but different stages. According to this note in the repository I got an impression that publishing to registries is not automated, which is what GA can combine very well (automated build + automated push). Compared to hook or trigger after push to the repository, GAs bring less complexity and more clarity and above all preserve the integrity of the code and its processing. If a change in code (or branch logic etc) requires a change in CI, these changes are bundled in one commit which is very advantageous compared to a detached Jenkins solution.

So much of my mental digression - I don't want to change your established practices by leaps and bounds, I'm just sharing my current positive experience where GA has dramatically transformed the availability of quality CI. Authentication to any registry is simple, just providing credentials as secrets.
best
P

Please see https://docs.renovatebot.com/docker/ - Dependabot and Renovate bot are doing the same job. The core solution is to include sha digest to the FROM cmd, using whichever bot.