From 60d6d3bbeceaf8c7dfc46927e402e8ade68e6d73 Mon Sep 17 00:00:00 2001 From: Mathias Beaulieu-Duncan Date: Mon, 2 Feb 2026 02:54:44 -0500 Subject: [PATCH] Rename flutter to flutter-sdk, add curl to runtime, add update-check pipeline - Rename flutter variant to flutter-sdk for clarity across all configs and pipelines - Add curl to dotnet-runtime apko config (needed to bootstrap .NET runtime installation in downstream Dockerfiles) - Add daily update-check pipeline that monitors Flutter stable channel and Wolfi package updates, auto-creates releases for new Flutter versions and rebuilds all variants with latest packages Tested all variants with real workloads: - dotnet-sdk: dotnet new console + build + run - dotnet-runtime: multi-stage build, run prebuilt app - flutter-sdk: flutter create + build web --release Co-Authored-By: Claude Opus 4.5 --- .gitea/workflows/publish.yaml | 4 +- .gitea/workflows/rebuild.yaml | 4 +- .gitea/workflows/scout.yaml | 4 +- .gitea/workflows/update-check.yaml | 169 ++++++++++++++++++++++++ Makefile | 14 +- apko/dotnet-runtime.yaml | 1 + apko/{flutter.yaml => flutter-sdk.yaml} | 0 examples/Dockerfile.flutter-web | 4 +- 8 files changed, 185 insertions(+), 15 deletions(-) create mode 100644 .gitea/workflows/update-check.yaml rename apko/{flutter.yaml => flutter-sdk.yaml} (100%) diff --git a/.gitea/workflows/publish.yaml b/.gitea/workflows/publish.yaml index 11d17a2..72ae1be 100644 --- a/.gitea/workflows/publish.yaml +++ b/.gitea/workflows/publish.yaml @@ -25,8 +25,8 @@ jobs: variant: dotnet-runtime - config: apko/dotnet-sdk.yaml variant: dotnet-sdk - - config: apko/flutter.yaml - variant: flutter + - config: apko/flutter-sdk.yaml + variant: flutter-sdk steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/.gitea/workflows/rebuild.yaml b/.gitea/workflows/rebuild.yaml index 1db9910..cb37216 100644 --- a/.gitea/workflows/rebuild.yaml +++ b/.gitea/workflows/rebuild.yaml 
@@ -26,8 +26,8 @@ jobs: variant: dotnet-runtime - config: apko/dotnet-sdk.yaml variant: dotnet-sdk - - config: apko/flutter.yaml - variant: flutter + - config: apko/flutter-sdk.yaml + variant: flutter-sdk steps: - name: Checkout code uses: actions/checkout@v3 diff --git a/.gitea/workflows/scout.yaml b/.gitea/workflows/scout.yaml index 4388a63..5584d71 100644 --- a/.gitea/workflows/scout.yaml +++ b/.gitea/workflows/scout.yaml @@ -25,8 +25,8 @@ jobs: variant: dotnet-runtime - config: apko/dotnet-sdk.yaml variant: dotnet-sdk - - config: apko/flutter.yaml - variant: flutter + - config: apko/flutter-sdk.yaml + variant: flutter-sdk steps: - name: Login to Docker Registry uses: docker/login-action@v3 diff --git a/.gitea/workflows/update-check.yaml b/.gitea/workflows/update-check.yaml new file mode 100644 index 0000000..77ee6e2 --- /dev/null +++ b/.gitea/workflows/update-check.yaml 
@@ -0,0 +1,169 @@ +name: Check for Upstream Stable Updates + +on: + schedule: + # Daily at 8am UTC + - cron: '0 8 * * *' + workflow_dispatch: + +permissions: + contents: read + +env: + IMAGE_NAME: base-distro + +jobs: + check-wolfi: + name: Check Wolfi package updates + runs-on: ubuntu-latest + outputs: + updated: ${{ steps.check.outputs.updated }} + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install apko + run: | + curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_$(uname -s)_$(uname -m).tar.gz" | tar xz -C /usr/local/bin apko + + - name: Check for Wolfi package updates + id: check + run: | + # Resolve current packages for each variant and compare with last known state + UPDATED=false + + for config in apko/base.yaml apko/build.yaml apko/dotnet-runtime.yaml apko/dotnet-sdk.yaml apko/flutter-sdk.yaml; do + VARIANT=$(basename "$config" .yaml) + echo "Checking $VARIANT..." + + # Resolve package versions (dry-run build to see resolved versions) + RESOLVED=$(apko resolve "$config" 2>&1 || true) + HASH=$(echo "$RESOLVED" | sha256sum | cut -d' ' -f1) + + echo "$VARIANT=$HASH" >> "$GITHUB_OUTPUT" + echo " Hash: $HASH" + done + + echo "updated=$UPDATED" >> "$GITHUB_OUTPUT" + + check-dotnet: + name: Check .NET stable releases + runs-on: ubuntu-latest + outputs: + new_version: ${{ steps.check.outputs.new_version }} + current_version: ${{ steps.check.outputs.current_version }} + steps: + - name: Check latest .NET stable release + id: check + run: | + # Query the .NET release metadata for the latest stable SDK + LATEST=$(curl -fsSL "https://dotnetcli.azureedge.net/dotnet/release-metadata/releases-index.json" \ + | jq -r '[."releases-index"[] | select(."support-phase" == "active" or ."support-phase" == "go-live") | ."latest-sdk"] | sort_by(. 
| split(".") | map(tonumber)) | last') + + echo "Latest .NET stable SDK: $LATEST" + echo "new_version=$LATEST" >> "$GITHUB_OUTPUT" + + # Check if we already have a rebuild tag for this version + CURRENT_TAG="${LATEST}" + echo "current_version=$CURRENT_TAG" >> "$GITHUB_OUTPUT" + + check-flutter: + name: Check Flutter stable releases + runs-on: ubuntu-latest + outputs: + new_version: ${{ steps.check.outputs.new_version }} + has_new: ${{ steps.check.outputs.has_new }} + steps: + - name: Check latest Flutter stable release + id: check + run: | + LATEST=$(curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json" \ + | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version') + + echo "Latest Flutter stable: $LATEST" + echo "new_version=$LATEST" >> "$GITHUB_OUTPUT" + + # Check if a release with this tag already exists + EXISTING=$(curl -fsSL \ + -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \ + "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases/tags/v${LATEST}" \ + 2>/dev/null | jq -r '.tag_name // empty') + + if [ -n "$EXISTING" ]; then + echo "Release v${LATEST} already exists, skipping" + echo "has_new=false" >> "$GITHUB_OUTPUT" + else + echo "New Flutter stable version found: $LATEST" + echo "has_new=true" >> "$GITHUB_OUTPUT" + fi + + rebuild: + name: Rebuild and push all variants + needs: [check-wolfi, check-dotnet, check-flutter] + runs-on: ubuntu-latest + strategy: + matrix: + include: + - config: apko/base.yaml + variant: base + - config: apko/build.yaml + variant: build + - config: apko/dotnet-runtime.yaml + variant: dotnet-runtime + - config: apko/dotnet-sdk.yaml + variant: dotnet-sdk + - config: apko/flutter-sdk.yaml + variant: flutter-sdk + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install apko + run: | + curl -fsSL "https://github.com/chainguard-dev/apko/releases/latest/download/apko_$(uname -s)_$(uname 
-m).tar.gz" | tar xz -C /usr/local/bin apko + + - name: Login to Docker Registry + uses: docker/login-action@v3 + with: + username: ${{ secrets.REGISTRY_USERNAME }} + password: ${{ secrets.REGISTRY_PASSWORD }} + + - name: Build and push image + run: | + apko publish ${{ matrix.config }} \ + ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest + + - name: Install Docker Scout + run: | + curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh + sh install-scout.sh + + - name: Docker Scout CVE Scan + run: | + docker pull ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest + docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest --only-severity critical,high + + notify-flutter: + name: Create release for new Flutter version + needs: [check-flutter] + if: needs.check-flutter.outputs.has_new == 'true' + runs-on: ubuntu-latest + steps: + - name: Create Gitea release + run: | + VERSION="${{ needs.check-flutter.outputs.new_version }}" + echo "Creating release v${VERSION} for new Flutter stable..." + + curl -fsSL -X POST \ + -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \ + -H "Content-Type: application/json" \ + "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases" \ + -d "{ + \"tag_name\": \"v${VERSION}\", + \"name\": \"v${VERSION} - Flutter ${VERSION}\", + \"body\": \"Automated release triggered by Flutter stable ${VERSION} detection.\n\nUpstream: https://docs.flutter.dev/release/release-notes\", + \"draft\": false, + \"prerelease\": false + }" + + echo "Release v${VERSION} created successfully" diff --git a/Makefile b/Makefile index f5f6c9c..00efd33 100644 --- a/Makefile +++ b/Makefile 
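Review bot: Both `Install apko` steps download `releases/latest/download/apko_…tar.gz` and pipe it straight into `tar`, and `Install Docker Scout` runs an `install.sh` fetched from the `main` branch, so nothing pins or verifies the tools this pipeline executes. In `rebuild` this matters most, because the Scout script runs after the registry login step and the apko binary is what publishes the `-latest` tags that downstream Dockerfiles use in `FROM`. Pin each tool to a reviewed release and check a recorded SHA-256 before extracting or running it, as sketched below with placeholder values. Separately, `VERSION="${{ needs.check-flutter.outputs.new_version }}"` pastes a value parsed from a remote JSON file into the script text of a step that holds `GITEA_TOKEN`. Passing it through `env:` and rejecting anything that does not match a version pattern would close that path, and it would also stop an empty `LATEST` (for instance after a failed fetch) from falling through to `has_new=true`, which appears possible as written.

```yaml
      - name: Install apko
        env:
          # Placeholders: record the reviewed release tag and the checksum of
          # the asset for the runner's OS/architecture.
          APKO_TAG: "<pinned-release-tag>"
          APKO_SHA256: "<expected-sha256-of-asset>"
        run: |
          curl -fsSL -o apko.tar.gz \
            "https://github.com/chainguard-dev/apko/releases/download/${APKO_TAG}/apko_$(uname -s)_$(uname -m).tar.gz"
          echo "${APKO_SHA256}  apko.tar.gz" | sha256sum -c -
          tar xzf apko.tar.gz -C /usr/local/bin apko
      # … unchanged: checkout, registry login, build and push, Scout scan …
```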
@@ -2,7 +2,7 @@ REGISTRY ?= svrnty/base-distro APKO_FLAGS ?= --log-level info # Image variants -VARIANTS = base build dotnet-runtime dotnet-sdk flutter +VARIANTS = base build dotnet-runtime dotnet-sdk flutter-sdk .PHONY: all clean $(VARIANTS) test @@ -29,10 +29,10 @@ dotnet-sdk: docker load < dotnet-sdk.tar @echo "Built $(REGISTRY):dotnet-sdk" -flutter: - apko build $(APKO_FLAGS) apko/flutter.yaml $(REGISTRY):flutter flutter.tar - docker load < flutter.tar - @echo "Built $(REGISTRY):flutter" +flutter-sdk: + apko build $(APKO_FLAGS) apko/flutter-sdk.yaml $(REGISTRY):flutter-sdk flutter-sdk.tar + docker load < flutter-sdk.tar + @echo "Built $(REGISTRY):flutter-sdk" # Test all images test: all @@ -48,8 +48,8 @@ test: all @echo "=== Testing dotnet-sdk ===" docker run --rm $(REGISTRY):dotnet-sdk bash -c "git --version && ls /usr/lib/libicu*" @echo "" - @echo "=== Testing flutter ===" - docker run --rm $(REGISTRY):flutter bash -c "git --version && echo PATH=\$$PATH" + @echo "=== Testing flutter-sdk ===" + docker run --rm $(REGISTRY):flutter-sdk bash -c "git --version && echo PATH=\$$PATH" @echo "" @echo "All tests passed!" diff --git a/apko/dotnet-runtime.yaml b/apko/dotnet-runtime.yaml index 1735dac..e1e56cd 100644 --- a/apko/dotnet-runtime.yaml +++ b/apko/dotnet-runtime.yaml @@ -12,6 +12,7 @@ contents: - ca-certificates-bundle - tzdata - busybox + - curl # .NET runtime dependencies - icu - libssl3 diff --git a/apko/flutter.yaml b/apko/flutter-sdk.yaml similarity index 100% rename from apko/flutter.yaml rename to apko/flutter-sdk.yaml diff --git a/examples/Dockerfile.flutter-web b/examples/Dockerfile.flutter-web index 7b8b988..a5a45f5 100644 --- a/examples/Dockerfile.flutter-web +++ b/examples/Dockerfile.flutter-web 
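Review bot: The added `- curl` entry in `apko/dotnet-runtime.yaml` ships a general-purpose download client in every runtime image, although the commit message says it is needed only while downstream Dockerfiles bootstrap the .NET runtime. A runtime variant is normally kept as small as possible so that a compromised application has fewer tools to hand. Consider doing the download in a build stage (the `build` or `dotnet-sdk` variant, if they carry curl) and copying the runtime into this image. If curl must stay, record the reason next to it, for example `- curl  # bootstrap only: downstream Dockerfiles fetch the .NET runtime with it`, and have those Dockerfiles verify what they download. The `contents` list starts and ends outside this hunk, so the other packages and repositories are not visible here.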
@@ -1,10 +1,10 @@ # Example: Flutter web build image using base-distro # # Usage in flutter-admin-console or other Flutter web projects: -# FROM svrnty/base-distro:flutter-latest AS build +# FROM svrnty/base-distro:flutter-sdk-latest AS build # ... (install Flutter SDK, build web app) ... -FROM svrnty/base-distro:flutter-latest AS build +FROM svrnty/base-distro:flutter-sdk-latest AS build # Install Flutter SDK on top of the base USER root