From 3aa55f7590549f515f544b8d12a52ee21b4f9273 Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan
Date: Tue, 3 Feb 2026 04:19:56 -0500
Subject: [PATCH] Add Wolfi base image update detection
- Check base image digests daily against stored values
- Trigger prerelease rebuild when Wolfi updates detected
- Store digests in .base-digests file
Co-Authored-By: Claude Opus 4.5
---
 .base-digests | 3 ++
 .gitea/workflows/update-check.yaml | 72 +++++++++++++++++++++++++++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 .base-digests
diff --git a/.base-digests b/.base-digests
new file mode 100644
index 0000000..4923cce
--- /dev/null
+++ b/.base-digests
@@ -0,0 +1,3 @@
+web=sha256:5af7f00d3e64f3deba365a1c4dc2a57cf173e2d763f656771ad834c8cbfbec28
+android=sha256:489f3cbd316bd66d3475430b69e1b32f87606a63f8837c3588b04da83b7509ff
+linux=sha256:2c77cba8eb20114f45d7b9d97d5d6773fa542c72cb6252d6f1c00de9fb4c7e95
diff --git a/.gitea/workflows/update-check.yaml b/.gitea/workflows/update-check.yaml
index 6993690..634b06f 100644
--- a/.gitea/workflows/update-check.yaml
+++ b/.gitea/workflows/update-check.yaml
@@ -1,4 +1,4 @@
-name: Check for Flutter SDK and Android SDK Updates
+name: Check for Flutter SDK, Android SDK, and Base Image Updates
 on:
 schedule:
@@ -96,6 +96,76 @@ jobs:
 echo "needs_update=${NEEDS_UPDATE}" >> $GITHUB_OUTPUT
+ - name: Check Wolfi base image updates
+ id: base_images
+ run: |
+ # Get current digests from Docker Hub
+ WEB_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-latest" | jq -r '.digest // empty')
+ ANDROID_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-android-latest" | jq -r '.digest // empty')
+ LINUX_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-linux-latest" | jq -r '.digest // empty')
+
+ echo "Current base image digests:"
+ echo " web: ${WEB_DIGEST}"
+ echo " android: ${ANDROID_DIGEST}"
+ echo " linux: ${LINUX_DIGEST}"
+
+ # Load stored digests
+ STORED_WEB=$(grep '^web=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+ STORED_ANDROID=$(grep '^android=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+ STORED_LINUX=$(grep '^linux=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+
+ # Compare
+ NEEDS_REBUILD=false
+ if [ -n "$WEB_DIGEST" ] && [ "$WEB_DIGEST" != "$STORED_WEB" ]; then
+ echo "Web base image updated"
+ NEEDS_REBUILD=true
+ fi
+ if [ -n "$ANDROID_DIGEST" ] && [ "$ANDROID_DIGEST" != "$STORED_ANDROID" ]; then
+ echo "Android base image updated"
+ NEEDS_REBUILD=true
+ fi
+ if [ -n "$LINUX_DIGEST" ] && [ "$LINUX_DIGEST" != "$STORED_LINUX" ]; then
+ echo "Linux base image updated"
+ NEEDS_REBUILD=true
+ fi
+
+ echo "needs_rebuild=${NEEDS_REBUILD}" >> $GITHUB_OUTPUT
+ echo "web_digest=${WEB_DIGEST}" >> $GITHUB_OUTPUT
+ echo "android_digest=${ANDROID_DIGEST}" >> $GITHUB_OUTPUT
+ echo "linux_digest=${LINUX_DIGEST}" >> $GITHUB_OUTPUT
+
+ - name: Trigger rebuild for base image updates
+ if: steps.base_images.outputs.needs_rebuild == 'true' && steps.existing.outputs.exists == 'true'
+ run: |
+ VERSION="${{ steps.flutter.outputs.version }}"
+ echo "Base image updated, triggering rebuild for Flutter ${VERSION}"
+
+ # Update stored digests
+ cat > .base-digests << EOF
+ web=${{ steps.base_images.outputs.web_digest }}
+ android=${{ steps.base_images.outputs.android_digest }}
+ linux=${{ steps.base_images.outputs.linux_digest }}
+ EOF
+
+ git config user.name "github-actions[bot]"
+ git config user.email "github-actions[bot]@users.noreply.github.com"
+ git add .base-digests
+ git commit -m "Update base image digests (Wolfi security update)"
+ git push
+
+ # Trigger rebuild by creating a prerelease
+ curl -fsSL -X POST \
+ -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
+ -H "Content-Type: application/json" \
+ "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases" \
+ -d "{
+ \"tag_name\": \"${VERSION}-rebuild-$(date +%Y%m%d)\",
+ \"name\": \"Security rebuild ${VERSION}\",
+ \"body\": \"Automated rebuild for Wolfi base image security updates\",
+ \"draft\": false,
+ \"prerelease\": true
+ }"
+
 - name: Create release for new Flutter version
 if: steps.existing.outputs.exists == 'false' && steps.flutter.outputs.version != ''
 run: |
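Review bot: In the `Trigger rebuild for base image updates` step the three `.base-digests` heredoc lines and `VERSION="${{ steps.flutter.outputs.version }}"` splice step outputs into the script text with `${{ }}` before the shell parses it, and the digest outputs are whatever `jq -r '.digest // empty'` extracted from the Docker Hub response, so an unexpected or hostile value is interpreted as shell syntax rather than as data. Pass those values through `env:` and reference them as shell variables, and have the `Check Wolfi base image updates` step accept a digest only when it matches `^sha256:[0-9a-f]{64}$`, treating anything else as empty so it is neither compared nor stored. Separately, `git push` runs before the release-creation `curl -fsSL`, so if that request fails the new digests are already recorded and the next scheduled run sees no change and never retries the rebuild; creating the release first, or committing only after it succeeds, avoids that. The `tag_name` ends in `date +%Y%m%d`, so a second base-image change on the same day would collide with the tag already created. The enclosing `steps:` list and `jobs:` mapping begin outside the hunk.
```yaml
      - name: Check Wolfi base image updates
        id: base_images
        run: |
          # … unchanged: fetch WEB_DIGEST / ANDROID_DIGEST / LINUX_DIGEST from Docker Hub …
          # Accept only a well-formed digest; anything else is treated as unknown (empty)
          valid_digest() { printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'; }
          valid_digest "$WEB_DIGEST" || WEB_DIGEST=""
          valid_digest "$ANDROID_DIGEST" || ANDROID_DIGEST=""
          valid_digest "$LINUX_DIGEST" || LINUX_DIGEST=""
          # … unchanged: compare with .base-digests and write outputs …

      - name: Trigger rebuild for base image updates
        if: steps.base_images.outputs.needs_rebuild == 'true' && steps.existing.outputs.exists == 'true'
        env:
          VERSION: ${{ steps.flutter.outputs.version }}
          WEB_DIGEST: ${{ steps.base_images.outputs.web_digest }}
          ANDROID_DIGEST: ${{ steps.base_images.outputs.android_digest }}
          LINUX_DIGEST: ${{ steps.base_images.outputs.linux_digest }}
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
        run: |
          echo "Base image updated, triggering rebuild for Flutter ${VERSION}"
          # … unchanged: create the prerelease first (same curl, with "$GITEA_TOKEN" and "$VERSION" in place of the ${{ }} expressions) …
          # Record the digests only once the rebuild has actually been triggered
          cat > .base-digests << EOF
          web=${WEB_DIGEST}
          android=${ANDROID_DIGEST}
          linux=${LINUX_DIGEST}
          EOF
          # … unchanged: git config / add / commit / push …
```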