Update base image digests (Wolfi security update)

- Full release (3.38.9): creates web-3.38.9 + web-latest
- Prerelease (3.38.9-rebuild-20260203): creates web-3.38.9-rebuild-20260203 + web-dev
- Versioned tags never get overwritten after initial publish

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.base-digests

@@ -0,0 +1,3 @@
+web=sha256:cce6d72541facea17321cb7f76fc8947c54335a3675cabe64214efad366240f4
+android=sha256:489f3cbd316bd66d3475430b69e1b32f87606a63f8837c3588b04da83b7509ff
+linux=sha256:2c77cba8eb20114f45d7b9d97d5d6773fa542c72cb6252d6f1c00de9fb4c7e95

.gitea/workflows/publish.yaml

@@ -5,7 +5,7 @@ on:
     types: [published, prereleased]
 
 permissions:
-  contents: read
+  contents: write
 
 env:
   IMAGE_NAME: flutter-sdk
@@ -33,16 +33,18 @@ jobs:
         id: version
         run: |
           if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
-            # Pre-release: fetch latest stable version, tag as dev
-            FLUTTER_VERSION=$(curl -fsSL https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json \
-              | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
-            echo "flutter_version=${FLUTTER_VERSION}" >> $GITHUB_OUTPUT
-            echo "tag=${{ matrix.variant }}-dev" >> $GITHUB_OUTPUT
-            echo "Using latest Flutter stable ${FLUTTER_VERSION} for pre-release test"
+            # Pre-release: use release tag as version, don't overwrite existing tags
+            # Extract base Flutter version for build-arg (e.g., 3.38.9 from 3.38.9-rebuild-20260203)
+            BASE_VERSION=$(echo "${{ github.event.release.tag_name }}" | grep -oP '^[0-9]+\.[0-9]+\.[0-9]+')
+            echo "flutter_version=${BASE_VERSION}" >> $GITHUB_OUTPUT
+            echo "tag=${{ matrix.variant }}-${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+            echo "secondary_tag=${{ matrix.variant }}-dev" >> $GITHUB_OUTPUT
+            echo "Pre-release: building Flutter ${BASE_VERSION}, tagging as ${{ github.event.release.tag_name }}"
           else
             # Full release: use the release tag as the Flutter version
             echo "flutter_version=${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
-            echo "tag=${{ matrix.variant }}-latest" >> $GITHUB_OUTPUT
+            echo "tag=${{ matrix.variant }}-${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+            echo "secondary_tag=${{ matrix.variant }}-latest" >> $GITHUB_OUTPUT
           fi
 
       - name: Set up QEMU
@@ -67,7 +69,7 @@ jobs:
           load: true
           build-args: |
             FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
-          tags: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
+          tags: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
 
       - name: Install Docker Scout
         run: |
@@ -76,7 +78,7 @@ jobs:
 
       - name: Docker Scout CVE Scan
         run: |
-          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }} --only-severity critical,high
+          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }} --only-severity critical,high
 
       - name: Build and push with attestations
         uses: docker/build-push-action@v5
@@ -90,10 +92,45 @@ jobs:
           build-args: |
             FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
           tags: |
-            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
             ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.secondary_tag }}
           labels: |
             org.opencontainers.image.title=${{ env.IMAGE_NAME }}
             org.opencontainers.image.description=${{ matrix.description }}
-            org.opencontainers.image.version=${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
+            org.opencontainers.image.version=${{ steps.version.outputs.tag }}
             org.opencontainers.image.revision=${{ github.sha }}
+
+  sync-readme:
+    needs: build-and-push
+    if: github.event.release.prerelease == false && !contains(github.event.release.tag_name, 'test')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Update README badges
+        run: |
+          FLUTTER="${{ github.event.release.tag_name }}"
+          ANDROID_SDK=$(grep -oP 'ANDROID_BUILD_TOOLS=\K[0-9.]+' Dockerfile.android || echo "")
+
+          if [ -n "$ANDROID_SDK" ]; then
+            sed -i "s|Android%20SDK-[0-9.]*-green|Android%20SDK-${ANDROID_SDK}-green|g" README.md
+          fi
+
+          if [ -n "$FLUTTER" ]; then
+            sed -i "s|web--[0-9.]*-blue|web--${FLUTTER}-blue|g" README.md
+            sed -i "s|android--[0-9.]*-blue|android--${FLUTTER}-blue|g" README.md
+            sed -i "s|linux--[0-9.]*-blue|linux--${FLUTTER}-blue|g" README.md
+            sed -i "s|/web-[0-9.]*?|/web-${FLUTTER}?|g" README.md
+            sed -i "s|/android-[0-9.]*?|/android-${FLUTTER}?|g" README.md
+            sed -i "s|/linux-[0-9.]*?|/linux-${FLUTTER}?|g" README.md
+          fi
+
+      - name: Commit and push
+        run: |
+          git diff --quiet README.md && exit 0
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add README.md
+          git commit -m "Update README badges to Flutter ${{ github.event.release.tag_name }}"
+          git push

.gitea/workflows/sync-readme-badges.yaml

@@ -1,68 +0,0 @@
-name: Sync README Badges
-
-on:
-  workflow_run:
-    workflows: ["Build and Push Flutter SDK Image"]
-    types:
-      - completed
-  workflow_dispatch:
-
-jobs:
-  sync-badges:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Extract versions from Dockerfiles
-        id: versions
-        run: |
-          # Android SDK build-tools version
-          ANDROID_SDK=$(grep -oP 'ANDROID_BUILD_TOOLS=\K[0-9.]+' Dockerfile.android || echo "")
-          echo "android_sdk=${ANDROID_SDK}" >> $GITHUB_OUTPUT
-          echo "Android SDK: ${ANDROID_SDK}"
-
-          # Flutter version (from ARG default)
-          FLUTTER=$(grep -oP 'ARG FLUTTER_VERSION=\K[0-9.]+' Dockerfile.android || echo "")
-          echo "flutter=${FLUTTER}" >> $GITHUB_OUTPUT
-          echo "Flutter: ${FLUTTER}"
-
-      - name: Update README badges
-        run: |
-          ANDROID_SDK="${{ steps.versions.outputs.android_sdk }}"
-          FLUTTER="${{ steps.versions.outputs.flutter }}"
-
-          if [ -n "$ANDROID_SDK" ]; then
-            # Update Android SDK badge version
-            sed -i "s|Android%20SDK-[0-9.]*-green|Android%20SDK-${ANDROID_SDK}-green|g" README.md
-            echo "Updated Android SDK badge to ${ANDROID_SDK}"
-          fi
-
-          if [ -n "$FLUTTER" ]; then
-            # Update Flutter version in variant badges and size badges
-            sed -i "s|web--[0-9.]*-blue|web--${FLUTTER}-blue|g" README.md
-            sed -i "s|android--[0-9.]*-blue|android--${FLUTTER}-blue|g" README.md
-            sed -i "s|linux--[0-9.]*-blue|linux--${FLUTTER}-blue|g" README.md
-            sed -i "s|/web-[0-9.]*?|/web-${FLUTTER}?|g" README.md
-            sed -i "s|/android-[0-9.]*?|/android-${FLUTTER}?|g" README.md
-            sed -i "s|/linux-[0-9.]*?|/linux-${FLUTTER}?|g" README.md
-            echo "Updated Flutter version badges to ${FLUTTER}"
-          fi
-
-      - name: Check for changes
-        id: changes
-        run: |
-          if git diff --quiet README.md; then
-            echo "changed=false" >> $GITHUB_OUTPUT
-          else
-            echo "changed=true" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Commit and push
-        if: steps.changes.outputs.changed == 'true'
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add README.md
-          git commit -m "Update README badges to match Dockerfile versions"
-          git push

.gitea/workflows/update-check.yaml

@@ -1,4 +1,4 @@
-name: Check for Flutter SDK and Android SDK Updates
+name: Check for Flutter SDK, Android SDK, and Base Image Updates
 
 on:
   schedule:
@@ -96,6 +96,76 @@ jobs:
 
           echo "needs_update=${NEEDS_UPDATE}" >> $GITHUB_OUTPUT
 
+      - name: Check Wolfi base image updates
+        id: base_images
+        run: |
+          # Get current digests from Docker Hub
+          WEB_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-latest" | jq -r '.digest // empty')
+          ANDROID_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-android-latest" | jq -r '.digest // empty')
+          LINUX_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-linux-latest" | jq -r '.digest // empty')
+
+          echo "Current base image digests:"
+          echo "  web: ${WEB_DIGEST}"
+          echo "  android: ${ANDROID_DIGEST}"
+          echo "  linux: ${LINUX_DIGEST}"
+
+          # Load stored digests
+          STORED_WEB=$(grep '^web=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+          STORED_ANDROID=$(grep '^android=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+          STORED_LINUX=$(grep '^linux=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+
+          # Compare
+          NEEDS_REBUILD=false
+          if [ -n "$WEB_DIGEST" ] && [ "$WEB_DIGEST" != "$STORED_WEB" ]; then
+            echo "Web base image updated"
+            NEEDS_REBUILD=true
+          fi
+          if [ -n "$ANDROID_DIGEST" ] && [ "$ANDROID_DIGEST" != "$STORED_ANDROID" ]; then
+            echo "Android base image updated"
+            NEEDS_REBUILD=true
+          fi
+          if [ -n "$LINUX_DIGEST" ] && [ "$LINUX_DIGEST" != "$STORED_LINUX" ]; then
+            echo "Linux base image updated"
+            NEEDS_REBUILD=true
+          fi
+
+          echo "needs_rebuild=${NEEDS_REBUILD}" >> $GITHUB_OUTPUT
+          echo "web_digest=${WEB_DIGEST}" >> $GITHUB_OUTPUT
+          echo "android_digest=${ANDROID_DIGEST}" >> $GITHUB_OUTPUT
+          echo "linux_digest=${LINUX_DIGEST}" >> $GITHUB_OUTPUT
+
+      - name: Trigger rebuild for base image updates
+        if: steps.base_images.outputs.needs_rebuild == 'true' && steps.existing.outputs.exists == 'true'
+        run: |
+          VERSION="${{ steps.flutter.outputs.version }}"
+          echo "Base image updated, triggering rebuild for Flutter ${VERSION}"
+
+          # Update stored digests
+          cat > .base-digests << EOF
+          web=${{ steps.base_images.outputs.web_digest }}
+          android=${{ steps.base_images.outputs.android_digest }}
+          linux=${{ steps.base_images.outputs.linux_digest }}
+          EOF
+
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add .base-digests
+          git commit -m "Update base image digests (Wolfi security update)"
+          git push
+
+          # Trigger rebuild by creating a prerelease
+          curl -fsSL -X POST \
+            -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases" \
+            -d "{
+              \"tag_name\": \"${VERSION}-rebuild-$(date +%Y%m%d)\",
+              \"name\": \"Security rebuild ${VERSION}\",
+              \"body\": \"Automated rebuild for Wolfi base image security updates\",
+              \"draft\": false,
+              \"prerelease\": true
+            }"
+
       - name: Create release for new Flutter version
         if: steps.existing.outputs.exists == 'false' && steps.flutter.outputs.version != ''
         run: |

DOCKERHUB.md

@@ -0,0 +1,131 @@
+# Flutter SDK Docker Images
+
+<a href="https://git.openharbor.io/svrnty/docker-flutter-sdk" target="_blank"><img src="https://img.shields.io/badge/Git-Repository-orange?logo=gitea" alt="Git Repository"></a>
+<a href="https://wolfi.dev" target="_blank"><img src="https://img.shields.io/badge/Base-Wolfi-purple?logo=linux" alt="Wolfi"></a>
+
+Lightweight Flutter SDK images for CI/CD pipelines. Built on [Wolfi](https://wolfi.dev), a security-focused Linux distribution designed for containers.
+
+## Variants
+
+- `web` - Web/WASM builds
+- `android` - Android APK/AAB builds
+- `linux` - Linux desktop builds
+
+All variants support `linux/amd64` and `linux/arm64`.
+
+## Why Wolfi?
+
+[Wolfi](https://wolfi.dev) is a lightweight Linux distribution built specifically for containers. It provides:
+
+- **Minimal footprint** - Only essential packages, nothing extra
+- **Daily security updates** - Patches applied quickly
+- **Designed for containers** - No legacy cruft from traditional distros
+
+## Features
+
+- **Lightweight** - Optimized for fast CI/CD pulls
+- **Secure** - Built on Wolfi with continuous vulnerability scanning
+- **Multi-arch** - Supports both `linux/amd64` and `linux/arm64`
+- **Non-root** - Runs as unprivileged user (UID 65532)
+- **Supply chain security** - SBOM and SLSA provenance attestations included
+
+## Dockerfile Examples
+
+### Web App (WASM)
+
+```dockerfile
+FROM svrnty/flutter-sdk:web-latest AS build
+WORKDIR /app
+COPY . .
+RUN flutter pub get && flutter build web --wasm --release
+
+# Cache-busting: append version to JS/WASM references
+RUN VERSION=$(date +%s) && cd build/web && \
+    sed -i "s|flutter_bootstrap\.js\"|flutter_bootstrap.js?v=${VERSION}\"|g" index.html && \
+    sed -i "s|main\.dart\.js\"|main.dart.js?v=${VERSION}\"|g" flutter_bootstrap.js && \
+    sed -i "s|main\.dart\.mjs\"|main.dart.mjs?v=${VERSION}\"|g" flutter_bootstrap.js && \
+    sed -i "s|main\.dart\.wasm\"|main.dart.wasm?v=${VERSION}\"|g" flutter_bootstrap.js
+
+FROM ghcr.io/static-web-server/static-web-server:2 AS sws
+FROM scratch
+COPY --from=sws /static-web-server /static-web-server
+COPY --from=build /app/build/web /public
+COPY sws.toml /sws.toml
+EXPOSE 8080
+USER 65534
+ENTRYPOINT ["/static-web-server", "--config-file", "/sws.toml"]
+```
+
+**sws.toml** - Required headers for WASM multi-threading:
+
+```toml
+[general]
+host = "0.0.0.0"
+port = 8080
+root = "/public"
+page-fallback = "/public/index.html"
+compression = true
+
+[[advanced.headers]]
+source = "**"
+[advanced.headers.headers]
+Cross-Origin-Opener-Policy = "same-origin"
+Cross-Origin-Embedder-Policy = "require-corp"
+```
+
+### Android APK
+
+```dockerfile
+FROM svrnty/flutter-sdk:android-latest AS build
+WORKDIR /app
+COPY . .
+RUN flutter pub get && flutter build apk --release
+
+FROM scratch
+COPY --from=build /app/build/app/outputs/flutter-apk/app-release.apk /
+```
+
+### Linux Desktop
+
+```dockerfile
+FROM svrnty/flutter-sdk:linux-latest AS build
+WORKDIR /app
+COPY . .
+RUN flutter pub get && flutter build linux --release
+
+FROM debian:bookworm-slim
+RUN apt-get update && apt-get install -y libgtk-3-0 && rm -rf /var/lib/apt/lists/*
+COPY --from=build /app/build/linux/arm64/release/bundle /app
+ENTRYPOINT ["/app/my_app"]
+```
+
+## CI/CD (Gitea/GitHub Actions)
+
+```yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container:
+      image: svrnty/flutter-sdk:android-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: flutter pub get
+      - run: flutter build apk --release
+```
+
+## Tags
+
+- `<variant>-latest` - Latest stable Flutter release
+- `<variant>-<version>` - Specific Flutter version (e.g., `android-3.29.0`)
+
+## Automatic Updates
+
+Images are automatically rebuilt when:
+- New Flutter stable versions are released
+- Base image security updates are available
+
+Every build is scanned and includes supply chain attestations (SBOM, SLSA provenance).
+
+## License
+
+MIT

README.md

@@ -34,17 +34,46 @@ Lightweight Flutter SDK images for CI/CD pipelines. Built on [Wolfi](https://wol
 
 ## Dockerfile Examples
 
-### Web App
+### Web App (WASM)
 
 ```dockerfile
 FROM svrnty/flutter-sdk:web-latest AS build
-COPY . /app
 WORKDIR /app
-RUN flutter pub get && flutter build web --release
+COPY . .
+RUN flutter pub get && flutter build web --wasm --release
 
-FROM nginx:alpine
-COPY --from=build /app/build/web /usr/share/nginx/html
-EXPOSE 80
+# Cache-busting: append version to JS/WASM references
+RUN VERSION=$(date +%s) && cd build/web && \
+    sed -i "s|flutter_bootstrap\.js\"|flutter_bootstrap.js?v=${VERSION}\"|g" index.html && \
+    sed -i "s|main\.dart\.js\"|main.dart.js?v=${VERSION}\"|g" flutter_bootstrap.js && \
+    sed -i "s|main\.dart\.mjs\"|main.dart.mjs?v=${VERSION}\"|g" flutter_bootstrap.js && \
+    sed -i "s|main\.dart\.wasm\"|main.dart.wasm?v=${VERSION}\"|g" flutter_bootstrap.js
+
+FROM ghcr.io/static-web-server/static-web-server:2 AS sws
+FROM scratch
+COPY --from=sws /static-web-server /static-web-server
+COPY --from=build /app/build/web /public
+COPY sws.toml /sws.toml
+EXPOSE 8080
+USER 65534
+ENTRYPOINT ["/static-web-server", "--config-file", "/sws.toml"]
+```
+
+**sws.toml** - Required headers for WASM multi-threading:
+
+```toml
+[general]
+host = "0.0.0.0"
+port = 8080
+root = "/public"
+page-fallback = "/public/index.html"
+compression = true
+
+[[advanced.headers]]
+source = "**"
+[advanced.headers.headers]
+Cross-Origin-Opener-Policy = "same-origin"
+Cross-Origin-Embedder-Policy = "require-corp"
 ```
 
 ### Android APK
@@ -63,20 +92,19 @@ COPY --from=build /app/build/app/outputs/flutter-apk/app-release.apk /
 
 ```dockerfile
 FROM svrnty/flutter-sdk:linux-latest AS build
-COPY . /app
 WORKDIR /app
+COPY . .
 RUN flutter pub get && flutter build linux --release
 
-FROM ubuntu:22.04
+FROM debian:bookworm-slim
 RUN apt-get update && apt-get install -y libgtk-3-0 && rm -rf /var/lib/apt/lists/*
-COPY --from=build /app/build/linux/x64/release/bundle /app
+COPY --from=build /app/build/linux/arm64/release/bundle /app
 ENTRYPOINT ["/app/my_app"]
 ```
 
-## CI/CD
+## CI/CD (Gitea/GitHub Actions)
 
 ```yaml
-# GitHub Actions / Gitea Actions
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -88,15 +116,6 @@ jobs:
       - run: flutter build apk --release
 ```
 
-```yaml
-# GitLab CI
-build:
-  image: svrnty/flutter-sdk:android-latest
-  script:
-    - flutter pub get
-    - flutter build apk --release
-```
-
 ## Tags
 
 - `<variant>-latest` - Latest stable Flutter release