Update base image digests (Wolfi security update)

- Full release (3.38.9): creates web-3.38.9 + web-latest
- Prerelease (3.38.9-rebuild-20260203): creates web-3.38.9-rebuild-20260203 + web-dev
- Versioned tags never get overwritten after initial publish

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.base-digests

@@ -0,0 +1,3 @@
+web=sha256:cce6d72541facea17321cb7f76fc8947c54335a3675cabe64214efad366240f4
+android=sha256:489f3cbd316bd66d3475430b69e1b32f87606a63f8837c3588b04da83b7509ff
+linux=sha256:2c77cba8eb20114f45d7b9d97d5d6773fa542c72cb6252d6f1c00de9fb4c7e95

.gitea/workflows/publish.yaml

@@ -5,7 +5,7 @@ on:
     types: [published, prereleased]
 
 permissions:
-  contents: read
+  contents: write
 
 env:
   IMAGE_NAME: flutter-sdk
@@ -33,16 +33,18 @@ jobs:
         id: version
         run: |
           if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
-            # Pre-release: fetch latest stable version, tag as dev
-            FLUTTER_VERSION=$(curl -fsSL https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json \
-              | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
-            echo "flutter_version=${FLUTTER_VERSION}" >> $GITHUB_OUTPUT
-            echo "tag=${{ matrix.variant }}-dev" >> $GITHUB_OUTPUT
-            echo "Using latest Flutter stable ${FLUTTER_VERSION} for pre-release test"
+            # Pre-release: use release tag as version, don't overwrite existing tags
+            # Extract base Flutter version for build-arg (e.g., 3.38.9 from 3.38.9-rebuild-20260203)
+            BASE_VERSION=$(echo "${{ github.event.release.tag_name }}" | grep -oP '^[0-9]+\.[0-9]+\.[0-9]+')
+            echo "flutter_version=${BASE_VERSION}" >> $GITHUB_OUTPUT
+            echo "tag=${{ matrix.variant }}-${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+            echo "secondary_tag=${{ matrix.variant }}-dev" >> $GITHUB_OUTPUT
+            echo "Pre-release: building Flutter ${BASE_VERSION}, tagging as ${{ github.event.release.tag_name }}"
           else
             # Full release: use the release tag as the Flutter version
             echo "flutter_version=${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
-            echo "tag=${{ matrix.variant }}-latest" >> $GITHUB_OUTPUT
+            echo "tag=${{ matrix.variant }}-${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+            echo "secondary_tag=${{ matrix.variant }}-latest" >> $GITHUB_OUTPUT
           fi
 
       - name: Set up QEMU
@@ -67,7 +69,7 @@ jobs:
           load: true
           build-args: |
             FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
-          tags: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
+          tags: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
 
       - name: Install Docker Scout
         run: |
@@ -76,7 +78,7 @@ jobs:
 
       - name: Docker Scout CVE Scan
         run: |
-          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }} --only-severity critical,high
+          docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }} --only-severity critical,high
 
       - name: Build and push with attestations
         uses: docker/build-push-action@v5
@@ -90,10 +92,45 @@ jobs:
           build-args: |
             FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
           tags: |
-            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
             ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
+            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.secondary_tag }}
           labels: |
             org.opencontainers.image.title=${{ env.IMAGE_NAME }}
             org.opencontainers.image.description=${{ matrix.description }}
-            org.opencontainers.image.version=${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
+            org.opencontainers.image.version=${{ steps.version.outputs.tag }}
             org.opencontainers.image.revision=${{ github.sha }}
+
+  sync-readme:
+    needs: build-and-push
+    if: github.event.release.prerelease == false && !contains(github.event.release.tag_name, 'test')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Update README badges
+        run: |
+          FLUTTER="${{ github.event.release.tag_name }}"
+          ANDROID_SDK=$(grep -oP 'ANDROID_BUILD_TOOLS=\K[0-9.]+' Dockerfile.android || echo "")
+
+          if [ -n "$ANDROID_SDK" ]; then
+            sed -i "s|Android%20SDK-[0-9.]*-green|Android%20SDK-${ANDROID_SDK}-green|g" README.md
+          fi
+
+          if [ -n "$FLUTTER" ]; then
+            sed -i "s|web--[0-9.]*-blue|web--${FLUTTER}-blue|g" README.md
+            sed -i "s|android--[0-9.]*-blue|android--${FLUTTER}-blue|g" README.md
+            sed -i "s|linux--[0-9.]*-blue|linux--${FLUTTER}-blue|g" README.md
+            sed -i "s|/web-[0-9.]*?|/web-${FLUTTER}?|g" README.md
+            sed -i "s|/android-[0-9.]*?|/android-${FLUTTER}?|g" README.md
+            sed -i "s|/linux-[0-9.]*?|/linux-${FLUTTER}?|g" README.md
+          fi
+
+      - name: Commit and push
+        run: |
+          git diff --quiet README.md && exit 0
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add README.md
+          git commit -m "Update README badges to Flutter ${{ github.event.release.tag_name }}"
+          git push

.gitea/workflows/update-check.yaml

@@ -1,4 +1,4 @@
-name: Check for Flutter SDK and Android SDK Updates
+name: Check for Flutter SDK, Android SDK, and Base Image Updates
 
 on:
   schedule:
@@ -96,6 +96,76 @@ jobs:
 
           echo "needs_update=${NEEDS_UPDATE}" >> $GITHUB_OUTPUT
 
+      - name: Check Wolfi base image updates
+        id: base_images
+        run: |
+          # Get current digests from Docker Hub
+          WEB_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-latest" | jq -r '.digest // empty')
+          ANDROID_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-android-latest" | jq -r '.digest // empty')
+          LINUX_DIGEST=$(curl -s "https://hub.docker.com/v2/repositories/svrnty/base-distro/tags/flutter-sdk-linux-latest" | jq -r '.digest // empty')
+
+          echo "Current base image digests:"
+          echo "  web: ${WEB_DIGEST}"
+          echo "  android: ${ANDROID_DIGEST}"
+          echo "  linux: ${LINUX_DIGEST}"
+
+          # Load stored digests
+          STORED_WEB=$(grep '^web=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+          STORED_ANDROID=$(grep '^android=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+          STORED_LINUX=$(grep '^linux=' .base-digests 2>/dev/null | cut -d= -f2 || echo "")
+
+          # Compare
+          NEEDS_REBUILD=false
+          if [ -n "$WEB_DIGEST" ] && [ "$WEB_DIGEST" != "$STORED_WEB" ]; then
+            echo "Web base image updated"
+            NEEDS_REBUILD=true
+          fi
+          if [ -n "$ANDROID_DIGEST" ] && [ "$ANDROID_DIGEST" != "$STORED_ANDROID" ]; then
+            echo "Android base image updated"
+            NEEDS_REBUILD=true
+          fi
+          if [ -n "$LINUX_DIGEST" ] && [ "$LINUX_DIGEST" != "$STORED_LINUX" ]; then
+            echo "Linux base image updated"
+            NEEDS_REBUILD=true
+          fi
+
+          echo "needs_rebuild=${NEEDS_REBUILD}" >> $GITHUB_OUTPUT
+          echo "web_digest=${WEB_DIGEST}" >> $GITHUB_OUTPUT
+          echo "android_digest=${ANDROID_DIGEST}" >> $GITHUB_OUTPUT
+          echo "linux_digest=${LINUX_DIGEST}" >> $GITHUB_OUTPUT
+
+      - name: Trigger rebuild for base image updates
+        if: steps.base_images.outputs.needs_rebuild == 'true' && steps.existing.outputs.exists == 'true'
+        run: |
+          VERSION="${{ steps.flutter.outputs.version }}"
+          echo "Base image updated, triggering rebuild for Flutter ${VERSION}"
+
+          # Update stored digests
+          cat > .base-digests << EOF
+          web=${{ steps.base_images.outputs.web_digest }}
+          android=${{ steps.base_images.outputs.android_digest }}
+          linux=${{ steps.base_images.outputs.linux_digest }}
+          EOF
+
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add .base-digests
+          git commit -m "Update base image digests (Wolfi security update)"
+          git push
+
+          # Trigger rebuild by creating a prerelease
+          curl -fsSL -X POST \
+            -H "Authorization: token ${{ secrets.GITEA_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/releases" \
+            -d "{
+              \"tag_name\": \"${VERSION}-rebuild-$(date +%Y%m%d)\",
+              \"name\": \"Security rebuild ${VERSION}\",
+              \"body\": \"Automated rebuild for Wolfi base image security updates\",
+              \"draft\": false,
+              \"prerelease\": true
+            }"
+
       - name: Create release for new Flutter version
         if: steps.existing.outputs.exists == 'false' && steps.flutter.outputs.version != ''
         run: |

DOCKERHUB.md

@@ -0,0 +1,131 @@
+# Flutter SDK Docker Images
+
+<a href="https://git.openharbor.io/svrnty/docker-flutter-sdk" target="_blank"><img src="https://img.shields.io/badge/Git-Repository-orange?logo=gitea" alt="Git Repository"></a>
+<a href="https://wolfi.dev" target="_blank"><img src="https://img.shields.io/badge/Base-Wolfi-purple?logo=linux" alt="Wolfi"></a>
+
+Lightweight Flutter SDK images for CI/CD pipelines. Built on [Wolfi](https://wolfi.dev), a security-focused Linux distribution designed for containers.
+
+## Variants
+
+- `web` - Web/WASM builds
+- `android` - Android APK/AAB builds
+- `linux` - Linux desktop builds
+
+All variants support `linux/amd64` and `linux/arm64`.
+
+## Why Wolfi?
+
+[Wolfi](https://wolfi.dev) is a lightweight Linux distribution built specifically for containers. It provides:
+
+- **Minimal footprint** - Only essential packages, nothing extra
+- **Daily security updates** - Patches applied quickly
+- **Designed for containers** - No legacy cruft from traditional distros
+
+## Features
+
+- **Lightweight** - Optimized for fast CI/CD pulls
+- **Secure** - Built on Wolfi with continuous vulnerability scanning
+- **Multi-arch** - Supports both `linux/amd64` and `linux/arm64`
+- **Non-root** - Runs as unprivileged user (UID 65532)
+- **Supply chain security** - SBOM and SLSA provenance attestations included
+
+## Dockerfile Examples
+
+### Web App (WASM)
+
+```dockerfile
+FROM svrnty/flutter-sdk:web-latest AS build
+WORKDIR /app
+COPY . .
+RUN flutter pub get && flutter build web --wasm --release
+
+# Cache-busting: append version to JS/WASM references
+RUN VERSION=$(date +%s) && cd build/web && \
+    sed -i "s|flutter_bootstrap\.js\"|flutter_bootstrap.js?v=${VERSION}\"|g" index.html && \
+    sed -i "s|main\.dart\.js\"|main.dart.js?v=${VERSION}\"|g" flutter_bootstrap.js && \
+    sed -i "s|main\.dart\.mjs\"|main.dart.mjs?v=${VERSION}\"|g" flutter_bootstrap.js && \
+    sed -i "s|main\.dart\.wasm\"|main.dart.wasm?v=${VERSION}\"|g" flutter_bootstrap.js
+
+FROM ghcr.io/static-web-server/static-web-server:2 AS sws
+FROM scratch
+COPY --from=sws /static-web-server /static-web-server
+COPY --from=build /app/build/web /public
+COPY sws.toml /sws.toml
+EXPOSE 8080
+USER 65534
+ENTRYPOINT ["/static-web-server", "--config-file", "/sws.toml"]
+```
+
+**sws.toml** - Required headers for WASM multi-threading:
+
+```toml
+[general]
+host = "0.0.0.0"
+port = 8080
+root = "/public"
+page-fallback = "/public/index.html"
+compression = true
+
+[[advanced.headers]]
+source = "**"
+[advanced.headers.headers]
+Cross-Origin-Opener-Policy = "same-origin"
+Cross-Origin-Embedder-Policy = "require-corp"
+```
+
+### Android APK
+
+```dockerfile
+FROM svrnty/flutter-sdk:android-latest AS build
+WORKDIR /app
+COPY . .
+RUN flutter pub get && flutter build apk --release
+
+FROM scratch
+COPY --from=build /app/build/app/outputs/flutter-apk/app-release.apk /
+```
+
+### Linux Desktop
+
+```dockerfile
+FROM svrnty/flutter-sdk:linux-latest AS build
+WORKDIR /app
+COPY . .
+RUN flutter pub get && flutter build linux --release
+
+FROM debian:bookworm-slim
+RUN apt-get update && apt-get install -y libgtk-3-0 && rm -rf /var/lib/apt/lists/*
+COPY --from=build /app/build/linux/arm64/release/bundle /app
+ENTRYPOINT ["/app/my_app"]
+```
+
+## CI/CD (Gitea/GitHub Actions)
+
+```yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container:
+      image: svrnty/flutter-sdk:android-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: flutter pub get
+      - run: flutter build apk --release
+```
+
+## Tags
+
+- `<variant>-latest` - Latest stable Flutter release
+- `<variant>-<version>` - Specific Flutter version (e.g., `android-3.29.0`)
+
+## Automatic Updates
+
+Images are automatically rebuilt when:
+- New Flutter stable versions are released
+- Base image security updates are available
+
+Every build is scanned and includes supply chain attestations (SBOM, SLSA provenance).
+
+## License
+
+MIT

Dockerfile.android

@@ -28,7 +28,12 @@ RUN mkdir -p "${ANDROID_HOME}/cmdline-tools" && \
       "platforms;android-${ANDROID_COMPILE_SDK}" \
       "build-tools;${ANDROID_BUILD_TOOLS}" && \
     # Remove lint-psi to eliminate protobuf-java 2.6.1 CVEs (saves 86MB)
-    rm -rf "${ANDROID_HOME}/cmdline-tools/latest/lib/external/lint-psi"
+    rm -rf "${ANDROID_HOME}/cmdline-tools/latest/lib/external/lint-psi" && \
+    # Upgrade commons-lang3 from 3.16.0 to 3.18.0 to fix CVE-2025-48924
+    rm -f "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.16.0/commons-lang3-3.16.0.jar" && \
+    mkdir -p "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.18.0" && \
+    curl -fsSL "https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar" \
+      -o "${ANDROID_HOME}/cmdline-tools/latest/lib/external/org/apache/commons/commons-lang3/3.18.0/commons-lang3-3.18.0.jar"
 
 # Clone Flutter SDK from git (supports both amd64 and arm64)
 RUN git clone --depth 1 --branch ${FLUTTER_VERSION} https://github.com/flutter/flutter.git /opt/flutter && \

Dockerfile.linux

@@ -8,6 +8,9 @@ LABEL org.opencontainers.image.version="${FLUTTER_VERSION}"
 
 USER 0
 
+# Remove rav1e to eliminate CVE in paste crate (not needed for Flutter)
+RUN rm -f /usr/bin/rav1e /usr/lib/librav1e.so* /var/lib/db/sbom/rav1e-*.spdx.json
+
 # Clone Flutter SDK from git (supports both amd64 and arm64)
 RUN git clone --depth 1 --branch ${FLUTTER_VERSION} https://github.com/flutter/flutter.git /opt/flutter && \
     git config --global --add safe.directory /opt/flutter && \

README.md

@@ -0,0 +1,134 @@
+# Flutter SDK Docker Images
+
+<a href="https://git.openharbor.io/svrnty/docker-flutter-sdk" target="_blank"><img src="https://img.shields.io/badge/Git-Repository-orange?logo=gitea" alt="Git Repository"></a>
+<a href="https://hub.docker.com/r/svrnty/flutter-sdk" target="_blank"><img src="https://img.shields.io/badge/Docker%20Hub-svrnty%2Fflutter--sdk-blue?logo=docker" alt="Docker Hub"></a>
+<a href="https://hub.docker.com/r/svrnty/flutter-sdk" target="_blank"><img src="https://img.shields.io/docker/pulls/svrnty/flutter-sdk?logo=docker" alt="Docker Pulls"></a>
+<a href="https://developer.android.com/tools/releases/build-tools" target="_blank"><img src="https://img.shields.io/badge/Android%20SDK-36.1.0-green?logo=android" alt="Android SDK"></a>
+<a href="https://wolfi.dev" target="_blank"><img src="https://img.shields.io/badge/Base-Wolfi-purple?logo=linux" alt="Wolfi"></a>
+
+Lightweight Flutter SDK images for CI/CD pipelines. Built on [Wolfi](https://wolfi.dev), a security-focused Linux distribution designed for containers.
+
+## Images
+
+| Variant | Use Case | Size | Arch |
+|---------|----------|------|------|
+| <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=web" target="_blank"><img src="https://img.shields.io/badge/flutter--sdk-web--3.38.9-blue?logo=docker" alt="web-3.38.9"></a> | Web/WASM builds | <img src="https://img.shields.io/docker/image-size/svrnty/flutter-sdk/web-3.38.9?label=&logo=docker" alt="size"> | <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=web" target="_blank"><img src="https://img.shields.io/badge/amd64-E65100" alt="amd64"></a> &nbsp; <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=web" target="_blank"><img src="https://img.shields.io/badge/arm64-2e7d32" alt="arm64"></a> |
+| <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=android" target="_blank"><img src="https://img.shields.io/badge/flutter--sdk-android--3.38.9-blue?logo=docker" alt="android-3.38.9"></a> | Android APK/AAB builds | <img src="https://img.shields.io/docker/image-size/svrnty/flutter-sdk/android-3.38.9?label=&logo=docker" alt="size"> | <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=android" target="_blank"><img src="https://img.shields.io/badge/amd64-E65100" alt="amd64"></a> &nbsp; <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=android" target="_blank"><img src="https://img.shields.io/badge/arm64-2e7d32" alt="arm64"></a> |
+| <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=linux" target="_blank"><img src="https://img.shields.io/badge/flutter--sdk-linux--3.38.9-blue?logo=docker" alt="linux-3.38.9"></a> | Linux desktop builds | <img src="https://img.shields.io/docker/image-size/svrnty/flutter-sdk/linux-3.38.9?label=&logo=docker" alt="size"> | <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=linux" target="_blank"><img src="https://img.shields.io/badge/amd64-E65100" alt="amd64"></a> &nbsp; <a href="https://hub.docker.com/r/svrnty/flutter-sdk/tags?name=linux" target="_blank"><img src="https://img.shields.io/badge/arm64-2e7d32" alt="arm64"></a> |
+
+## Why Wolfi?
+
+[Wolfi](https://wolfi.dev) is a lightweight Linux distribution built specifically for containers. It provides:
+
+- **Minimal footprint** - Only essential packages, nothing extra
+- **Daily security updates** - Patches applied quickly
+- **Designed for containers** - No legacy cruft from traditional distros
+
+## Features
+
+- **Lightweight** - Optimized for fast CI/CD pulls
+- **Secure** - Built on Wolfi with continuous vulnerability scanning
+- **Multi-arch** - Supports both `linux/amd64` and `linux/arm64`
+- **Non-root** - Runs as unprivileged user (UID 65532)
+- **Supply chain security** - SBOM and SLSA provenance attestations included
+
+## Dockerfile Examples
+
+### Web App (WASM)
+
+```dockerfile
+FROM svrnty/flutter-sdk:web-latest AS build
+WORKDIR /app
+COPY . .
+RUN flutter pub get && flutter build web --wasm --release
+
+# Cache-busting: append version to JS/WASM references
+RUN VERSION=$(date +%s) && cd build/web && \
+    sed -i "s|flutter_bootstrap\.js\"|flutter_bootstrap.js?v=${VERSION}\"|g" index.html && \
+    sed -i "s|main\.dart\.js\"|main.dart.js?v=${VERSION}\"|g" flutter_bootstrap.js && \
+    sed -i "s|main\.dart\.mjs\"|main.dart.mjs?v=${VERSION}\"|g" flutter_bootstrap.js && \
+    sed -i "s|main\.dart\.wasm\"|main.dart.wasm?v=${VERSION}\"|g" flutter_bootstrap.js
+
+FROM ghcr.io/static-web-server/static-web-server:2 AS sws
+FROM scratch
+COPY --from=sws /static-web-server /static-web-server
+COPY --from=build /app/build/web /public
+COPY sws.toml /sws.toml
+EXPOSE 8080
+USER 65534
+ENTRYPOINT ["/static-web-server", "--config-file", "/sws.toml"]
+```
+
+**sws.toml** - Required headers for WASM multi-threading:
+
+```toml
+[general]
+host = "0.0.0.0"
+port = 8080
+root = "/public"
+page-fallback = "/public/index.html"
+compression = true
+
+[[advanced.headers]]
+source = "**"
+[advanced.headers.headers]
+Cross-Origin-Opener-Policy = "same-origin"
+Cross-Origin-Embedder-Policy = "require-corp"
+```
+
+### Android APK
+
+```dockerfile
+FROM svrnty/flutter-sdk:android-latest AS build
+COPY . /app
+WORKDIR /app
+RUN flutter pub get && flutter build apk --release
+
+FROM scratch
+COPY --from=build /app/build/app/outputs/flutter-apk/app-release.apk /
+```
+
+### Linux Desktop
+
+```dockerfile
+FROM svrnty/flutter-sdk:linux-latest AS build
+WORKDIR /app
+COPY . .
+RUN flutter pub get && flutter build linux --release
+
+FROM debian:bookworm-slim
+RUN apt-get update && apt-get install -y libgtk-3-0 && rm -rf /var/lib/apt/lists/*
+COPY --from=build /app/build/linux/arm64/release/bundle /app
+ENTRYPOINT ["/app/my_app"]
+```
+
+## CI/CD (Gitea/GitHub Actions)
+
+```yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container:
+      image: svrnty/flutter-sdk:android-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: flutter pub get
+      - run: flutter build apk --release
+```
+
+## Tags
+
+- `<variant>-latest` - Latest stable Flutter release
+- `<variant>-<version>` - Specific Flutter version (e.g., `android-3.38.9`)
+
+## Automatic Updates
+
+Images are automatically rebuilt when:
+- New Flutter stable versions are released
+- Base image security updates are available
+
+Every build is scanned and includes supply chain attestations (SBOM, SLSA provenance).
+
+## License
+
+MIT