ci: schedule a weekly Docker image rebuild against the latest release

[rusackas]

SUMMARY

Adds a cron-triggered workflow that re-runs the Docker image build against the most-recent published release every Monday at 06:00 UTC (and on workflow_dispatch when an operator wants to force it). The Superset code being built doesn't change — but the base image layers (python:*-slim-trixie and the Debian OS packages underneath) do receive upstream security patches between Superset releases. Without a rebuild, apache/superset:<latest> ships those CVEs unfixed for as long as the inter-release gap (typically 3–6 weeks).

Why this approach over the alternatives

Option	Problem
Tied to releases	Defeats the purpose — the gap we're trying to close is the inter-release window
Swap to Chainguard / distroless	Would also close the gap, but at the cost of a backward-incompatible package-manager change for downstream operators who extend apache/superset:<tag> with their own apt install lines for custom drivers
Daily cadence	Probably overkill — Debian's security tree updates on a roughly weekly rhythm

Implementation

Deliberately reuses the same supersetbot docker invocation as tag-release.yml:

• Same matrix of build presets (dev, lean, py310, websocket, dockerize, py311, py312)
• Same --context release --context-ref <tag> --force-latest flags
• Same checkout-by-release-tag, same multi-platform build

So the resulting tags are byte-equivalent to what a manual release dispatch would produce — only the base layer changes. Concurrency group docker-publish-latest-release is shared with the release publisher so the two can't race each other on the Docker Hub push.

Tag mutability note

The rebuild overwrites both the rolling tags (apache/superset:latest) and the version-specific tag of the latest release (e.g. apache/superset:5.0.0). This is intentional and matches how the upstream python:*-slim-trixie images themselves behave — version tags reflect content + latest patches, not a frozen SHA. Users who need a frozen reference should pin by image digest (apache/superset@sha256:...).

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

N/A — CI configuration only.

TESTING INSTRUCTIONS

After merge:

1. Trigger the workflow manually from the Actions tab (Scheduled Docker image refresh → "Run workflow") to confirm it picks up the latest release tag, builds all presets, and pushes successfully.
2. Inspect the resulting image on Docker Hub — the digest should differ from the previous build, but docker run apache/superset:<tag> superset --help (and equivalents) should behave identically.
3. Monitor the first scheduled run on the Monday after merge.

ADDITIONAL INFORMATION

• Has associated issue:
• Required feature flags:
• Changes UI
• Includes DB Migration (follow approval process in SIP-59)
  • Migration is atomic, supports rollback & is backwards-compatible
  • Confirm DB migration upgrade and downgrade tested
  • Runtime estimates and downtime expectations provided
• Introduces new feature or API
• Removes existing feature or API

[bito-code-review]

Bito Automatic Review Skipped - Files Excluded

Bito didn't auto-review this change because all changed files are in the exclusion list for automatic reviews. No action is needed if you didn't intend for the agent to review it. Otherwise, to manually trigger a review, type /review in a comment and save.
You can change the excluded files settings here, or contact your Bito workspace admin at evan@preset.io.

[netlify]

✅ Deploy Preview for superset-docs-preview ready!

Name	Link
🔨 Latest commit	3212243
🔍 Latest deploy log	https://app.netlify.com/projects/superset-docs-preview/deploys/6a1512ff58e0af0008048063
😎 Deploy Preview	https://deploy-preview-40426--superset-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codeant-ai-for-open-source]

🟠 Architect Review — HIGH

The workflow comments assume Docker tag pushes are serialized with the release publisher, but only this new workflow defines concurrency.group: docker-publish-latest-release. .github/workflows/tag-release.yml has no concurrency block, so GitHub Actions will not coordinate the two workflows and they can still race on apache/superset:latest and versioned release tags.

Suggestion: Add the same concurrency group (docker-publish-latest-release) to .github/workflows/tag-release.yml (or centralize both callers through a reusable workflow that sets it) so both Docker-publishing workflows participate in the same lock and cannot race on the shared tags.

Fix in Cursor | Fix in VSCode Claude

(Use Cmd/Ctrl + Click for best experience)

Prompt for AI Agent 🤖

This is an **Architect / Logical Review** comment left during a code review. These reviews are first-class, important findings — not optional suggestions. Do NOT dismiss this as a 'big architectural change' just because the title says architect review; most of these can be resolved with a small, localized fix once the intent is understood.

**Path:** .github/workflows/scheduled-docker-image-refresh.yml
**Line:** 37:39
**Comment:**
	*HIGH: The workflow comments assume Docker tag pushes are serialized with the release publisher, but only this new workflow defines `concurrency.group: docker-publish-latest-release`. `.github/workflows/tag-release.yml` has no `concurrency` block, so GitHub Actions will not coordinate the two workflows and they can still race on `apache/superset:latest` and versioned release tags.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.
If a suggested approach is provided above, use it as the authoritative instruction. If no explicit code suggestion is given, you MUST still draft and apply your own minimal, localized fix — do not punt back with 'no suggestion provided, review manually'. Keep the change as small as possible: add a guard clause, gate on a loading state, reorder an await, wrap in a conditional, etc. Do not refactor surrounding code or expand scope beyond the finding.
Once fix is implemented, also check other comments on the same PR, and ask user if the user wants to fix the rest of the comments as well. if said yes, then fetch all the comments validate the correctness and implement a minimal fix

[bito-code-review]

The PR comment file contains only one comment row (line 2) with empty content. I cannot analyze or act on this data. Please ensure the PR comments file contains the necessary data for review.