
@gocanto gocanto commented Oct 14, 2025

Summary

  • update the Caddy build argument to use version 2.10.2 across docker-compose and the Caddy Dockerfile
  • bump the Go builder base image to golang:1.25.3-alpine3.22 and refresh the runtime Alpine digest
  • upgrade supporting services to migrate/migrate:v4.19.0 and postgres:17.6-alpine3.22

Testing

  • make format

https://chatgpt.com/codex/tasks/task_e_68ee0fe49e748333b7f274153e4663c1

Summary by CodeRabbit

  • New Features

    • None.
  • Bug Fixes

    • Improved stability through updated container bases and configurations.
  • Chores

    • Upgraded underlying container images to latest patch releases for enhanced security and reliability.
    • Aligned local and production build configurations to a consistent version.
    • Refreshed database and migration containers to current stable versions.
    • Updated OS base images to improve build reproducibility and reduce vulnerabilities.
  • Documentation

    • None.
  • Refactor

    • None.

@gemini-code-assist

Summary of Changes

Hello @gocanto, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on updating several core Docker images and their versions used within the project's development and deployment configurations. The changes ensure that the application leverages the most recent stable releases for its Caddy proxy, Go build environment, database migration tooling, and PostgreSQL database. This systematic update aims to enhance security, improve performance, and provide access to the latest features offered by these critical components.

Highlights

  • Caddy Version Update: The Caddy proxy server has been updated to version 2.10.2 across both the caddy/Dockerfile and docker-compose.yml configurations, ensuring the latest stable release is used for both production and local environments.
  • Go Builder Image Upgrade: The Go builder base image in docker/dockerfile-api has been bumped to golang:1.25.3-alpine3.22, along with a refresh of the runtime Alpine digest, providing an updated and potentially more secure build environment for the Go application.
  • Database Migration Tool Update: The migrate/migrate service in docker-compose.yml has been upgraded to v4.19.0, incorporating the latest features and fixes for database schema management.
  • PostgreSQL Database Image Update: The PostgreSQL database image in docker-compose.yml has been updated to postgres:17.6-alpine3.22, bringing the latest stable version of PostgreSQL with an Alpine base for a smaller footprint.

@coderabbitai

coderabbitai bot commented Oct 14, 2025

Walkthrough

Version updates across container build and runtime configurations: Caddy default version bumped to 2.10.2, Go builder and Alpine base images updated in the API Dockerfile, and docker-compose services updated for Caddy, migrate, and Postgres images. No logic or control-flow changes.

Changes

  • Caddy version alignment (caddy/Dockerfile, docker-compose.yml): Bumped CADDY_VERSION to 2.10.2 in Dockerfile and compose build args (caddy_prod, caddy_local).
  • Compose service image bumps (docker-compose.yml): Updated images: migrate/migrate v4.18.3 → v4.19.0; postgres 17.3-alpine → 17.6-alpine3.22; set caddy_local from latest → 2.10.2.
  • API Dockerfile base images (docker/dockerfile-api): Updated builder base image golang 1.25.1-alpine → 1.25.3-alpine3.22; final Alpine base image digest updated for 3.22.


Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


Poem

I thump my paws, updates in a row,
Tags hop forward—Caddy, Go!
Alpine peaks with fresher snow,
Migrate, Postgres, onward we go.
In tidy burrows, images align—
Ship it swift, in perfect time. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: Passed. The title concisely and clearly summarizes the primary purpose of the pull request, which is updating Docker image versions across various configuration files, and uses the conventional “chore:” prefix without unnecessary detail.
  • Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

@gocanto gocanto changed the title from "Update Docker images to latest releases" to "chore: Update Docker images to latest releases" Oct 14, 2025

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates several Docker images to their latest versions, including Caddy, Go, Postgres, and migrate. The changes are well-executed, and pinning the Caddy version for the local environment instead of using latest is a great improvement for reproducibility. I have one suggestion to further improve maintainability by centralizing the Caddy version in your docker-compose.yml to avoid duplication and potential environment drift. Overall, these are solid updates.
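The centralization the Gemini review asks for can be done with a compose extension field and a YAML anchor, so the version is written once and both Caddy services reference it. The fragment below is an added illustration and not the repository's docker-compose.yml: the service names caddy_prod and caddy_local and the CADDY_VERSION build argument are taken from this PR, while the build context and everything else in the file are assumed. The two YAML documents show the duplicated form and the centralized form side by side.

```yaml
# Before (assumed shape): the Caddy version is repeated per service,
# so the two copies can drift apart on the next bump.
services:
  caddy_prod:
    build:
      context: ./caddy
      args:
        CADDY_VERSION: 2.10.2
  caddy_local:
    build:
      context: ./caddy
      args:
        CADDY_VERSION: 2.10.2
---
# After: one definition under an extension field (compose ignores x-* keys),
# referenced from both services through a YAML anchor.
x-caddy-build: &caddy-build
  context: ./caddy
  args:
    # Settable from the environment or .env for one-off builds;
    # the default keeps the pin at the version this PR introduces.
    CADDY_VERSION: ${CADDY_VERSION:-2.10.2}

services:
  caddy_prod:
    build: *caddy-build
  caddy_local:
    build: *caddy-build
```

Running `docker compose config` prints the resolved file with the anchor expanded, which is the quickest way to confirm both services end up with the same build argument. The `ARG CADDY_VERSION=2.10.2` default in caddy/Dockerfile still matters for builds run outside compose, so it has to be bumped alongside the compose default until that is also driven from one place.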

@gocanto gocanto merged commit ca75f54 into main Oct 14, 2025
4 checks passed
@gocanto gocanto deleted the gus/update-docker-compose-and-dockerfile-images-2025-10-14 branch October 14, 2025 09:15
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (2)
docker-compose.yml (2)

1-244: Consider comprehensive testing beyond formatting.

The PR description mentions running make format as the testing approach. For Docker image version upgrades, consider additional verification:

  • Build all services successfully
  • Run integration tests with the new images
  • Verify database migrations work with PostgreSQL 17.6
  • Test that the application starts and serves requests correctly

Have these steps been performed? If not, consider adding them to the testing checklist before merging.


191-191: Confirmed postgres:17.6-alpine3.22; no breaking changes. 17.6 (2025-08-14) adds security fixes and bug fixes. If you use BRIN numeric_minmax_multi_ops indexes, reindex them after upgrade.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4ac0bb6 and f92817e.

📒 Files selected for processing (3)
  • caddy/Dockerfile (1 hunks)
  • docker-compose.yml (4 hunks)
  • docker/dockerfile-api (2 hunks)
🔇 Additional comments (4)
docker-compose.yml (2)

158-158: migrate/migrate:v4.19.0 exists with no breaking changes. Tag verified on Docker Hub; release notes list only bug fixes, dependency updates, and added Go 1.25 support—safe to upgrade.


36-36: Good practice: pinning Caddy to v2.10.2 (verified)
Caddy v2.10.2 (hotfix release 2025-08-23) is available; it fixes logger ordering (#7198), ACME DNS regression (#7199), and nested token import issues (#7189), aligning local and prod images.

caddy/Dockerfile (1)

6-6: Caddy v2.10.2 verified
Exists as of Aug 23 2025; hotfix release addressing critical regressions in logger initialization, acme_dns in httpcaddyfile, and nested {block} token imports. No additional known issues in the official changelog.

docker/dockerfile-api (1)

37-37: Verify Go builder image tag and scan for vulnerabilities.
I couldn’t find golang:1.25.3-alpine3.22 on Docker Hub; please confirm the tag exists (e.g. docker pull) and scan the final image (Trivy/Snyk/etc) for CVEs (Go 1.25.3 fixes CVE-2023-44487 but other vulnerabilities may apply).

# FINAL STAGE
# ----------------------------------------------------------------------------------------------------------------------
FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1
FROM alpine:3.22@sha256:85f2b723e106c34644cd5851d7e81ee87da98ac54672b29947c052a45d31dc2f
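Review bot: the refreshed pin on the second `FROM alpine:3.22@sha256:85f2b7…` line records neither how the digest was obtained nor which kind of digest it is, so a reviewer cannot tell whether it is the manifest-list (index) digest or a single-architecture image digest, which are different values for the same tag. Put the resolving command in a comment directly above the FROM line (for example the digest reported by `docker buildx imagetools inspect alpine:3.22`), so the next refresh pins the same kind of digest and a mismatch against a value fetched by another tool is compared like with like before being treated as proof that the pin is wrong.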

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify Alpine base image digest.

The Alpine base image digest has been updated. Please confirm that this digest corresponds to the correct alpine:3.22 image and check for any security advisories.


🏁 Script executed:

#!/bin/bash
# Description: Verify the Alpine 3.22 image digest and check for security advisories

# Fetch the latest digest for alpine:3.22 from Docker Hub
echo "Fetching digest for alpine:3.22..."
curl -s "https://hub.docker.com/v2/repositories/library/alpine/tags/3.22" | jq -r '.digest'

# Check for security advisories
echo -e "\nChecking for security advisories..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 5, ecosystem: ALPINE, package: "alpine") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 623


Update Alpine base image digest and scan for vulnerabilities

  • Replace the pinned digest on line 85 with sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412
  • Run a container vulnerability scan (e.g. trivy image alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412) and resolve any critical CVEs
🤖 Prompt for AI Agents
In docker/dockerfile-api around line 85, replace the current Alpine 3.22 image
digest with
sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 and then
run a container vulnerability scan (for example: trivy image
alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412)
and address any critical/high CVEs found by updating packages, switching to a
patched base image, or applying mitigations before committing the change.
