Problem
`Dockerfile` uses `python:3.12-slim` and `ghcr.io/astral-sh/uv:latest`. Tags are mutable; builds are not reproducible and have no automated update channel.
Proposal
- Pin both images to immutable digests (`python:3.12-slim@sha256:...`, `ghcr.io/astral-sh/uv@sha256:...`).
- Add `.github/dependabot.yml` with `docker`, `pip` (via `pyproject.toml`/`uv.lock`), and `github-actions` ecosystems.
- CI should run a vulnerability scan (`docker scout cves` or `trivy image`) on the built image.
Acceptance
- Dependabot opens PRs for Python, GH Actions, and base-image updates.
- Release workflow also tags `latest` only from `main`.
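A CI guard for the digest-pin acceptance criterion, added here as an example (not the project's own code). It assumes a POSIX shell with awk, and the two Dockerfiles it checks are constructed samples with a placeholder digest, not real image digests:

```shell
#!/bin/sh
# Added example: check_pinned_from DOCKERFILE exits 0 only if every FROM image
# carries a full @sha256 digest; references to earlier build stages
# (FROM x AS y ... FROM y) are allowed. Hypothetical helper, not project code.
check_pinned_from() {
  awk '
    tolower($1) == "from" {
      ref = ""
      for (i = 2; i <= NF; i++) if ($i !~ /^--/) { ref = $i; break }  # skip --platform=...
      if (ref in stages) next                                         # earlier stage, not an image
      for (i = 2; i < NF; i++) if (tolower($i) == "as") stages[$(i+1)] = 1
      n = split(ref, p, "@sha256:")
      if (n != 2 || length(p[2]) != 64 || p[2] !~ /^[0-9a-f]+$/) {
        printf "unpinned: %s\n", ref
        bad++
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Constructed sample 1: the current state described in the issue (mutable tags).
UNPINNED=$(mktemp)
cat > "$UNPINNED" <<'EOF'
FROM ghcr.io/astral-sh/uv:latest AS uv
FROM python:3.12-slim
COPY --from=uv /uv /usr/local/bin/uv
EOF

# Constructed sample 2: the proposed state. DIGEST is a PLACEHOLDER, not a real
# image digest; resolve the real one with
#   docker buildx imagetools inspect python:3.12-slim
DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
PINNED=$(mktemp)
cat > "$PINNED" <<EOF
FROM ghcr.io/astral-sh/uv@sha256:$DIGEST AS uv
FROM python:3.12-slim@sha256:$DIGEST AS base
FROM base
COPY --from=uv /uv /usr/local/bin/uv
EOF

# In CI: check_pinned_from Dockerfile || exit 1  (fails the job on any unpinned FROM)
```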