feat: semi-automated Alpine base image minor/major update workflow

[Copilot]

Alpine minor/major version bumps require coordinated updates across the FROM image tag, Renovate comment prefixes (alpine_X_Y/), and all pinned package versions — none of which Renovate handles atomically.

Changes

.github/workflows/update-alpine.yml (new)

• Runs daily (0 6 * * * UTC) + workflow_dispatch
• Queries Docker Hub for latest Alpine X.Y.Z; compares major/minor only against current Dockerfile — ignores patch bumps (handled by Renovate)
• Idempotent: skips if update branch already exists remotely
• Spins up a temporary alpine:<new-version> container and runs apk search -e <pkg> for every tracked package to resolve current versions in the new Alpine repo
• Applies three surgical sed passes to the Dockerfile:
  1. FROM image tags → new version
  2. depName=alpine_3_22/ renovate comment prefixes → depName=alpine_3_23/ (keeps Renovate functional for subsequent patch tracking)
  3. All pinned ARG/ENV version values → queried package versions (no-op per package if not found, surfaced as CI failure)
• Pushes branch chore/update-alpine-X.Y.Z off dev and opens a PR; existing test-pr.yml CI gates merge

renovate.json (modified)

• Added rule to disable Renovate for Alpine minor and major updates — prevents conflicting duplicate PRs
• Alpine patch auto-merge and all other package version tracking via Renovate comments are unchanged

{
  "matchPackageNames": ["alpine"],
  "matchUpdateTypes": ["minor", "major"],
  "enabled": false
}

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}