Upgrade Node.js base image to 22.22.1-alpine3.23 & harden CI permissions#82

Merged
jfrench9 merged 1 commit into main from chore/upgrade-image
Mar 22, 2026
Conversation

@jfrench9
Member

Summary

This PR upgrades the project's Docker base image and enhances the security posture of our GitHub Actions workflows.

Changes

Docker (Dockerfile)

  • Upgraded Node.js base image from the previous version to node:22.22.1-alpine3.23, bringing in the latest LTS patches and Alpine security fixes.
  • Enhanced container security by upgrading system packages within the image (e.g., apk upgrade or equivalent), reducing the attack surface from known CVEs in outdated Alpine packages.

GitHub Workflows

  • .github/workflows/claude.yml: Added explicit permissions block to follow the principle of least privilege for CI job steps.
  • .github/workflows/create-release.yml: Added explicit permissions declarations for job steps, ensuring the release workflow only requests the access scopes it actually needs (6 lines added).

Key Improvements

  • Security: Pinning a specific Node.js + Alpine version and upgrading system packages mitigates supply-chain and known-vulnerability risks. Explicit workflow permissions prevent over-privileged GitHub Actions tokens.
  • Reproducibility: Locking to 22.22.1-alpine3.23 ensures deterministic builds across environments.

Breaking Changes

  • None expected. Node.js 22.x is the active LTS line and Alpine 3.23 is backward-compatible. However, if any native dependencies rely on specific musl/libc behavior from an older Alpine, there could be edge cases.

Testing Notes for Reviewers

  1. Build the Docker image locally and verify the application starts correctly:
    docker build -t app-test .
    docker run --rm -p 3000:3000 app-test
  2. Verify CI workflows: Check that both the claude.yml and create-release.yml workflows execute successfully with the new permissions. Look for any 403/permission-denied errors in Actions logs.
  3. Run the full test suite inside the container to confirm Node.js 22.22.1 compatibility.
  4. Smoke test the release workflow (or review a dry-run) to ensure the permissions block doesn't restrict any required operations (e.g., creating tags, publishing releases, writing packages).

Browser Compatibility Considerations

  • No impact. These changes are entirely infrastructure/CI-level (Docker base image and GitHub Actions configuration). There are no frontend, runtime, or bundle changes that would affect browser behavior or compatibility.

🤖 Generated with Claude Code

Branch Info:

  • Source: chore/upgrade-image
  • Target: main
  • Type: feature

Co-Authored-By: Claude noreply@anthropic.com
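The PR text describes two hardening points without showing the resulting files: an explicit `permissions` block so the workflow's GITHUB_TOKEN only gets the scopes a job needs, and a base image pinned to a full version with `apk upgrade` run at build time. The following is an added example, not code from this project or from the PR author: a small audit script that checks constructed workflow and Dockerfile samples for exactly those properties. The sample files, the job name `release`, and the all-zero `@sha256:` digest are assumptions made up for the demonstration; the real `claude.yml`, `create-release.yml` and Dockerfile are not reproduced here. It also goes one step past the PR by flagging tag-only pins: a tag such as `22.22.1-alpine3.23` can be re-pushed by the publisher, so only an `@sha256:` digest locks the exact image, and `apk upgrade` at build time fetches whatever Alpine currently serves, so the resulting filesystem is not identical across builds even with the tag pinned.

```python
"""Audit GitHub Actions workflows and Dockerfiles for explicit least-privilege
`permissions` and pinned base images.  Added example with constructed inputs;
these are not the project's real files."""
import re

PERM_RE = re.compile(r"^permissions:\s*(\S*)\s*$")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I)
# Tags that float to a newer build: latest, 22, 22.22, 22-alpine ...
FLOATING_TAG = re.compile(r"^(latest|\d+(\.\d+)?(-[a-z]+)?)$")


def parse_permissions(text):
    """Return (workflow_level, {job: job_level}).  A level is None (absent),
    a scalar ('read-all'/'write-all') or a {scope: level} dict.  Line-based,
    so it needs no YAML library; assumes the usual 2-space indentation."""
    workflow, jobs, in_jobs, job, block = None, {}, False, None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if block is not None:                   # still inside a permissions mapping
            target, depth = block
            if indent > depth:
                scope, _, level = stripped.partition(":")
                target[scope.strip()] = level.split("#")[0].strip()
                continue
            block = None
        if indent == 0:
            in_jobs, job = stripped == "jobs:", None
        elif in_jobs and indent == 2 and stripped.endswith(":"):
            job = stripped[:-1]
            jobs[job] = None                    # job seen, no block yet
        m = PERM_RE.match(stripped)
        if m and (indent == 0 or (job and indent == 4)):
            value = m.group(1) or {}
            if indent == 0:
                workflow = value
            else:
                jobs[job] = value
            if isinstance(value, dict):
                block = (value, indent)         # nested scopes fill this dict
    return workflow, jobs


def audit_workflow(text):
    """Findings for a workflow: missing blocks, write-all, workflow-wide write."""
    workflow, jobs = parse_permissions(text)
    findings = []
    for name, level in [("workflow", workflow)] + [(f"job '{j}'", p) for j, p in jobs.items()]:
        if level == "write-all":
            findings.append(f"{name}: write-all grants every scope to GITHUB_TOKEN")
        elif name == "workflow" and isinstance(level, dict) and "write" in level.values():
            findings.append("workflow: a write scope here reaches every job; move it to the job that needs it")
    for job, level in jobs.items():
        if level is None and workflow is None:
            findings.append(f"job '{job}': no permissions block at any level, token gets the repository default")
    return findings


def audit_dockerfile(text):
    """Findings for a Dockerfile: floating tags, missing digest, no apk upgrade."""
    findings = []
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m or m.group(1).lower() == "scratch":
            continue
        ref = m.group(1)
        image, _, digest = ref.partition("@")
        last = image.rsplit("/", 1)[-1]         # strip registry/namespace before looking for a tag
        tag = last.split(":", 1)[1] if ":" in last else None
        if tag is None or FLOATING_TAG.match(tag):
            findings.append(f"{ref}: floating tag; pin the full version (e.g. 22.22.1-alpine3.23)")
        if not digest:
            findings.append(f"{ref}: no digest; tags are mutable, add @sha256:<digest> to lock the image")
    if not re.search(r"\bapk\b[^\n]*\bupgrade\b", text):
        findings.append("no `apk upgrade`: Alpine packages stay at the base image's snapshot")
    return findings


# Constructed samples (not the project's files).  The hardened workflow grants
# read-only by default and only the release job gets contents: write.
WEAK_WORKFLOW = "name: release\non:\n  push:\n    tags: ['v*']\njobs:\n  release:\n" \
                "    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n"
HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read          # default for every job in this workflow
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write     # only what creating a GitHub release needs
    steps:
      - uses: actions/checkout@v4
"""
WEAK_DOCKERFILE = 'FROM node:22-alpine\nCOPY . /app\nCMD ["node", "/app/server.js"]\n'
HARDENED_DOCKERFILE = """\
# The digest below is an all-zero placeholder, not the real digest of this tag.
FROM node:22.22.1-alpine3.23@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apk upgrade --no-cache
USER node
COPY --chown=node:node . /app
CMD ["node", "/app/server.js"]
"""

if __name__ == "__main__":
    for label, fn, sample in [("weak workflow", audit_workflow, WEAK_WORKFLOW),
                              ("hardened workflow", audit_workflow, HARDENED_WORKFLOW),
                              ("weak Dockerfile", audit_dockerfile, WEAK_DOCKERFILE),
                              ("hardened Dockerfile", audit_dockerfile, HARDENED_DOCKERFILE)]:
        print(label, "->", fn(sample) or "OK")
```

Run it directly to see the four verdicts; point `audit_workflow` and `audit_dockerfile` at real file contents to use it in a pre-merge check. The parser is deliberately narrow (top-level and job-level `permissions` only, 2-space indentation), which is enough for the shape of workflow this PR touches; a workflow that reaches a release step via a reusable workflow or a job matrix needs a real YAML parser.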

…ity by upgrading system packages. Modify GitHub workflows to specify permissions for job steps.
@jfrench9 jfrench9 merged commit 40dac7b into main Mar 22, 2026
3 checks passed
@jfrench9 jfrench9 deleted the chore/upgrade-image branch March 22, 2026 05:18