From a9ab4ab228380f7e036f0b86863e859c94ab59b4 Mon Sep 17 00:00:00 2001
From: "Joseph T. French"
Date: Sun, 22 Mar 2026 00:14:30 -0500
Subject: [PATCH] Update Dockerfile to use Node.js 22.22.1-alpine3.23 and enhance security by upgrading system packages. Modify GitHub workflows to specify permissions for job steps.

---
 .github/workflows/claude.yml         | 2 ++
 .github/workflows/create-release.yml | 6 ++++++
 Dockerfile                           | 8 ++++----
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index c880214..332d3e5 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -13,6 +13,8 @@ on:
 jobs:
   check-runner-availability:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       runners_available: ${{ steps.check.outputs.runners_available }}
       runner_type: ${{ steps.check.outputs.runner_type }}
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index d7fc39f..f57068f 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -27,6 +27,8 @@ jobs:
   create-branch:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions:
+      contents: write
     outputs:
       new_version: ${{ steps.new-version.outputs.new_version }}
       branch_name: ${{ steps.new-version.outputs.branch_name }}
@@ -146,6 +148,7 @@ jobs:
   check-deploy-method:
     needs: create-tag
     runs-on: ubuntu-latest
+    permissions: {}
     outputs:
       use_dispatch: ${{ steps.check.outputs.use_dispatch }}
     steps:
@@ -172,6 +175,7 @@ jobs:
       (inputs.deploy_to == 'staging' || inputs.deploy_to == 'all')
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions: {}
     outputs:
       run_id: ${{ steps.dispatch.outputs.run_id }}
     steps:
@@ -211,6 +215,7 @@ jobs:
       (needs.deploy-staging-dispatch.result == 'success' || needs.deploy-staging-dispatch.result == 'skipped')
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    permissions: {}
     outputs:
       run_id: ${{ steps.dispatch.outputs.run_id }}
     steps:
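Review bot: The new `permissions: contents: read` on `check-runner-availability` may be narrower than the job's own `check` step needs: its outputs (`runners_available`, `runner_type`) suggest the step queries runner state, and if it does so through the Actions API with `GITHUB_TOKEN`, `contents: read` does not cover that call and it will fail — the steps are outside the hunk, so confirm the step authenticates with a separately scoped token or treats a 403 as "unavailable". Job-level `permissions` also leave the workflow's other jobs on the repository default unless a workflow-level block exists above this hunk, which is not visible here. A one-line comment above the block, e.g. `# least-privilege GITHUB_TOKEN; widen only if a step provably needs more`, would keep the next editor from restoring the default.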
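Review bot: `permissions: {}` on the jobs at hunks -146, -172 and -211 (and the summary job at -295 on the next line) removes every `GITHUB_TOKEN` scope, including `contents: read`, so any `actions/checkout` or `gh workflow run` in those jobs' steps (outside the hunks) that relies on the default token will now fail; confirm each dispatch step authenticates with a dedicated token secret, which a cross-repository dispatch already requires, in which case the empty grant is the right choice. On `create-branch`, `contents: write` is the minimum for pushing a branch, but pushes made with `GITHUB_TOKEN` do not trigger other `on: push` workflows — worth noting if later jobs depend on that. Consider recording the intent on each block, e.g. `# GITHUB_TOKEN is not used by this job; dispatch authenticates with its own token secret`.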
@@ -295,6 +300,7 @@ jobs: if: always() runs-on: ubuntu-latest timeout-minutes: 2 + permissions: {} steps: - name: Create summary env: diff --git a/Dockerfile b/Dockerfile index 755a0f6..f5f1e24 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 # --- Build Stage --- -FROM public.ecr.aws/docker/library/node:22.21.1-alpine AS builder +FROM public.ecr.aws/docker/library/node:22.22.1-alpine3.23 AS builder WORKDIR /app # Install git for private repository access @@ -23,12 +23,12 @@ RUN if [ -f next-build.tar.gz ]; then \ fi # --- Production Stage --- -FROM public.ecr.aws/docker/library/node:22.21.1-alpine AS runner +FROM public.ecr.aws/docker/library/node:22.22.1-alpine3.23 AS runner WORKDIR /app ENV NODE_ENV=production -# Install git for private repository access -RUN apk add --no-cache git +# Install git and upgrade system packages for security patches +RUN apk upgrade --no-cache && apk add --no-cache git # Create non-root user before copying files (enables --chown) RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 -G appgroup
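Review bot: `RUN apk upgrade --no-cache && apk add --no-cache git` in the runner stage makes the image depend on whatever the Alpine index holds at build time, so two builds of the same commit can ship different package sets and hadolint flags it (DL3017); with the base now pinned to `22.22.1-alpine3.23`, the reproducible way to take OS security patches is to bump the tag or add a `@sha256:<digest>` and rebuild, keeping the install as `RUN apk add --no-cache git`. If the upgrade stays because the Node base image lags Alpine security releases, say so in the comment, e.g. `# apk upgrade: node base image lags Alpine security releases; rebuild on a schedule`. Separately, `git` is still installed in the production image under the build-time rationale "private repository access"; if the app does not exec git at runtime, drop it from the runner stage, and if it must stay, pin it (`git=<version>`, DL3018). The hunk opens on the `fi` of a RUN that begins outside it.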