
Add weekly Docker image refresh workflow for security updates #4330

Merged
tillrohrmann merged 1 commit into restatedev:main from tillrohrmann:issues/4329
Feb 6, 2026

Conversation

@tillrohrmann
Contributor

Implement automatic refresh of Docker images to include latest base image security updates without rebuilding binaries:

  • Add docker/Dockerfile.refresh for lightweight image rebuilds
  • Add .github/workflows/docker-refresh.yml scheduled weekly workflow
  • Add OCI labels (base.name, base.digest) for change detection
  • Add date-suffixed tags (e.g., 1.6.0-20260204) for all builds
  • Add automatic 'latest' tag detection (only for newest semver release)
  • Skip refresh if base image unchanged or source image doesn't exist

The refresh workflow:

  • Runs weekly on main and release-* branches
  • Extracts version from Cargo.toml to find latest patch release
  • Compares base image digests to detect changes
  • Pushes to both GHCR and DockerHub

Closes #4329
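The decisions the description above lists (read the version from Cargo.toml, give `latest` only to the newest semver release, emit a date-suffixed tag next to the version tag, skip the rebuild when the base digest is unchanged) as plain shell functions. This is an added example, not code from the restate PR or its workflow: the Cargo.toml text, the list of published versions and the digests are constructed so it runs offline without docker, and the mapping of the PR's `base.digest` label onto the OCI annotation key `org.opencontainers.image.base.digest` is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code from the restate PR: the decisions a weekly image-refresh
# job makes (version from Cargo.toml, 'latest' only for the newest semver release,
# date-suffixed tags, base-digest change detection) as plain shell functions.
# All inputs below are constructed so the script runs offline without docker.

# First `version = "..."` line of a Cargo.toml passed as text ($1).
cargo_version() {
  printf '%s\n' "$1" | awk -F'"' '/^version[[:space:]]*=[[:space:]]*"/ { print $2; exit }'
}

# Numeric compare of two MAJOR.MINOR.PATCH strings; prints -1, 0 or 1.
# Pre-release suffixes are ignored (1.6.0-rc1 compares as 1.6.0); that is an
# assumption of this example, not a rule taken from the PR.
semver_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) { print "-1"; exit }
      if (x[i] + 0 > y[i] + 0) { print "1"; exit }
    }
    print "0"
  }'
}

# Succeeds when $1 is >= every version in the whitespace-separated list $2, i.e.
# when it is the newest release and may carry the moving 'latest' tag. A refresh
# of an older patch line (1.5.x) must never steal 'latest' from 1.6.0.
is_latest() {
  version=$1
  for v in $2; do
    [ "$(semver_cmp "$v" "$version")" -gt 0 ] && return 1
  done
  return 0
}

# Tags to push for one build: an immutable date-suffixed tag that lets operators
# pin one specific refresh, the moving version tag, and 'latest' only when allowed.
image_tags() {
  version=$1 stamp=$2 published=$3
  tags="$version-$stamp $version"
  if is_latest "$version" "$published"; then
    tags="$tags latest"
  fi
  printf '%s\n' "$tags"
}

# Change detection: $1 is the base digest recorded in the published image's
# org.opencontainers.image.base.digest label (assumed here to be the PR's
# base.digest label), $2 the digest the base tag resolves to right now.
# A missing label counts as changed so the first refresh always runs.
needs_refresh() {
  labeled=$1 current=$2
  [ -z "$labeled" ] && return 0
  [ "$labeled" != "$current" ]
}

# Constructed inputs standing in for the real repository and registry state.
CARGO_TOML='[package]
name = "example-server"
version = "1.6.0"
edition = "2021"'
PUBLISHED="1.4.2 1.5.3 1.6.0"

main() {
  v=$(cargo_version "$CARGO_TOML")
  echo "version:      $v"
  echo "tags:         $(image_tags "$v" 20260204 "$PUBLISHED")"
  echo "tags (1.5.4): $(image_tags 1.5.4 20260204 "$PUBLISHED")"
  if needs_refresh sha256:0123abcd sha256:4567ef01; then
    echo "base digest changed: rebuild"
  else
    echo "base digest unchanged: skip"
  fi
}

main
```

Running it prints the tag set for 1.6.0 (with `latest`) and for a hypothetical 1.5.4 patch refresh (without it), followed by the digest decision. In a real job the labeled digest would come from the published image's config and the current one from resolving the base tag in the registry; here both are constructed strings so the comparison logic can be exercised on its own.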

@pcholakov
Contributor

Thanks so much for jumping on this, @tillrohrmann! I like the date-based suffixed tags; this will work well for Cloud.

To go with this, it might be useful to also have a weekly security-focused cargo update automatic PR created against the latest release branch. E.g., I believe we currently ship a vendored OpenSSL librdkafka dependency which won't get picked up or updated by this workflow.

Long term, it might be super useful to publish an SBOM for Restate images to aid deployment-time scanning. Apparently https://github.com/rust-secure-code/cargo-auditable can bake dependency metadata directly into ELF binaries.

@jackkleeman
Contributor

#4331 added a new file and dir in the images (a symlink) which we need to also carry over

@tillrohrmann
Contributor Author

> Thanks so much for jumping on this, @tillrohrmann! I like the date-based suffixed tags; this will work well for Cloud.
>
> To go with this, it might be useful to also have a weekly security-focused cargo update automatic PR created against the latest release branch. E.g., I believe we currently ship a vendored OpenSSL librdkafka dependency which won't get picked up or updated by this workflow.
>
> Long term, it might be super useful to publish an SBOM for Restate images to aid deployment-time scanning. Apparently https://github.com/rust-secure-code/cargo-auditable can bake dependency metadata directly into ELF binaries.

These sound like really great ideas for follow-up issues. I will open corresponding issues for tracking them.

> #4331 added a new file and dir in the images (a symlink) which we need to also carry over

Thanks for the pointer @jackkleeman. Updating Dockerfile.refresh accordingly.

@tillrohrmann
Contributor Author

@jackkleeman I've addressed all open comments. It's ready for another review.

@tillrohrmann
Contributor Author

One related question: Should we change the default image pull policy of the helm charts to always so that people get the security updates on rollouts, crashes, etc.? If yes, then we should probably also update the defaults of the operator.

@jackkleeman
Contributor

> One related question: Should we change the default image pull policy of the helm charts to always so that people get the security updates on rollouts, crashes, etc.? If yes, then we should probably also update the defaults of the operator.

Probably not ideal, as if the registry is down then your pod won't start.

@jackkleeman
Contributor

@jackkleeman left a comment

I worry slightly that the latest tag logic may not work for other repos that use docker.yml. But we shall soon see!

@tillrohrmann
Contributor Author

> I worry slightly that the latest tag logic may not work for other repos that use docker.yml. But we shall soon see!

Fair point. Let's see.

Implement automatic refresh of Docker images to include latest base image
security updates without rebuilding binaries:

- Add docker/Dockerfile.refresh for lightweight image rebuilds
- Add .github/workflows/docker-refresh.yml scheduled weekly workflow
- Add OCI labels (base.name, base.digest) for change detection
- Add date-suffixed tags (e.g., 1.6.0-20260204) for all builds
- Add automatic 'latest' tag detection (only for newest semver release)
- Skip refresh if base image unchanged or source image doesn't exist

The refresh workflow:
- Runs weekly on main and release-* branches
- Extracts version from Cargo.toml to find latest patch release
- Compares base image digests to detect changes
- Pushes to both GHCR and DockerHub

Closes restatedev#4329
@tillrohrmann tillrohrmann merged commit 797da3f into restatedev:main Feb 6, 2026
6 checks passed
@tillrohrmann tillrohrmann deleted the issues/4329 branch February 6, 2026 18:58
@github-actions github-actions bot locked and limited conversation to collaborators Feb 6, 2026


Development

Successfully merging this pull request may close these issues.

Update Restate container images regularly to include latest security fixes

3 participants