Skip to content

docker: bump postgres from 18.4-alpine to 18.4-alpine#603

Merged
bgentry merged 1 commit into
masterfrom
dependabot/docker_compose/postgres-18.4-alpine
Jul 2, 2026
Merged

docker: bump postgres from 18.4-alpine to 18.4-alpine#603
bgentry merged 1 commit into
masterfrom
dependabot/docker_compose/postgres-18.4-alpine

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps postgres from 18.4-alpine to 18.4-alpine.

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps postgres from 18.4-alpine to 18.4-alpine.

---
updated-dependencies:
- dependency-name: postgres
  dependency-version: 18.4-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file docker labels Jul 1, 2026

@bgentry bgentry left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Codex review: Security review looks good to me.

I reviewed this as a dependency-upgrade supply-chain/security pass for the dev postgres:18.4-alpine image digest refresh at head 5f0f82cd3b102fa5e7e4b678fc0500805563e1db.

Scope reviewed:

  • docker-compose.dev.yaml image reference change.
  • Official Docker Hub library/postgres source and pinned digest behavior.
  • Live Docker Hub manifest-list digest verification with skopeo inspect --raw.
  • CI status, with the known Dependabot riverproui image-publish/OIDC failure treated separately from dependency safety.

No blocking supply-chain issue found. The update keeps the image source on official Docker Hub library/postgres, keeps the same 18.4-alpine tag, and only refreshes the pinned dev Compose digest from sha256:96d56f7... to sha256:1b1689b....

I independently verified that the current raw manifest-list digest for docker.io/library/postgres:18.4-alpine is sha256:1b1689b20d16a014a3d195653381cf2caa75a41a92d93b255a9d6ea29fd353aa, matching the PR.

The remaining failed riverproui image checks are consistent with the known Dependabot OIDC/publish limitation, while the ordinary JS/Go checks and riverui image jobs passed.

@bgentry bgentry merged commit 10bca81 into master Jul 2, 2026
16 of 18 checks passed
@bgentry bgentry deleted the dependabot/docker_compose/postgres-18.4-alpine branch July 2, 2026 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file docker

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant