Optimise image rebuilding

[pabzm]

Since today our image are rebuilt weekly.

Most of the time this will make sense because the upstream image changed, but sometimes the runner will run in vain. In order to prevent that we could use Renovate to check if the upstream images actually changed.

(Idea originally by @thomascube in #270 (comment))

[waja]

Just pulling new base image might be good. But newly released (security) patches are normally not released to the docker images, until a new minor release of the distribution is released.
Even if it is not recommended at some places, pulling security fixes by kinda apt update && apt -y upgrade pull them before a minor distribution release.

[pabzm]

The Debian images at the base of our images ancestry are at least updated monthly (the Alpine images only more infrequently), but you're right, we probably should upgrade packages in our build process.

[thomascube]

Even if it is not recommended at some places, pulling security fixes by kinda apt update && apt -y upgrade pull them before a minor distribution release.

In my opinion it's the job of the base image provider to release updates and security fixes and the consumers (we) can/should rely on this -> separation of concerns.

[pabzm]

@thomascube I agree, but as long as upstream doesn't do that I would still prefer to have up-to-date images. And as we call them "production-ready" they should be solid – no matter who did what.