From 3e9d3c2abd5df93766a621b43a79c4616c960d79 Mon Sep 17 00:00:00 2001 From: loks0n <22452787+loks0n@users.noreply.github.com> Date: Sun, 3 May 2026 14:34:07 +0100 Subject: [PATCH] Run apk upgrade in final image to patch musl and xz CVEs Resolves CVE-2025-26519 (musl qsort stack corruption), the musl iconv GB18030 DoS, and the xz index-decoding buffer overflow (CVE-2026-34743, fixed in xz-libs 5.8.3-r0). The compile stage already ran apk upgrade, but the runtime stage didn't, so the published image was shipping unpatched libs from the base. Co-Authored-By: Claude Opus 4.7 (1M context) --- CHANGES.md | 17 +++++++++++++++++ Dockerfile | 2 ++ 2 files changed, 19 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 884de84..ad9ad1f 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,5 +1,22 @@ # CHANGELOG +## Version 1.3.1 + +### Fix + +* Run `apk upgrade` in the final image to pull patched `musl` and `xz-libs` — resolves CVE-2025-26519 (musl `qsort` stack corruption), the musl `iconv` GB18030 DoS, and the `xz` index-decoding buffer overflow (CVE-2026-34743, fixed in `xz-libs` 5.8.3-r0). The compile stage already ran `apk upgrade`, but the runtime stage didn't, so the published image was shipping unpatched libs from the base. + +## Version 1.3.0 + +### Change + +* Pin Swoole base image to `phpswoole/swoole:6.2.0-php8.5-alpine` (released 6.2.0, was previously tracking nightly `php8.5-alpine`) for reproducible builds +* `tests.yaml` PHP assertion bumped to 8.5.4 and Swoole assertion pinned to 6.2.0 to match the pinned base + +### Fix + +* Manifest workflow tag reference — `manifest_build_and_push_on_tag` now uses `github.ref_name` instead of `github.event.release.tag_name`, which is empty on plain tag-push events and broke the `1.2.2` tag run with `docker manifest create: invalid reference format` + ## Version 1.2.2 ### Remove diff --git a/Dockerfile b/Dockerfile index f36976a..f9eaa7f 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -183,6 +183,8 @@ LABEL php_build_date=$PHP_BUILD_DATE RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \ echo $TZ > /etc/timezone && \ + apk update && \ + apk upgrade --no-cache && \ apk add --no-cache \ brotli \ certbot \
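Review bot: `apk update` on the first added line of the Dockerfile hunk is redundant with the `--no-cache` passed to the `apk upgrade` and `apk add` that follow, and it writes the repository index into `/var/cache/apk/` where it stays in the layer; drop it and let `apk upgrade --no-cache` fetch a fresh index itself. Separately, an unpinned `apk upgrade` makes the runtime stage depend on whatever the Alpine repositories serve at build time, which cuts against the reproducibility rationale given for pinning the base image in 1.3.0; if the goal is specifically the musl and xz-libs fixes, a version floor such as `apk add --no-cache 'xz-libs>=5.8.3-r0'` makes the build fail loudly when the repository does not yet carry the patched package instead of silently shipping the old one, and a matching assertion in `tests.yaml` (which already checks the PHP and Swoole versions) would catch a regression in the published image.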
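Review bot: the 1.3.1 entry in the CHANGES.md hunk names the fixed package version only for `xz-libs` (`5.8.3-r0`), while the two musl issues are listed without the `musl` version that carries the fixes and the `iconv` GB18030 DoS has no identifier at all; add the patched `musl` version (and an advisory reference if one exists) so a reader can confirm the fix against a published image with `apk info -v musl`. The entry should also say that the patched versions are whatever the Alpine repositories served at build time, since the Dockerfile change runs an unpinned `apk upgrade` rather than requiring specific versions.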