Merge pull request #679 from mamba-org/sync-dev-2025-12-07

 dependency updates 2025-12-07

Author: wholtz

.github/ISSUE_TEMPLATE/issue-template.md

@@ -6,9 +6,14 @@ labels: ''
 assignees: ''
 
 ---
+You are at the right place to submit an issue about the *dockerization* of micromamba.
+If you have an issue about the micromamba program, then this is not the correct place
+to submit your issue. Please submit micromamba issues in the
+[mamba/libmamba/micromamba issue tracker](https://github.com/mamba-org/mamba/issues).
 
-You are at the right place to submit an issue about the *dockerization* of micromamba. If you have an issue about the micromamba program, then this is not the correct place to submit your issue. Please submit micromamba issues in the [mamba/libmamba/micromamba issue tracker](https://github.com/mamba-org/mamba/issues).
+Please read our [FAQ](https://github.com/mamba-org/micromamba-docker/blob/main/FAQ.md)
+before you create an issue.
 
-Please read our [FAQ](https://github.com/mamba-org/micromamba-docker/blob/main/FAQ.md) before you create an issue.
-
-This repo also has [Discussions](https://github.com/mamba-org/micromamba-docker/discussions) enabled and that may be a more appropriate location if you want to have a more open ended conversation.
+This repo also has [Discussions](https://github.com/mamba-org/micromamba-docker/discussions)
+enabled and that may be a more appropriate location if you want to have a more open
+ended conversation.

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md

@@ -1 +1 @@
-Please include an entry in CHANGELOG.md with most pull requests!
+# Please include an entry in CHANGELOG.md with most pull requests

.github/dependabot.yaml

@@ -3,4 +3,6 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "daily"
+    cooldown:
+      default-days: 4

.github/workflows/push_latest.yml

@@ -8,65 +8,65 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: read
+
 env:
-  DEFAULT_BASE_IMAGE: 'debian:12-slim'
-  LATEST_DEBIAN_BASE_IMAGE: 'debian:12'
-  LATEST_DEBIAN_SLIM_BASE_IMAGE: 'debian:12-slim'
-  LATEST_UBUNTU_BASE_IMAGE: 'ubuntu:24.04'
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: 'true'
+  DEFAULT_BASE_IMAGE: 'debian:13-slim'
+  LATEST_DEBIAN_BASE_IMAGE: 'debian:13'
+  LATEST_DEBIAN_SLIM_BASE_IMAGE: 'debian:13-slim'
+  LATEST_UBUNTU_BASE_IMAGE: 'ubuntu:25.10'
   LATEST_AMAZON_BASE_IMAGE: 'public.ecr.aws/amazonlinux/amazonlinux:2023'
-  LATEST_ALPINE_BASE_IMAGE: 'frolvlad/alpine-glibc:alpine-3.20'
-  LATEST_CUDA_BASE_IMAGE: 'nvidia/cuda:12.6.0-base-ubuntu24.04'
+  LATEST_ALPINE_BASE_IMAGE: 'frolvlad/alpine-glibc:alpine-3.22'
+  LATEST_CUDA_BASE_IMAGE: 'nvidia/cuda:13.0.2-base-ubuntu24.04'
 
 jobs:
   build_docker_image_and_push:
     if: github.repository == 'mamba-org/micromamba-docker'
     runs-on: ubuntu-24.04
+    permissions:
+      packages: write
     strategy:
       matrix:
         image:
+         - debian:13-slim
+         - debian:13
          - debian:12-slim
          - debian:12
-         - debian:11-slim
-         - debian:11
+         - ubuntu:25.10
          - ubuntu:24.04
          - ubuntu:22.04
-         - ubuntu:20.04
-         - frolvlad/alpine-glibc:alpine-3.20
-         - frolvlad/alpine-glibc:alpine-3.19
-         - frolvlad/alpine-glibc:alpine-3.18
-         - frolvlad/alpine-glibc:alpine-3.17
+         - frolvlad/alpine-glibc:alpine-3.22
+         - frolvlad/alpine-glibc:alpine-3.21
          - public.ecr.aws/amazonlinux/amazonlinux:2023
-         - nvidia/cuda:12.6.0-base-ubuntu24.04
-         - nvidia/cuda:12.6.0-base-ubuntu22.04
-         - nvidia/cuda:12.6.0-base-ubuntu20.04
+         - nvidia/cuda:13.0.2-base-ubuntu24.04
+         - nvidia/cuda:13.0.2-base-ubuntu22.04
+         - nvidia/cuda:12.9.1-base-ubuntu24.04
+         - nvidia/cuda:12.9.1-base-ubuntu22.04
+         - nvidia/cuda:12.8.1-base-ubuntu24.04
+         - nvidia/cuda:12.8.1-base-ubuntu22.04
+         - nvidia/cuda:12.6.3-base-ubuntu24.04
+         - nvidia/cuda:12.6.3-base-ubuntu22.04
          - nvidia/cuda:12.5.1-base-ubuntu24.04
          - nvidia/cuda:12.5.1-base-ubuntu22.04
-         - nvidia/cuda:12.5.1-base-ubuntu20.04
          - nvidia/cuda:12.4.1-base-ubuntu22.04
-         - nvidia/cuda:12.4.1-base-ubuntu20.04
          - nvidia/cuda:12.3.2-base-ubuntu22.04
-         - nvidia/cuda:12.3.2-base-ubuntu20.04
          - nvidia/cuda:12.2.2-base-ubuntu22.04
-         - nvidia/cuda:12.2.2-base-ubuntu20.04
          - nvidia/cuda:12.1.1-base-ubuntu22.04
-         - nvidia/cuda:12.1.1-base-ubuntu20.04
          - nvidia/cuda:11.8.0-base-ubuntu22.04
-         - nvidia/cuda:11.8.0-base-ubuntu20.04
          - nvidia/cuda:11.7.1-base-ubuntu22.04
-         - nvidia/cuda:11.7.1-base-ubuntu20.04
-         - nvidia/cuda:11.6.2-base-ubuntu20.04
-         - nvidia/cuda:11.4.3-base-ubuntu20.04
     steps:
-    - name: Install GNU parallel, shellcheck, and apptainer
+    - name: Install GNU parallel, shellcheck
       run: |
-        sudo add-apt-repository -y ppa:apptainer/ppa
         sudo apt update
-        sudo apt-get install --no-install-recommends -y parallel shellcheck software-properties-common apptainer
+        sudo apt-get install --no-install-recommends -y parallel shellcheck software-properties-common
     - name: Setup nox
-      uses: wntrblm/nox@5656fcedc31a1ea37d016e4d94d00185330cc528
+      uses: wntrblm/nox@0eee2e45758dbd06d48ebb23476439f0f00e5cbd
     - name: Checkout source
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
       with:
+        persist-credentials: false
         submodules: recursive
     - name: Get short git hash
       id: short_hash
@@ -91,9 +91,9 @@ jobs:
           echo 'distro_id=alpine' >> $GITHUB_OUTPUT
           alpine_version_number="${base_tag##alpine-}"
           echo "tag=alpine${alpine_version_number}" >> $GITHUB_OUTPUT
-          echo 'platforms=linux/amd64' >> $GITHUB_OUTPUT
+          echo 'platforms=linux/amd64,linux/arm64' >> $GITHUB_OUTPUT
         elif [ "${base_name}" = 'public.ecr.aws/amazonlinux/amazonlinux' ]; then
-          echo 'distro_id=amzn' >> $GITHUB_OUTPUT
+          echo 'distro_id=fedora' >> $GITHUB_OUTPUT
           echo "tag=amazon${base_tag}" >> $GITHUB_OUTPUT
           echo 'platforms=linux/amd64,linux/arm64' >> $GITHUB_OUTPUT
         elif [ "${base_name}" = 'ubuntu' ]; then
@@ -102,26 +102,30 @@ jobs:
           echo 'platforms=linux/amd64,linux/arm64,linux/ppc64le' >> $GITHUB_OUTPUT
         else
           echo 'distro_id=debian' >> $GITHUB_OUTPUT
-          echo "tag=${base_name}" >> $GITHUB_OUTPUT
-          echo 'platforms=linux/amd64,linux/arm64,linux/ppc64le' >> $GITHUB_OUTPUT
+          echo "tag=debian${base_tag}" >> $GITHUB_OUTPUT
+          if [ "${base_tag}" = '11' ] || [ "${base_tag}" = '11-slim' ]; then
+            echo 'platforms=linux/amd64,linux/arm64' >> $GITHUB_OUTPUT
+          else
+            echo 'platforms=linux/amd64,linux/arm64,linux/ppc64le' >> $GITHUB_OUTPUT
+          fi
         fi
         echo "is_default=$([ "$BASE_IMAGE" = "$DEFAULT_BASE_IMAGE" ] \
                            && echo true || echo false)" >> $GITHUB_OUTPUT
-        echo "is_latest_alpine=$([ "$IMAGE" = "$LATEST_ALPINE_BASE_IMAGE" ] \
+        echo "is_latest_alpine=$([ "$BASE_IMAGE" = "$LATEST_ALPINE_BASE_IMAGE" ] \
                           && echo true || echo false)" >> $GITHUB_OUTPUT
-        echo "is_latest_debian=$([ "$IMAGE" = "$LATEST_DEBIAN_BASE_IMAGE" ] \
+        echo "is_latest_debian=$([ "$BASE_IMAGE" = "$LATEST_DEBIAN_BASE_IMAGE" ] \
                           && echo true || echo false)" >> $GITHUB_OUTPUT
-        echo "is_latest_debian_slim=$([ "$IMAGE" = "$LATEST_DEBIAN_SLIM_BASE_IMAGE" ] \
+        echo "is_latest_debian_slim=$([ "$BASE_IMAGE" = "$LATEST_DEBIAN_SLIM_BASE_IMAGE" ] \
                           && echo true || echo false)" >> $GITHUB_OUTPUT
-        echo "is_latest_ubuntu=$([ "$IMAGE" = "$LATEST_UBUNTU_BASE_IMAGE" ] \
+        echo "is_latest_ubuntu=$([ "$BASE_IMAGE" = "$LATEST_UBUNTU_BASE_IMAGE" ] \
                           && echo true || echo false)" >> $GITHUB_OUTPUT
-        echo "is_latest_amazon=$([ "$IMAGE" = "$LATEST_AMAZON_BASE_IMAGE" ] \
+        echo "is_latest_amazon=$([ "$BASE_IMAGE" = "$LATEST_AMAZON_BASE_IMAGE" ] \
                           && echo true || echo false)" >> $GITHUB_OUTPUT
-        echo "is_latest_cuda=$([ "$IMAGE" = "$LATEST_CUDA_BASE_IMAGE" ] \
+        echo "is_latest_cuda=$([ "$BASE_IMAGE" = "$LATEST_CUDA_BASE_IMAGE" ] \
                           && echo true || echo false)" >> $GITHUB_OUTPUT
     - name: Get stage1 docker metadata
       id: get_stage1_metadata
-      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+      uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893
       with:
         images: |
           ghcr.io/mamba-org/micromamba-cache/stage1
@@ -130,7 +134,7 @@ jobs:
             type=raw,value=${{ steps.set_image_variables.outputs.tag }}
     - name: Get docker metadata
       id: get_metadata
-      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+      uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893
       with:
         images: |
           mambaorg/micromamba
@@ -150,15 +154,14 @@ jobs:
         # major
         # major.minor.patch-base_image
         # major.minor-base_image
-        # major-base_image
-        # git-commit-base_image
+        # major-base_imag git-commit-base_image
         # git-commit
         tags: |
             type=raw,value=latest,priority=1000,enable=${{ steps.set_image_variables.outputs.is_default }}
             type=raw,value=${{ steps.set_image_variables.outputs.tag }},priority=900
             type=raw,value=alpine,priority=850,enable=${{ steps.set_image_variables.outputs.is_latest_alpine }}
             type=raw,value=debian,priority=850,enable=${{ steps.set_image_variables.outputs.is_latest_debian }}
-            type=raw,value=debian-slim,priority=850,enable=${{ steps.set_image_variables.outputs.is_latest_debian-slim }}
+            type=raw,value=debian-slim,priority=850,enable=${{ steps.set_image_variables.outputs.is_latest_debian_slim }}
             type=raw,value=ubuntu,priority=850,enable=${{ steps.set_image_variables.outputs.is_latest_ubuntu }}
             type=raw,value=amazon,priority=850,enable=${{ steps.set_image_variables.outputs.is_latest_amazon }}
             type=raw,value=cuda,priority=850,enable=${{ steps.set_image_variables.outputs.is_latest_cuda }}
@@ -173,25 +176,25 @@ jobs:
         labels: |
           distro_id=${{ steps.set_image_variables.outputs.distro_id }}
     - name: Setup docker buildx
-      uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
+      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
     - name: Login to DockerHub
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
     - name: Login to GHCR
-      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
+      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Build Docker images but do not push them yet
       id: docker_build
-      uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
       env:
         DOCKER_BUILD_RECORD_UPLOAD: false
       with:
-        dockerfile: ${{ steps.set_image_variables.outputs.distro_id }}.Dockerfile
+        file: ${{ steps.set_image_variables.outputs.distro_id }}.Dockerfile
         platforms: ${{ steps.set_image_variables.outputs.platforms }}
         push: false
         build-args: |
@@ -206,9 +209,9 @@ jobs:
       run: nox -s "image_tests(base_image='${IMAGE}')"
     - name: Push stage1 Docker images
       id: docker_stage1_push
-      uses: docker/build-push-action@35434f557ad77672899d67f7992fb5560bda1071
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
       with:
-        dockerfile: ${{ steps.set_image_variables.outputs.distro_id }}.Dockerfile
+        file: ${{ steps.set_image_variables.outputs.distro_id }}.Dockerfile
         target: stage1
         platforms: ${{ steps.set_image_variables.outputs.platforms }}
         push: true
@@ -221,11 +224,11 @@ jobs:
         cache-to: type=inline
     - name: Push Docker images
       id: docker_push
-      uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
       env:
         DOCKER_BUILD_RECORD_UPLOAD: false
       with:
-        dockerfile: ${{ steps.set_image_variables.outputs.distro_id }}.Dockerfile
+        file: ${{ steps.set_image_variables.outputs.distro_id }}.Dockerfile
         platforms: ${{ steps.set_image_variables.outputs.platforms }}
         push: true
         build-args: |
@@ -234,23 +237,28 @@ jobs:
         labels: ${{ steps.get_metadata.outputs.labels}}
         cache-from: type=registry,ref=ghcr.io/mamba-org/micromamba-cache/cache:${{ steps.set_image_variables.outputs.tag }}
         cache-to: type=registry,ref=ghcr.io/mamba-org/micromamba-cache/cache:${{ steps.set_image_variables.outputs.tag }},mode=max
-    - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874
+    - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
       with:
-        name: ${{ steps.set_image_variables.outputs.tag }}
+        name: ${{ steps.set_image_variables.outputs.tag }}.metadata
         path: ${{ steps.get_metadata.outputs.bake-file }}
     - name: Image digest
-      run: echo ${{ steps.docker_build.outputs.digest }}
+      env:
+        DIGEST: ${{ steps.docker_build.outputs.digest }}
+      run: echo "${DIGEST}"
   update_dockerhub_discription:
     if: github.repository == 'mamba-org/micromamba-docker'
     needs: build_docker_image_and_push
     runs-on: ubuntu-24.04
     steps:
     - name: Checkout source
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+      with:
+        persist-credentials: false
     - name: Get artifacts
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
       with:
         path: artifacts
+        pattern: '*.metadata'
     - name: Format tags
       id: format_tags
       run: |
@@ -262,7 +270,7 @@ jobs:
           | sed 's%^mambaorg/micromamba:\(.*\)$%`\1`, %' \
           | tr -d '\n' \
           | sed 's%, $%%' \
-          | sed "s%^\(.*\)$%[\1](https://github.com/mamba-org/micromamba-docker/blob/main/${distro_id}.Dockerfile")%'
+          | sed "s%^\(.*\)%[\1](https://github.com/mamba-org/micromamba-docker/blob/main/${distro_id}.Dockerfile)%"
           printf '\n\n'
         }
         function get_tags_markdown {
@@ -281,11 +289,11 @@ jobs:
         echo "EOF" >> $GITHUB_ENV
     - name: generate README_with_tags.md
       run: |
-        awk -v r='${{ env.TAGS_MARKDOWN }}' \
+        awk -v r='${TAGS_MARKDOWN}' \
             '{gsub(/<!-- DOCKER_TAGS_INSERTION_POINT -->/,r)}1' \
             README.md > README_with_tags.md
     - name: Copy GitHub README.md to Dockerhub
-      uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae
+      uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -295,9 +303,13 @@ jobs:
     if: github.repository == 'mamba-org/micromamba-docker'
     needs: build_docker_image_and_push
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
     - name: Checkout source
-      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+      with:
+        persist-credentials: false
     - name: Get micromamba version number
       id: get_version
       run: |
@@ -322,7 +334,7 @@ jobs:
         create_annotated_tag: true
     - name: Create a GitHub release
       if: steps.last_tag.outputs.previous_tag != steps.get_version.outputs.leading_v_version
-      uses: ncipollo/release-action@a8bcd956fb63e2672c1e57eafb1accf4eaa68c31
+      uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b
       with:
         tag: ${{ steps.create_tag.outputs.new_tag }}
         name: micromamba ${{ steps.create_tag.outputs.new_tag }}