chore(deps): update alpine:3.23 docker digest to fd791d7 #67

Open
renovate[bot] wants to merge 1 commit into main from renovate/alpine-3.23

@renovate Bot commented Jun 23, 2026

This PR contains the following updates:

Package  Type   Update  Change
alpine   final  digest  5b10f43 → fd791d7
alpine   stage  digest  5b10f43 → fd791d7

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

  • Type of change: Digest-pinned update within Alpine 3.23 (same minor version). The tag alpine:3.23 does not change; only the SHA-256 digest pin advances from 5b10f432ef3d... to fd791d74b689....
  • Security patches: This digest bump corresponds to a patch release of Alpine 3.23, which includes security fixes for OpenSSL (heap overflow, certificate parsing flaws, PKCS7 use-after-free) and BusyBox, along with other core system package updates.
  • Breaking changes: None. Digest updates within the same minor Alpine release do not carry breaking changes. Alpine's package ABI is stable within a minor release series, and no package removals or renames affect this image.
  • New features: None relevant to this use case.

🎯 Impact Scope Investigation

  • Dockerfile usage: Alpine is used in exactly two FROM lines in /Dockerfile:
    1. Build stage (AS download): installs only curl via apk add --no-cache curl to download the ghasec release tarball, then discards the layer.
    2. Final stage: copies the pre-built ghasec binary in and runs ghasec --version. No Alpine packages are installed here.
  • No Go source code references: There are no Alpine-specific imports, configurations, or environment assumptions in the Go codebase. The linter binary itself is architecture-native and self-contained.
  • CI/CD impact: .github/workflows/release-please.yml builds and pushes this Docker image to ghcr.io/koki-develop/ghasec on every release via docker/build-push-action. The updated digest will be used on the next release build. No workflow logic depends on Alpine internals beyond curl availability, which is unchanged.
  • Other dependencies: No transitive impact on Go modules or other packages. The update is isolated entirely to the Docker layer.

💡 Recommended Actions

  • No migration steps required. This is a drop-in digest update.
  • Merge as-is. The new digest brings security patches and no regressions are expected.
  • Optionally verify the new digest by pulling alpine:3.23@sha256:fd791d74b68913cbb027c6546007b3f0d3bc45125f797758156952bc2d6daf40 and confirming curl installs correctly, but this is not strictly necessary given the nature of a patch digest update.

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
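
A check for what this PR changes, added here as an example (not code from the ghasec repository, Renovate, or the review action): it confirms that every FROM line is pinned to the digest quoted in the review. The Dockerfile text, its file paths and the all-zero digest are constructed samples, and `check_from_pins` is a hypothetical name.

```python
import re

# Full digest quoted in the review comment for alpine:3.23.
NEW = "sha256:fd791d74b68913cbb027c6546007b3f0d3bc45125f797758156952bc2d6daf40"
REVIEWED = {"alpine:3.23": NEW}

# FROM [--flag=value ...] <ref> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def check_from_pins(dockerfile, reviewed=REVIEWED):
    """Return (line_number, problem) for each FROM line that is not pinned
    to a well-formed digest or whose digest differs from the reviewed one."""
    findings, stages = [], set()
    for number, line in enumerate(dockerfile.splitlines(), 1):
        match = FROM_RE.match(line)
        if not match:
            continue
        ref, stage = match.groups()
        # "scratch" and earlier stage names are not registry images.
        if ref != "scratch" and ref.lower() not in stages:
            image, _, digest = ref.partition("@")
            if not digest:
                findings.append((number, f"{image}: tag only, no digest pin"))
            elif not DIGEST_RE.fullmatch(digest):
                findings.append((number, f"{image}: malformed digest"))
            elif reviewed.get(image, digest) != digest:
                findings.append((number, f"{image}: digest is not the reviewed one"))
        if stage:
            stages.add(stage.lower())
    return findings


# Constructed Dockerfile following the two-stage layout the review describes;
# the file paths are placeholders.
GOOD = f"""FROM alpine:3.23@{NEW} AS download
RUN apk add --no-cache curl
FROM alpine:3.23@{NEW}
COPY --from=download /tmp/ghasec /usr/local/bin/ghasec
"""
# Constructed failure cases: one stage left on another digest, one unpinned.
STALE = GOOD.replace(f"FROM alpine:3.23@{NEW}\n", "FROM alpine:3.23@sha256:" + "0" * 64 + "\n")
UNPINNED = GOOD.replace(f"@{NEW} AS", " AS")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("STALE", STALE), ("UNPINNED", UNPINNED)):
        print(name, check_from_pins(text))
```

Images missing from `REVIEWED` are only checked for a well-formed digest pin, so the same function can run over Dockerfiles with other base images.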
