From 8c3b5db166a3f66f6c21aa523e9110611cbd6889 Mon Sep 17 00:00:00 2001
From: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:31:14 +0100
Subject: [PATCH 1/4] chore: fix gitignore for cagent validation log

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index d382b9a60e4..60699f1d6b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,4 +15,4 @@ cagent
 # cagent tmp files
 .cagent
 .upstream-issues.md
-.validation-log.md
+.validation.log

From 02d82e2105f0500a2cf6518feead4b5447e7984f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 19 Dec 2025 15:04:03 +0000
Subject: [PATCH 2/4] docs: address issue #23194
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This change was automatically generated by the documentation agent team in response to issue #23194.

🤖 Generated with cagent
---
 .../manuals/build/building/best-practices.md | 54 +++++++++++++------
 1 file changed, 37 insertions(+), 17 deletions(-)

diff --git a/content/manuals/build/building/best-practices.md b/content/manuals/build/building/best-practices.md
index ba6b1b21620..e4298449f9a 100644
--- a/content/manuals/build/building/best-practices.md
+++ b/content/manuals/build/building/best-practices.md
@@ -77,23 +77,17 @@ dependencies can considerably lower the attack surface.
 
 ## Rebuild your images often
 
-Docker images are immutable. Building an image is taking a snapshot of that
-image at that moment. That includes any base images, libraries, or other
-software you use in your build. To keep your images up-to-date and secure, make
-sure to rebuild your image often, with updated dependencies.
+Docker images are immutable. Building an image is taking a snapshot of
+that image at that moment. That includes any base images, libraries, or
+other software you use in your build. To keep your images up-to-date and
+secure, rebuild your images regularly with updated dependencies.
 
-To ensure that you're getting the latest versions of dependencies in your build,
-you can use the `--no-cache` option to avoid cache hits.
+### Use --pull to get fresh base images
 
-```console
-$ docker build --no-cache -t my-image:my-tag .
-```
-
-The following Dockerfile uses the `24.04` tag of the `ubuntu` image. Over time,
-that tag may resolve to a different underlying version of the `ubuntu` image,
-as the publisher rebuilds the image with new security patches and updated
-libraries. Using the `--no-cache`, you can avoid cache hits and ensure a fresh
-download of base images and dependencies.
+The following Dockerfile uses the `24.04` tag of the `ubuntu` image.
+Over time, that tag may resolve to a different underlying version of the
+`ubuntu` image, as the publisher rebuilds the image with new security
+patches and updated libraries.
 
 ```dockerfile
 # syntax=docker/dockerfile:1
@@ -101,6 +95,33 @@ FROM ubuntu:24.04
 RUN apt-get -y update && apt-get install -y --no-install-recommends python3
 ```
 
+To get the latest version of the base image, use the `--pull` flag:
+
+```console
+$ docker build --pull -t my-image:my-tag .
+```
+
+The `--pull` flag forces Docker to check for and download a newer
+version of the base image, even if you have a version cached locally.
+
+### Use --no-cache for clean builds
+
+The `--no-cache` flag disables the build cache, forcing Docker to
+rebuild all layers from scratch:
+
+```console
+$ docker build --no-cache -t my-image:my-tag .
+```
+
+This gets the latest available versions of dependencies from package
+managers like `apt-get` or `npm`. However, `--no-cache` doesn't pull a
+fresh base image - it only prevents reusing cached layers. For a
+completely fresh build with the latest base image, combine both flags:
+
+```console
+$ docker build --pull --no-cache -t my-image:my-tag .
+```
+
 Also consider [pinning base image versions](#pin-base-image-versions).
 
 ## Exclude with .dockerignore
@@ -639,10 +660,10 @@ RUN ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet
 ```
 
 For more information about `ADD` or `COPY`, see the following:
+
 - [Dockerfile reference for the ADD instruction](/reference/dockerfile.md#add)
 - [Dockerfile reference for the COPY instruction](/reference/dockerfile.md#copy)
 
-
 ### ENTRYPOINT
 
 The best use for `ENTRYPOINT` is to set the image's main command, allowing that
@@ -695,7 +716,6 @@ fi
 exec "$@"
 ```
 
-
 This script uses [the `exec` Bash command](https://wiki.bash-hackers.org/commands/builtin/exec) so that the final running application becomes the container's PID 1. This allows the application to receive any Unix signals sent to the container. For more information, see the [`ENTRYPOINT` reference](/reference/dockerfile.md#entrypoint).
 
 In the following example, a helper script is copied into the container and run via `ENTRYPOINT` on
From fddd7d2f22aa3a7361def76c6455cbd6d2e5fe82 Mon Sep 17 00:00:00 2001
From: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:40:43 +0100
Subject: [PATCH 3/4] ci: install npm dependencies for cagent

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
 .github/workflows/agent.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/agent.yml b/.github/workflows/agent.yml
index 0da7dd6f5cf..40c138e7877 100644
--- a/.github/workflows/agent.yml
+++ b/.github/workflows/agent.yml
@@ -26,6 +26,9 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
 
+      - name: Install dependencies
+        run: npm ci
+
       - name: Create branch
         run: |
           git checkout -b agent/issue-${{ github.event.issue.number }}

From 3f662ec6d5fa9c52e3168afbd71dd4a0e93d1e22 Mon Sep 17 00:00:00 2001
From: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Date: Fri, 19 Dec 2025 20:48:10 +0100
Subject: [PATCH 4/4] ci: add timeout (15m) for cagent run task

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
---
 .github/workflows/agent.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/agent.yml b/.github/workflows/agent.yml
index 40c138e7877..87cf400614b 100644
--- a/.github/workflows/agent.yml
+++ b/.github/workflows/agent.yml
@@ -35,6 +35,7 @@ jobs:
 
       - name: Run agent
         uses: docker/cagent-action@v1.0.3
+        timeout-minutes: 15
         with:
           cagent-version: v1.15.5
           agent: ./agent.yml
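Review bot: The added Install dependencies step runs `npm ci`, which executes the lifecycle scripts (preinstall/install/postinstall) of every package in the lockfile, inside a job that afterwards creates a branch and commits as github-actions[bot]; if the cagent run does not need native builds, `run: npm ci --ignore-scripts` removes that code-execution path at no cost. The step also relies on whatever Node version the runner image ships, since no setup step is visible in this hunk; if one exists earlier in the job it is outside this view. The enclosing job definition starts before the hunk.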