fix(deps): update alpine docker tag to v3.23.3 #7

Open
renovate[bot] wants to merge 1 commit into main from renovate/alpine-3.x


renovate bot commented Mar 6, 2026

This PR contains the following updates:

Package | Type | Update | Change
alpine | stage | minor | 3.21.6 → 3.23.3

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot changed the title from "chore(deps): update alpine docker tag to v3.23.3" to "fix(deps): update alpine docker tag to v3.23.3" on Mar 6, 2026
renovate bot force-pushed the renovate/alpine-3.x branch from f66f069 to 95ff958 on March 7, 2026 12:49

github-actions bot commented Mar 7, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Jump: Alpine Linux 3.21.6 → 3.23.3 (skipping 3.22.x, minor version jump)

Major Changes:

  • Security Fixes: Alpine 3.23.3 includes critical OpenSSL security fixes addressing 12 CVEs from the January 27, 2026 advisory (CVE-2025-11187, CVE-2025-15467-69, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418-21, CVE-2026-22795-96)
  • APK v3 Package Manager: Alpine 3.23 introduces apk-tools v3 (though v2 index/package format is maintained for compatibility)
  • Toolchain Updates: GCC 15, LLVM 21, Go 1.25, Linux kernel 6.18 LTS
  • System Changes: linux-stable replaces linux-edge, /usr-merge support introduced

Breaking Changes (Not Applicable to This Project):

  • ifstate 2.x configuration file schema changes (network configuration)
  • libapk API changes (if using programmatically)
  • Boot loader configuration changes for kernel updates
  • Intel wireless firmware package relocation
  • Qt5 library removals, PostgreSQL 15 dropped, ffmpeg4 removed

Alpine 3.22 Intermediate Changes:

  • nginx/njs now use pcre2 instead of pcre (8.x)
  • Final release with apk-tools v2.14
  • Dovecot 2.3 → 2.4 with config format changes

🎯 Impact Scope Investigation

Alpine Usage in This Project:
The Alpine image is used ONLY in the first build stage (mise) to download a single static binary:

FROM alpine:3.23.3 AS mise
RUN wget -qO /usr/local/bin/mise \
  "https://github.com/jdx/mise/releases/download/v2026.2.23/mise-v2026.2.23-linux-${ARCH}-musl"

Impact Analysis:

  1. No apk package installations: The Dockerfile does NOT use apk add or install any Alpine packages
  2. Minimal dependency: Only uses wget (pre-installed in Alpine base image) to fetch the mise binary
  3. Multi-stage isolation: The Alpine stage is discarded; only the static mise binary is copied to the base stage (which uses Debian bookworm-slim from ghcr.io/codize-dev/nsjail)
  4. Static binary compatibility: mise provides musl-specific builds (linux-${ARCH}-musl) that are compatible across Alpine versions
  5. No runtime impact: Alpine is not present in the final container image

Dependencies on Other Packages: None - the project does not use Alpine's package ecosystem

Build Process Impact:

  • wget in Alpine 3.21.6 → 3.23.3: No breaking changes identified
  • musl libc updates: Not a concern as mise binary is statically linked
  • CI/CD pipeline: Uses Docker buildx cache; no Alpine-specific dependencies in GitHub Actions

💡 Recommended Actions

Immediate Actions:

  1. Safe to merge - No code changes required
  2. ✅ Run CI/CD pipeline to verify the build succeeds (E2E tests will validate full functionality)
  3. ✅ Monitor the Docker build process for any unexpected issues

Optional Follow-up:

  • Consider the security benefits of the OpenSSL CVE fixes (though Alpine is only used during build, not runtime)
  • No migration work needed as Alpine is used purely as a build tool

Testing Recommendation:
The existing CI/CD pipeline includes:

  • Build validation on ubuntu-latest and ubuntu-24.04-arm
  • E2E tests with Docker Compose
  • This should be sufficient to catch any Alpine-related issues

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
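
The impact analysis in the review above (does the Alpine stage install packages, and does it reach the runtime image) can be checked mechanically. The following is an added example, not part of this PR or of the reviewing bot's code; the second stage of the sample Dockerfile (image tag `TAG` and the COPY paths) is constructed, and the function names are hypothetical.

```python
import re
# Constructed sample. Stage 1 is the excerpt quoted in the review; the second
# stage's image tag ("TAG") and COPY paths are assumptions for illustration.
SAMPLE = '''\
FROM alpine:3.23.3 AS mise
RUN wget -qO /usr/local/bin/mise \\
  "https://github.com/jdx/mise/releases/download/v2026.2.23/mise-v2026.2.23-linux-${ARCH}-musl"
FROM ghcr.io/codize-dev/nsjail:TAG AS base
COPY --from=mise /usr/local/bin/mise /usr/local/bin/mise
'''

def parse_stages(text):
    """Split a Dockerfile into stages, joining backslash-continued lines."""
    stages = []
    for line in map(str.strip, re.sub(r"\\[ \t]*\n", " ", text).splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if m:  # unnamed stages are addressed by index, as in COPY --from=0
            stages.append({"image": m.group(1), "body": [],
                           "name": m.group(2) or str(len(stages))})
        elif stages:
            stages[-1]["body"].append(line)
    return stages

def runtime_chain(stages):
    """The final stage plus every stage it inherits from via FROM <stage>."""
    by_name = {s["name"]: s for s in stages}
    chain, cur = [], stages[-1]
    while cur is not None and cur["name"] not in chain:
        chain.append(cur["name"])
        cur = by_name.get(cur["image"])
    return chain

def assess_base_image(text, image_prefix):
    """Describe how each stage built FROM image_prefix reaches the final image."""
    stages, report = parse_stages(text), []
    for s in (s for s in stages if s["image"].startswith(image_prefix)):
        body = "\n".join(s["body"])
        sink = re.compile(r"--from=%s\b" % re.escape(s["name"]))
        report.append({
            "stage": s["name"], "in_final_image": s["name"] in runtime_chain(stages),
            "uses_apk": bool(re.search(r"\bapk\s+(add|upgrade)\b", body)),
            "fetches_remote": bool(re.search(r"\b(wget|curl)\b", body)),
            "copied_into": [x["name"] for x in stages if sink.search("\n".join(x["body"]))],
        })
    return report
```

For the sample, `assess_base_image(SAMPLE, "alpine:")` reports that the `mise` stage is not in the final image and runs no `apk add`, but fetches a remote file whose output is copied into `base`. The downloaded binary, not the Alpine userland, is what carries over from this stage.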
