align dependency runtime baselines across Docker and CI

.github/.docker-compose-database.yml

@@ -1,6 +1,6 @@
 services:
   db:
-    image: postgis/postgis:15-3.3
+    image: postgis/postgis:16-3.5
     container_name: voyage-db
     restart: unless-stopped
     ports:

.github/workflows/backend-beta.yml

@@ -13,16 +13,17 @@ on:
 
 env:
   IMAGE_NAME: "voyage-backend"
+  PYTHON_IMAGE: "python:3.13-slim"
 
 jobs:
   upload:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -48,6 +49,8 @@ jobs:
         with:
           context: ./backend
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            PYTHON_IMAGE=${{ env.PYTHON_IMAGE }}
           push: true
           tags: |
             ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:beta

.github/workflows/backend-latest.yml

@@ -15,6 +15,7 @@ on:
 
 env:
   IMAGE_NAME: "voyage-backend"
+  PYTHON_IMAGE: "python:3.13-slim"
 
 jobs:
   upload:
@@ -50,6 +51,8 @@ jobs:
         with:
           context: ./backend
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            PYTHON_IMAGE=${{ env.PYTHON_IMAGE }}
           push: true
           tags: |
             ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:latest

.github/workflows/backend-release.yml

@@ -10,16 +10,17 @@ on:
 
 env:
   IMAGE_NAME: "voyage-backend"
+  PYTHON_IMAGE: "python:3.13-slim"
 
 jobs:
   upload:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -45,6 +46,8 @@ jobs:
         with:
           context: ./backend
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            PYTHON_IMAGE=${{ env.PYTHON_IMAGE }}
           push: true
           tags: |
             ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}

.github/workflows/backend-test.yml

@@ -15,15 +15,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: set up python 3.12
+      - name: set up python 3.13
         uses: actions/setup-python@v5
         with:
-          python-version: "3.12"
+          python-version: "3.13"
 
       - name: install dependencies
         run: |
           sudo apt update -q
-          sudo apt install -y -q python3-gdal
+          sudo apt install -y -q gdal-bin libgdal-dev
 
       - name: start database
         run: |

.github/workflows/frontend-beta.yml

@@ -13,16 +13,17 @@ on:
 
 env:
   IMAGE_NAME: "voyage-frontend"
+  BUN_VERSION: "1.3.10"
 
 jobs:
   upload:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -48,6 +49,8 @@ jobs:
         with:
           context: ./frontend
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            BUN_VERSION=${{ env.BUN_VERSION }}
           push: true
           tags: |
             ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:beta

.github/workflows/frontend-latest.yml

@@ -15,6 +15,7 @@ on:
 
 env:
   IMAGE_NAME: "voyage-frontend"
+  BUN_VERSION: "1.3.10"
 
 jobs:
   upload:
@@ -50,6 +51,8 @@ jobs:
         with:
           context: ./frontend
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            BUN_VERSION=${{ env.BUN_VERSION }}
           push: true
           tags: |
             ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:latest

.github/workflows/frontend-release.yml

@@ -10,16 +10,17 @@ on:
 
 env:
   IMAGE_NAME: "voyage-frontend"
+  BUN_VERSION: "1.3.10"
 
 jobs:
   upload:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -45,6 +46,8 @@ jobs:
         with:
           context: ./frontend
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            BUN_VERSION=${{ env.BUN_VERSION }}
           push: true
           tags: |
             ghcr.io/${{ steps.repo_owner.outputs.repo_owner }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}

.github/workflows/frontend-test.yml

@@ -17,6 +17,8 @@ jobs:
 
       - name: setup bun
         uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.3.10
 
       - name: install dependencies
         working-directory: frontend

.github/workflows/trivy_security_scans.yml

@@ -41,6 +41,9 @@ jobs:
   image-scan:
     name: Trivy Docker Image Scan (Backend & Frontend)
     runs-on: ubuntu-latest
+    env:
+      BUN_VERSION: "1.3.10"
+      PYTHON_IMAGE: "python:3.13-slim"
 
     steps:
       - name: Checkout code
@@ -57,10 +60,10 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build backend Docker image
-        run: docker build -t voyage-backend ./backend
+        run: docker build --build-arg PYTHON_IMAGE=${{ env.PYTHON_IMAGE }} -t voyage-backend ./backend
 
       - name: Build frontend Docker image
-        run: docker build -t voyage-frontend ./frontend
+        run: docker build --build-arg BUN_VERSION=${{ env.BUN_VERSION }} -t voyage-frontend ./frontend
 
       - name: Scan backend Docker image with Trivy
         uses: aquasecurity/trivy-action@master

backend/Dockerfile

@@ -1,5 +1,6 @@
 # Stage 1: Build stage with dependencies
-FROM python:3.13-slim AS builder
+ARG PYTHON_IMAGE=python:3.13-slim
+FROM ${PYTHON_IMAGE} AS builder
 
 # Metadata labels
 LABEL maintainer="Voyage contributors" \
@@ -35,7 +36,7 @@ RUN pip install --upgrade pip \
     && pip install --no-cache-dir -r requirements.txt
 
 # Stage 2: Final image with runtime dependencies
-FROM python:3.13-slim
+FROM ${PYTHON_IMAGE}
 WORKDIR /code
 ENV PYTHONDONTWRITEBYTECODE=1
 ENV PYTHONUNBUFFERED=1

backend/server/requirements.txt

@@ -33,5 +33,5 @@ legacy-cgi==2.6.4
 requests>=2.32.5
 cryptography>=46.0.5
 django-mcp-server>=0.5.7
-litellm>=1.82.1
-duckduckgo-search>=4.0.0
+litellm>=1.82.2
+duckduckgo-search>=8.1.1

cdn/Dockerfile

@@ -1,11 +1,13 @@
 # Use an official Python image as a base
-FROM python:3.11-slim
+ARG PYTHON_IMAGE=python:3.13-slim
+FROM ${PYTHON_IMAGE}
 
 # Set the working directory
 WORKDIR /app
 
 # Install required Python packages
-RUN pip install --no-cache-dir requests osm2geojson
+COPY requirements.txt /app/requirements.txt
+RUN pip install --no-cache-dir -r /app/requirements.txt
 
 # Copy the script into the container
 COPY main.py /app/main.py

cdn/requirements.txt

@@ -1 +1,2 @@
-osm2geojson==0.2.5
+requests==2.32.5
+osm2geojson==0.3.2

docker-compose.dev.yml

@@ -3,6 +3,8 @@ services:
     build:
       context: ./frontend/
       target: builder
+      args:
+        BUN_VERSION: ${BUN_VERSION:-1.3.10}
     # image: ghcr.io/alex-wiesner/voyage-frontend:latest
     restart: unless-stopped
     user: root
@@ -28,7 +30,10 @@ services:
       - postgres_data:/var/lib/postgresql/data/
 
   server:
-    build: ./backend/
+    build:
+      context: ./backend/
+      args:
+        PYTHON_IMAGE: ${PYTHON_IMAGE:-python:3.13-slim}
     # image: ghcr.io/alex-wiesner/voyage-backend:latest
     restart: unless-stopped
     entrypoint: []