build(docker): Add --pull flag to all Docker build commands to ensure the latest base images are used (fixes #1051).

[junhaoliao]

Description

Add the --pull flag to all Docker build scripts (docker build and docker buildx build) to ensure base images are always pulled fresh from the registry. This prevents builds from using stale cached base images that may have missing security updates.

Checklist

• The PR satisfies the contribution guidelines.
• This is a breaking change and that has been indicated in the PR title, OR this isn't a
  breaking change.
• Necessary docs have been updated, OR no docs need to be updated.

Validation performed

0. Verify --pull is present in every build script

Task: Confirm --pull immediately follows docker build or docker buildx build in all 8
scripts.

Command:

for f in $(grep -rn "docker build\b\|docker buildx build" --include="build.sh" -l); do
    echo "=== $f ==="
    grep -A1 "docker build" "$f"
    echo
done

Output:

=== tools/docker-images/clp-package/build.sh ===
    docker build
    --pull

=== components/core/tools/docker-images/clp-env-base-manylinux_2_28-x86_64/build.sh ===
    docker buildx build
    --pull

=== components/core/tools/docker-images/clp-core-ubuntu-jammy/build.sh ===
    docker build
    --pull

=== components/core/tools/docker-images/clp-env-base-centos-stream-9/build.sh ===
    docker build
    --pull

=== components/core/tools/docker-images/clp-env-base-musllinux_1_2-aarch64/build.sh ===
    docker buildx build
    --pull

=== components/core/tools/docker-images/clp-env-base-ubuntu-jammy/build.sh ===
    docker build
    --pull

=== components/core/tools/docker-images/clp-env-base-musllinux_1_2-x86_64/build.sh ===
    docker buildx build
    --pull

=== components/core/tools/docker-images/clp-env-base-manylinux_2_28-aarch64/build.sh ===
    docker buildx build
    --pull

All 8 build scripts now include --pull immediately after the docker build / docker buildx build command.

1. Build CLP package

Task: Verify the clp-package Docker image builds successfully with the --pull flag in
tools/docker-images/clp-package/build.sh (the script invoked by task).

Command:

task

Output:

...
#30 exporting manifest list sha256:190cd68e5f13faa68efb8d61743cbbc78b92c5285d7cc053365bb36f6b9ad6e6 0.0s done
#30 naming to moby-dangling@sha256:190cd68e5f13faa68efb8d61743cbbc78b92c5285d7cc053365bb36f6b9ad6e6 done
#30 unpacking to moby-dangling@sha256:190cd68e5f13faa68efb8d61743cbbc78b92c5285d7cc053365bb36f6b9ad6e6 done
#30 DONE 0.1s
task: [package] echo '0.8.1-dev' > '/home/junhao/workspace/clp/build/clp-package/VERSION'

Build completed successfully.

2. Start CLP

Task: Verify CLP starts successfully with the image built using --pull.

Command:

cd build/clp-package
./sbin/start-clp.sh

Output:

...
 Container clp-package-0cc6-api-server-1 Healthy
 Container clp-package-0cc6-query-scheduler-1 Healthy
 Container clp-package-0cc6-compression-worker-1 Healthy
 Container clp-package-0cc6-webui-1 Healthy
2026-02-01T11:18:55.524 INFO [controller] Started CLP.

All containers started and passed health checks.

3. Test compression

Task: Verify compression works correctly.

Command:

./sbin/compress.sh --timestamp-key timestamp ~/samples/postgresql.jsonl

Output:

2026-02-01T11:19:00.199 INFO [compress] Compression job 1 submitted.
2026-02-01T11:19:02.201 INFO [compress] Compressed 392.84MB into 9.94MB (39.53x). Speed: 205.93MB/s.
2026-02-01T11:19:02.702 INFO [compress] Compression finished.
2026-02-01T11:19:02.702 INFO [compress] Compressed 392.84MB into 9.94MB (39.53x). Speed: 183.79MB/s.

Compression job completed successfully.

4. Stop CLP

Task: Verify CLP stops cleanly.

Command:

./sbin/stop-clp.sh

Output:

...
 Network clp-package-0cc6_default Removed
2026-02-01T11:19:28.015 INFO [controller] Stopped CLP.

All containers stopped and removed successfully.

Summary by CodeRabbit

Release Notes

• Chores
  • Docker image builds now automatically pull the latest base images before building, ensuring containers use current dependencies and security patches across all build configurations.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This pull request adds the --pull flag to eight Docker build scripts across the codebase, ensuring Docker attempts to pull the latest base image versions before building rather than using cached versions.

Changes

Cohort / File(s)	Summary
Docker build scripts with --pull flag components/core/tools/docker-images/clp-core-ubuntu-jammy/build.sh, components/core/tools/docker-images/clp-env-base-centos-stream-9/build.sh, components/core/tools/docker-images/clp-env-base-manylinux_2_28-aarch64/build.sh, components/core/tools/docker-images/clp-env-base-manylinux_2_28-x86_64/build.sh, components/core/tools/docker-images/clp-env-base-musllinux_1_2-aarch64/build.sh, components/core/tools/docker-images/clp-env-base-musllinux_1_2-x86_64/build.sh, components/core/tools/docker-images/clp-env-base-ubuntu-jammy/build.sh	Added --pull flag to docker build/buildx commands to ensure base images are pulled before building.
Package build script with --pull flag tools/docker-images/clp-package/build.sh	Added --pull flag to docker build command to ensure base image is pulled before building.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related issues

• Add --pull flag to all Docker build scripts to ensure fresh base images #1051: This PR directly implements the objective of adding the --pull flag to Docker build scripts to ensure base images are pulled before building.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title accurately summarizes the main change: adding --pull flags to Docker build commands across multiple scripts to ensure fresh base images are used.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kirkrodrigues]

For the PR title, how about:

build(docker): Add `--pull` flag to all Docker build commands to ensure the latest base images are used (fixes #1051).