| name | bump-subimage |
| description | Bump a pinned upstream sub-image version in docker-compose.yml (WireGuard, Traefik, Authelia, Redis, docker-socket-proxy, etc.) following Vaier's version-pin policy. Use when asked to update/upgrade a sub-image, or when checking whether sub-images are out of date. |
Bump a pinned sub-image version
All upstream images in docker-compose.yml are pinned to specific versions — no floating :latest. This skill changes one of those pins safely. (This is NOT for the Vaier app image — that's the deploy-vaier skill.)
Policy (must follow)
- Check upstream for the latest stable release for the image in question — its GitHub releases / Docker Hub tags. Skip pre-release / rc / beta tags.
- Ask the dev before bumping — never bump unilaterally. Explain which images have newer releases and what changed (changelog highlights, breaking notes).
- Only bump if the dev confirms, and bump one image at a time unless asked otherwise.
- WireGuard drift rule: the generated WireGuard client compose (
DockerComposeGeneratorAdapter) must pin the same wireguard version as the server. A drift-check test enforces this — if you bump the server's wireguard image, update the generated client pin too, or the test fails (by design).
- After bumping: run
mvn test, then deploy the full stack (docker compose up -d) and confirm nothing broke before committing.
- Bump the Maven
project.version in the same change (per issue #167: Vaier release cuts only happen when sub-image deps change).
- Update
README.md / PRD.md if the change is user-visible. Commit locally (include any relevant Closes #<n>); do not push — the dev pushes when ready.
Where the pins live
docker-compose.yml services.*.image (e.g. lscr.io/linuxserver/wireguard:…, traefik:…, authelia/authelia:…, redis:…, the docker-socket-proxy/haproxy image). The matching WireGuard client pin lives in DockerComposeGeneratorAdapter.
Checklist