ideally the code for building a MediaWiki image with security patches would live in Jenkins Job Builder so git history and code review can happen through the standard process™©.
|Open||None||T198901 Migrate production services to kubernetes using the pipeline|
|Open||None||T238770 Deploy MediaWiki to Wikimedia production in containers|
|Open||None||T238771 Get production MW-land images built and published|
|Resolved||dancy||T271274 Security patch workflow for MediaWiki on k8s|
|Resolved||dduvall||T273676 Jenkins job exists for building patched MediaWiki image|
|Resolved||dduvall||T274182 Multi-version MediaWiki image is built and published|
The existing .pipeline/config.yaml was extended to patch the production image before publishing to the restricted repo. See T271274: Security patch workflow for MediaWiki on k8s and associated patchsets for implementation details.