What about using something like Dependabot to keep the image up to date?
Also, it is generally a good idea to create immutable image tags, rather than only having latest.
I want nixos/nix to stay up to date with the base image because a newer Alpine image may contain bug fixes or security fixes, and the nix image is not currently built with buildImage/buildLayeredImage (yet).