I have recently built the official Arch base image by following the instructions from https://wiki.archlinux.org/title/Docker on the cloned repository https://gitlab.archlinux.org/archlinux/archlinux-docker.git. Do I need to manually rebuild the image each time I want to bump all package versions inside it, or can I just write a Dockerfile with FROM whiteman808/archlinux:base and a command such as RUN pacman -Syu --no-confirm --needed and let the build server rebuild the Arch base image using this Dockerfile?
Assuming that command is a package update command, I would not update packages in a Dockerfile depending on a base image. That base image should be upgraded. If you upgrade packages, the old packages will always be there and the update command just creates another layer, making your image bigger, and if any security tool scans layers, it will find the vulnerable package versions as well, even if you updated. You can also introduce a vulnerability. And as I also mentioned in your other topic, your image will not be reproducible, as each time you can have different versions of packages and you will never know which version you will get. Also, unless you change something else in your Dockerfile, the update command will not invalidate the layer cache, so just because you run the automated build daily, the update command will not run if nothing changes in the Dockerfile.
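To make the layering point above concrete, here is an added illustration (not from either poster and not from the archlinux-docker project): the upgrade-in-a-child-image pattern beside the approach the reply recommends. The image name `whiteman808/archlinux:base` is taken from the question; the digest and the `my-app-package` name are placeholders I made up for the example.

```dockerfile
# --- Pattern the reply argues against (constructed example) ---
# Every layer below FROM is kept as-is. `pacman -Syu` writes the new package
# files into a NEW layer on top, so the old binaries and libraries still sit
# in the base image's layers: the image gets bigger, and a scanner that walks
# layers still reports the base image's package versions.
# The RUN line's text never changes, so the build cache also keeps reusing the
# old result; the upgrade will not actually re-run on a daily automated build.
FROM whiteman808/archlinux:base
RUN pacman -Syu --noconfirm --needed

# --- Approach the reply recommends (constructed example) ---
# Rebuild the BASE image itself from the archlinux-docker repository when you
# want newer packages (that is where the package set is baked in), then derive
# application images from it and only install what the application needs.
# Pinning the base by digest (placeholder below) makes the derived build
# reproducible: the same digest always yields the same package versions.
FROM whiteman808/archlinux:base@sha256:<digest-of-the-rebuilt-base-image>
RUN pacman -S --noconfirm --needed my-app-package
```

The difference to keep in mind is that a Docker image is a stack of read-only layers; nothing a later `RUN` does removes files from an earlier layer, so "upgrading" inside a child image is additive, not a replacement.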
I can use the --no-cache option of docker build to ensure I build the Docker image with updated packages in a clean way.
And why would you ignore all caches? People pulling your image would have to pull the entire image including the regenerated layers that didn’t change. And it was just one problem I mentioned.