Docker/baseimage-docker
1
0
Fork 1
mirror of https://github.com/phusion/baseimage-docker.git synced 2026-03-26 20:38:58 +00:00
Code Issues Releases Wiki Activity

Replace security date tags with patch version bumps in scheduled builds

Browse Source 
The scheduled weekly security build now bumps the patch version
(e.g. noble-1.0.2 -> noble-1.0.3) instead of appending
-security.YYYYMMDD. Each rebuild creates a proper GitHub release
with the new patch tag and pushes Docker images accordingly.

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-02-27 13:09:20 +00:00
parent cd436b0335
commit 33033d8eb5
1 changed files with 23 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
.github/workflows/scheduled-build.yml vendored
View File

@@ -20,7 +20,7 @@ jobs:
- ubuntu_codename: jammy - ubuntu_codename: jammy
base_image: ubuntu:22.04 base_image: ubuntu:22.04
steps: steps:
- name: Get latest release tag for this LTS track - name: Get latest release tag and compute next patch version
id: release id: release
run: | run: |
LATEST_TAG=$(gh release list \ LATEST_TAG=$(gh release list \
@@ -28,37 +28,42 @@ jobs:
--exclude-pre-releases \ --exclude-pre-releases \
--exclude-drafts \ --exclude-drafts \
--json tagName \ --json tagName \
--jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-")) | select(.tagName | contains("-security.") | not)] | first | .tagName') --jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-"))] | first | .tagName')
if [ -z "${LATEST_TAG}" ]; then if [ -z "${LATEST_TAG}" ]; then
echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2 echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
exit 1 exit 1
fi fi
echo "tag=${LATEST_TAG}" >> $GITHUB_OUTPUT # Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
exit 1
fi
PREFIX="${LATEST_TAG%.*}" # noble-1.0
PATCH="${LATEST_TAG##*.}" # 2
NEXT_PATCH=$((PATCH + 1))
NEXT_TAG="${PREFIX}.${NEXT_PATCH}" # noble-1.0.3
echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout release tag - name: Checkout release tag
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
ref: ${{ steps.release.outputs.tag }} ref: ${{ steps.release.outputs.current_tag }}
- name: Prepare - name: Prepare
id: prep id: prep
run: | run: |
DOCKER_IMAGE=phusion/baseimage DOCKER_IMAGE=phusion/baseimage
RELEASE_TAG=${{ steps.release.outputs.tag }} NEXT_TAG=${{ steps.release.outputs.next_tag }}
BUILD_DATE=$(date -u +%Y%m%d)
SECURITY_TAG="${RELEASE_TAG}-security.${BUILD_DATE}"
PLATFORMS=amd64,arm,arm64 PLATFORMS=amd64,arm,arm64
TAGS="${DOCKER_IMAGE}:${RELEASE_TAG}" TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
TAGS="${TAGS}, ${DOCKER_IMAGE}:${SECURITY_TAG}"
TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}" TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${RELEASE_TAG}" TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${SECURITY_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}" TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
echo "security_tag=${SECURITY_TAG}" >> $GITHUB_OUTPUT
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@v3 uses: docker/setup-qemu-action@v3
@@ -97,18 +102,16 @@ jobs:
- name: Create GitHub Release - name: Create GitHub Release
run: | run: |
gh release create "${{ steps.prep.outputs.security_tag }}" \ gh release create "${{ steps.release.outputs.next_tag }}" \
--repo "${{ github.repository }}" \ --repo "${{ github.repository }}" \
--target "${{ steps.release.outputs.tag }}" \ --target "${{ steps.release.outputs.current_tag }}" \
--title "${{ steps.prep.outputs.security_tag }}" \ --title "${{ steps.release.outputs.next_tag }}" \
--notes "Automated weekly security rebuild of \`${{ steps.release.outputs.tag }}\` using \`${{ matrix.base_image }}\`. --notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
Images pushed: Images pushed:
- \`phusion/baseimage:${{ steps.release.outputs.tag }}\` - \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
- \`phusion/baseimage:${{ steps.prep.outputs.security_tag }}\`
- \`phusion/baseimage:${{ matrix.ubuntu_codename }}\` - \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.tag }}\` - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.prep.outputs.security_tag }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`" - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
env: env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}