From c6629806863b8e8d54fe6cbcd9803abb3cb8ea67 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Fri, 27 Feb 2026 15:27:06 +0200 Subject: [PATCH] Add GitHub releases with patch version bumps for scheduled security builds (#653) - scheduled-build.yml: Create GitHub release after each weekly security rebuild with date-stamped tag (e.g. noble-1.0.2-security.20260227) - scheduled-build.yml: Add date-stamped Docker image tags alongside existing version and codename tags - scheduled-build.yml: Bump permissions to contents:write for release creation - scheduled-build.yml: Exclude security-tagged releases from base version lookup to prevent nested tags - main.yml: Update docker/build-push-action from v5 to v6 - scheduled-build.yml: Update docker/build-push-action from v5 to v6 - stale.yml: Remove deprecated repo-token parameter Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com> * Replace security date tags with patch version bumps in scheduled builds The scheduled weekly security build now bumps the patch version (e.g. noble-1.0.2 -> noble-1.0.3) instead of appending -security.YYYYMMDD. Each rebuild creates a proper GitHub release with the new patch tag and pushes Docker images accordingly. Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com> --- .github/workflows/main.yml | 2 +- .github/workflows/scheduled-build.yml | 42 ++++++++++++++++++++++----- .github/workflows/stale.yml | 1 - 3 files changed, 35 insertions(+), 10 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e749661..60d2ffa 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -76,7 +76,7 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and Push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: builder: ${{ steps.buildx.outputs.name }} context: image diff --git a/.github/workflows/scheduled-build.yml b/.github/workflows/scheduled-build.yml index a4beae7..a105b87 100644 --- a/.github/workflows/scheduled-build.yml +++ b/.github/workflows/scheduled-build.yml @@ -9,7 +9,7 @@ jobs: build: runs-on: ubuntu-latest permissions: - contents: read + contents: write packages: write strategy: fail-fast: false @@ -20,7 +20,7 @@ jobs: - ubuntu_codename: jammy base_image: ubuntu:22.04 steps: - - name: Get latest release tag for this LTS track + - name: Get latest release tag and compute next patch version id: release run: | LATEST_TAG=$(gh release list \ @@ -33,24 +33,34 @@ jobs: echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2 exit 1 fi - echo "tag=${LATEST_TAG}" >> $GITHUB_OUTPUT + # Extract version and bump patch: noble-1.0.2 -> noble-1.0.3 + if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then + echo "Tag '${LATEST_TAG}' does not match expected format -.." >&2 + exit 1 + fi + PREFIX="${LATEST_TAG%.*}" # noble-1.0 + PATCH="${LATEST_TAG##*.}" # 2 + NEXT_PATCH=$((PATCH + 1)) + NEXT_TAG="${PREFIX}.${NEXT_PATCH}" # noble-1.0.3 + echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT + echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Checkout release tag uses: actions/checkout@v4 with: - ref: ${{ steps.release.outputs.tag }} + ref: ${{ steps.release.outputs.current_tag }} - name: Prepare id: prep run: | DOCKER_IMAGE=phusion/baseimage - RELEASE_TAG=${{ steps.release.outputs.tag }} + NEXT_TAG=${{ steps.release.outputs.next_tag }} PLATFORMS=amd64,arm,arm64 - TAGS="${DOCKER_IMAGE}:${RELEASE_TAG}" + TAGS="${DOCKER_IMAGE}:${NEXT_TAG}" TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}" - TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${RELEASE_TAG}" + TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}" TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}" echo "tags=${TAGS}" >> $GITHUB_OUTPUT echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT @@ -81,7 +91,7 @@ jobs: password: ${{ secrets.DOCKER_PASSWORD }} - name: Build and Push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: image platforms: ${{ steps.prep.outputs.platforms }} @@ -89,3 +99,19 @@ jobs: tags: ${{ steps.prep.outputs.tags }} build-args: BASE_IMAGE=${{ matrix.base_image }} no-cache: true + + - name: Create GitHub Release + run: | + gh release create "${{ steps.release.outputs.next_tag }}" \ + --repo "${{ github.repository }}" \ + --target "${{ steps.release.outputs.current_tag }}" \ + --title "${{ steps.release.outputs.next_tag }}" \ + --notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages. + + Images pushed: + - \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\` + - \`phusion/baseimage:${{ matrix.ubuntu_codename }}\` + - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\` + - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index d6068b9..6f2058b 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,7 +9,6 @@ jobs: steps: - uses: actions/stale@v9 with: - repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.' stale-pr-message: 'This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.' close-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'