Add GitHub releases with patch version bumps for scheduled security builds (#653)

- scheduled-build.yml: Create GitHub release after each weekly security
  rebuild with date-stamped tag (e.g. noble-1.0.2-security.20260227)
- scheduled-build.yml: Add date-stamped Docker image tags alongside
  existing version and codename tags
- scheduled-build.yml: Bump permissions to contents:write for release
  creation
- scheduled-build.yml: Exclude security-tagged releases from base
  version lookup to prevent nested tags
- main.yml: Update docker/build-push-action from v5 to v6
- scheduled-build.yml: Update docker/build-push-action from v5 to v6
- stale.yml: Remove deprecated repo-token parameter

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>

* Replace security date tags with patch version bumps in scheduled builds

The scheduled weekly security build now bumps the patch version
(e.g. noble-1.0.2 -> noble-1.0.3) instead of appending
-security.YYYYMMDD. Each rebuild creates a proper GitHub release
with the new patch tag and pushes Docker images accordingly.

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>

.github/workflows/scheduled-build.yml

@@ -9,7 +9,7 @@ jobs:
     build:
         runs-on: ubuntu-latest
         permissions:
-            contents: read
+            contents: write
             packages: write
         strategy:
             fail-fast: false
@@ -20,7 +20,7 @@ jobs:
                     - ubuntu_codename: jammy
                       base_image: ubuntu:22.04
         steps:
-          - name: Get latest release tag for this LTS track
+          - name: Get latest release tag and compute next patch version
             id: release
             run: |
               LATEST_TAG=$(gh release list \
@@ -33,24 +33,34 @@ jobs:
                 echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
                 exit 1
               fi
-              echo "tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
+              # Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
+              if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
+                echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
+                exit 1
+              fi
+              PREFIX="${LATEST_TAG%.*}"            # noble-1.0
+              PATCH="${LATEST_TAG##*.}"            # 2
+              NEXT_PATCH=$((PATCH + 1))
+              NEXT_TAG="${PREFIX}.${NEXT_PATCH}"  # noble-1.0.3
+              echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
+              echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
             env:
               GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
           - name: Checkout release tag
             uses: actions/checkout@v4
             with:
-              ref: ${{ steps.release.outputs.tag }}
+              ref: ${{ steps.release.outputs.current_tag }}
 
           - name: Prepare
             id: prep
             run: |
               DOCKER_IMAGE=phusion/baseimage
-              RELEASE_TAG=${{ steps.release.outputs.tag }}
+              NEXT_TAG=${{ steps.release.outputs.next_tag }}
               PLATFORMS=amd64,arm,arm64
-              TAGS="${DOCKER_IMAGE}:${RELEASE_TAG}"
+              TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
               TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
-              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${RELEASE_TAG}"
+              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
               TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
               echo "tags=${TAGS}" >> $GITHUB_OUTPUT
               echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
@@ -81,7 +91,7 @@ jobs:
               password: ${{ secrets.DOCKER_PASSWORD }}
 
           - name: Build and Push
-            uses: docker/build-push-action@v5
+            uses: docker/build-push-action@v6
             with:
               context: image
               platforms: ${{ steps.prep.outputs.platforms }}
@@ -89,3 +99,19 @@ jobs:
               tags: ${{ steps.prep.outputs.tags }}
               build-args: BASE_IMAGE=${{ matrix.base_image }}
               no-cache: true
+
+          - name: Create GitHub Release
+            run: |
+              gh release create "${{ steps.release.outputs.next_tag }}" \
+                --repo "${{ github.repository }}" \
+                --target "${{ steps.release.outputs.current_tag }}" \
+                --title "${{ steps.release.outputs.next_tag }}" \
+                --notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
+
+              Images pushed:
+              - \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
+              - \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}