Docker/baseimage-docker
1
0
Fork 1
mirror of https://github.com/phusion/baseimage-docker.git synced 2026-03-26 04:18:46 +00:00
Code Issues Releases Wiki Activity

Add GitHub releases with patch version bumps for scheduled security builds (#653)

Browse Source 
- scheduled-build.yml: Create GitHub release after each weekly security
  rebuild with date-stamped tag (e.g. noble-1.0.2-security.20260227)
- scheduled-build.yml: Add date-stamped Docker image tags alongside
  existing version and codename tags
- scheduled-build.yml: Bump permissions to contents:write for release
  creation
- scheduled-build.yml: Exclude security-tagged releases from base
  version lookup to prevent nested tags
- main.yml: Update docker/build-push-action from v5 to v6
- scheduled-build.yml: Update docker/build-push-action from v5 to v6
- stale.yml: Remove deprecated repo-token parameter

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>

* Replace security date tags with patch version bumps in scheduled builds

The scheduled weekly security build now bumps the patch version
(e.g. noble-1.0.2 -> noble-1.0.3) instead of appending
-security.YYYYMMDD. Each rebuild creates a proper GitHub release
with the new patch tag and pushes Docker images accordingly.

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>
This commit is contained in:
Copilot
2026-02-27 15:27:06 +02:00
committed by GitHub
parent 44a761d9eb
commit c662980686
3 changed files with 35 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/main.yml vendored
View File

@@ -76,7 +76,7 @@ jobs:
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and Push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
builder: ${{ steps.buildx.outputs.name }}
context: image

42
.github/workflows/scheduled-build.yml vendored
View File

@@ -9,7 +9,7 @@ jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
contents: write
packages: write
strategy:
fail-fast: false
@@ -20,7 +20,7 @@ jobs:
- ubuntu_codename: jammy
base_image: ubuntu:22.04
steps:
- name: Get latest release tag for this LTS track
- name: Get latest release tag and compute next patch version
id: release
run: |
LATEST_TAG=$(gh release list \
@@ -33,24 +33,34 @@ jobs:
echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
exit 1
fi
echo "tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
# Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
exit 1
fi
PREFIX="${LATEST_TAG%.*}" # noble-1.0
PATCH="${LATEST_TAG##*.}" # 2
NEXT_PATCH=$((PATCH + 1))
NEXT_TAG="${PREFIX}.${NEXT_PATCH}" # noble-1.0.3
echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout release tag
uses: actions/checkout@v4
with:
ref: ${{ steps.release.outputs.tag }}
ref: ${{ steps.release.outputs.current_tag }}
- name: Prepare
id: prep
run: |
DOCKER_IMAGE=phusion/baseimage
RELEASE_TAG=${{ steps.release.outputs.tag }}
NEXT_TAG=${{ steps.release.outputs.next_tag }}
PLATFORMS=amd64,arm,arm64
TAGS="${DOCKER_IMAGE}:${RELEASE_TAG}"
TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${RELEASE_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
@@ -81,7 +91,7 @@ jobs:
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and Push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
context: image
platforms: ${{ steps.prep.outputs.platforms }}
@@ -89,3 +99,19 @@ jobs:
tags: ${{ steps.prep.outputs.tags }}
build-args: BASE_IMAGE=${{ matrix.base_image }}
no-cache: true
- name: Create GitHub Release
run: |
gh release create "${{ steps.release.outputs.next_tag }}" \
--repo "${{ github.repository }}" \
--target "${{ steps.release.outputs.current_tag }}" \
--title "${{ steps.release.outputs.next_tag }}" \
--notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
Images pushed:
- \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
- \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

1
.github/workflows/stale.yml vendored
View File

@@ -9,7 +9,6 @@ jobs:
steps:
- uses: actions/stale@v9
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
stale-pr-message: 'This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.'
close-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'