Add GH release creation to scheduled security builds, update deprecated workflow components

- scheduled-build.yml: Create GitHub release after each weekly security rebuild with date-stamped tag (e.g. noble-1.0.2-security.20260227) - scheduled-build.yml: Add date-stamped Docker image tags alongside existing version and codename tags - scheduled-build.yml: Bump permissions to contents:write for release creation - scheduled-build.yml: Exclude security-tagged releases from base version lookup to prevent nested tags - main.yml: Update docker/build-push-action from v5 to v6 - scheduled-build.yml: Update docker/build-push-action from v5 to v6 - stale.yml: Remove deprecated repo-token parameter Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>
2026-03-26 12:29:07 +00:00 · 2026-02-27 12:57:39 +00:00
parent 00987409ee
commit cd436b0335
2 changed files with 28 additions and 21 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -2,18 +2,12 @@ name: Release

 on:
    workflow_dispatch:
-    push:
-        tags:
-            - 'noble-*'
-            - 'jammy-*'
-
-permissions:
-    contents: write
-    packages: write
-
+    release:
+     types: [published]
 jobs:
    build:
        runs-on: ubuntu-latest
+        if: "!contains(github.event.head_commit.message, '[ci-skip]')"
        steps:
          - name: Checkout
            uses: actions/checkout@v4
@@ -90,13 +84,3 @@ jobs:
              push: ${{ steps.prep.outputs.push }}
              tags: ${{ steps.prep.outputs.tags }}
              build-args: BASE_IMAGE=${{ steps.prep.outputs.base_image }}
-
-          - name: Create GitHub Release
-            if: startsWith(github.ref, 'refs/tags/')
-            run: |
-              gh release create "${{ github.ref_name }}" \
-                --repo "${{ github.repository }}" \
-                --title "${{ github.ref_name }}" \
-                --generate-notes
-            env:
-              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/scheduled-build.yml
+++ b/.github/workflows/scheduled-build.yml
@@ -9,7 +9,7 @@ jobs:
    build:
        runs-on: ubuntu-latest
        permissions:
-            contents: read
+            contents: write
            packages: write
        strategy:
            fail-fast: false
@@ -28,7 +28,7 @@ jobs:
                --exclude-pre-releases \
                --exclude-drafts \
                --json tagName \
-                --jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-"))] | first | .tagName')
+                --jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-")) | select(.tagName | contains("-security.") | not)] | first | .tagName')
              if [ -z "${LATEST_TAG}" ]; then
                echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
                exit 1
@@ -47,13 +47,18 @@ jobs:
            run: |
              DOCKER_IMAGE=phusion/baseimage
              RELEASE_TAG=${{ steps.release.outputs.tag }}
+              BUILD_DATE=$(date -u +%Y%m%d)
+              SECURITY_TAG="${RELEASE_TAG}-security.${BUILD_DATE}"
              PLATFORMS=amd64,arm,arm64
              TAGS="${DOCKER_IMAGE}:${RELEASE_TAG}"
+              TAGS="${TAGS}, ${DOCKER_IMAGE}:${SECURITY_TAG}"
              TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${RELEASE_TAG}"
+              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${SECURITY_TAG}"
              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
              echo "tags=${TAGS}" >> $GITHUB_OUTPUT
              echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
+              echo "security_tag=${SECURITY_TAG}" >> $GITHUB_OUTPUT

          - name: Set up QEMU
            uses: docker/setup-qemu-action@v3
@@ -89,3 +94,21 @@ jobs:
              tags: ${{ steps.prep.outputs.tags }}
              build-args: BASE_IMAGE=${{ matrix.base_image }}
              no-cache: true
+
+          - name: Create GitHub Release
+            run: |
+              gh release create "${{ steps.prep.outputs.security_tag }}" \
+                --repo "${{ github.repository }}" \
+                --target "${{ steps.release.outputs.tag }}" \
+                --title "${{ steps.prep.outputs.security_tag }}" \
+                --notes "Automated weekly security rebuild of \`${{ steps.release.outputs.tag }}\` using \`${{ matrix.base_image }}\`.
+
+              Images pushed:
+              - \`phusion/baseimage:${{ steps.release.outputs.tag }}\`
+              - \`phusion/baseimage:${{ steps.prep.outputs.security_tag }}\`
+              - \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.tag }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.prep.outputs.security_tag }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}