Add GitHub auth status check step

Add step to check GitHub authentication status before creating a release.

.github/workflows/main.yml

@@ -4,6 +4,11 @@ on:
     workflow_dispatch:
     release:
      types: [published]
+
+permissions:
+    contents: read
+    packages: write
+
 jobs:
     build:
         runs-on: ubuntu-latest
@@ -76,7 +81,7 @@ jobs:
                 password: ${{ secrets.DOCKER_PASSWORD }}
 
           - name: Build and Push
-            uses: docker/build-push-action@v5
+            uses: docker/build-push-action@v6
             with:
               builder: ${{ steps.buildx.outputs.name }}
               context: image

.github/workflows/scheduled-build.yml

@@ -5,11 +5,15 @@ on:
         - cron: '0 2 * * 0'  # Every Sunday at 02:00 UTC
     workflow_dispatch:
 
+permissions:
+    contents: write
+    packages: write
+
 jobs:
     build:
         runs-on: ubuntu-latest
         permissions:
-            contents: read
+            contents: write
             packages: write
         strategy:
             fail-fast: false
@@ -20,7 +24,7 @@ jobs:
                     - ubuntu_codename: jammy
                       base_image: ubuntu:22.04
         steps:
-          - name: Get latest release tag for this LTS track
+          - name: Get latest release tag and compute next patch version
             id: release
             run: |
               LATEST_TAG=$(gh release list \
@@ -33,24 +37,34 @@ jobs:
                 echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
                 exit 1
               fi
-              echo "tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
+              # Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
+              if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
+                echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
+                exit 1
+              fi
+              PREFIX="${LATEST_TAG%.*}"            # noble-1.0
+              PATCH="${LATEST_TAG##*.}"            # 2
+              NEXT_PATCH=$((PATCH + 1))
+              NEXT_TAG="${PREFIX}.${NEXT_PATCH}"  # noble-1.0.3
+              echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
+              echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
             env:
               GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
           - name: Checkout release tag
             uses: actions/checkout@v4
             with:
-              ref: ${{ steps.release.outputs.tag }}
+              ref: ${{ steps.release.outputs.current_tag }}
 
           - name: Prepare
             id: prep
             run: |
               DOCKER_IMAGE=phusion/baseimage
-              RELEASE_TAG=${{ steps.release.outputs.tag }}
+              NEXT_TAG=${{ steps.release.outputs.next_tag }}
               PLATFORMS=amd64,arm,arm64
-              TAGS="${DOCKER_IMAGE}:${RELEASE_TAG}"
+              TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
               TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
-              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${RELEASE_TAG}"
+              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
               TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
               echo "tags=${TAGS}" >> $GITHUB_OUTPUT
               echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
@@ -81,7 +95,7 @@ jobs:
               password: ${{ secrets.DOCKER_PASSWORD }}
 
           - name: Build and Push
-            uses: docker/build-push-action@v5
+            uses: docker/build-push-action@v6
             with:
               context: image
               platforms: ${{ steps.prep.outputs.platforms }}
@@ -89,3 +103,24 @@ jobs:
               tags: ${{ steps.prep.outputs.tags }}
               build-args: BASE_IMAGE=${{ matrix.base_image }}
               no-cache: true
+
+          - name: Check gh auth status
+            run: gh auth status
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          - name: Create GitHub Release
+            run: |
+              gh release create "${{ steps.release.outputs.next_tag }}" \
+                --repo "${{ github.repository }}" \
+                --target "${{ steps.release.outputs.current_tag }}" \
+                --title "${{ steps.release.outputs.next_tag }}" \
+                --notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
+
+              Images pushed:
+              - \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
+              - \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yml

@@ -9,7 +9,6 @@ jobs:
     steps:
       - uses: actions/stale@v9
         with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
           stale-pr-message: 'This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.'
           close-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'