mirror of https://github.com/phusion/baseimage-docker.git synced 2026-03-26 12:29:07 +00:00

Compare commits


4 Commits

Author SHA1 Message Date
copilot-swe-agent[bot]
33033d8eb5 Replace security date tags with patch version bumps in scheduled builds
The scheduled weekly security build now bumps the patch version
(e.g. noble-1.0.2 -> noble-1.0.3) instead of appending
-security.YYYYMMDD. Each rebuild creates a proper GitHub release
with the new patch tag and pushes Docker images accordingly.

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>
2026-02-27 13:09:20 +00:00
copilot-swe-agent[bot]
cd436b0335 Add GH release creation to scheduled security builds, update deprecated workflow components
- scheduled-build.yml: Create GitHub release after each weekly security
  rebuild with date-stamped tag (e.g. noble-1.0.2-security.20260227)
- scheduled-build.yml: Add date-stamped Docker image tags alongside
  existing version and codename tags
- scheduled-build.yml: Bump permissions to contents:write for release
  creation
- scheduled-build.yml: Exclude security-tagged releases from base
  version lookup to prevent nested tags
- main.yml: Update docker/build-push-action from v5 to v6
- scheduled-build.yml: Update docker/build-push-action from v5 to v6
- stale.yml: Remove deprecated repo-token parameter

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>
2026-02-27 12:57:39 +00:00
copilot-swe-agent[bot]
00987409ee Create GH releases on tag push, update deprecated workflow components
- main.yml: Trigger on tag pushes (noble-*, jammy-*) instead of manual
  release published events
- main.yml: Add step to create GitHub release after image build+push
- main.yml: Add contents:write + packages:write permissions
- main.yml: Update docker/build-push-action from v5 to v6
- scheduled-build.yml: Update docker/build-push-action from v5 to v6
- stale.yml: Remove deprecated repo-token parameter

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>
2026-02-27 12:51:54 +00:00
copilot-swe-agent[bot]
e62ee93f8a Initial plan 2026-02-27 12:48:29 +00:00
3 changed files with 35 additions and 10 deletions


@@ -76,7 +76,7 @@ jobs:
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and Push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
builder: ${{ steps.buildx.outputs.name }}
context: image


@@ -9,7 +9,7 @@ jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
contents: write
packages: write
strategy:
fail-fast: false
@@ -20,7 +20,7 @@ jobs:
- ubuntu_codename: jammy
base_image: ubuntu:22.04
steps:
- name: Get latest release tag for this LTS track
- name: Get latest release tag and compute next patch version
id: release
run: |
LATEST_TAG=$(gh release list \
@@ -33,24 +33,34 @@ jobs:
echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
exit 1
fi
echo "tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
# Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
exit 1
fi
PREFIX="${LATEST_TAG%.*}" # noble-1.0
PATCH="${LATEST_TAG##*.}" # 2
NEXT_PATCH=$((PATCH + 1))
NEXT_TAG="${PREFIX}.${NEXT_PATCH}" # noble-1.0.3
echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout release tag
uses: actions/checkout@v4
with:
ref: ${{ steps.release.outputs.tag }}
ref: ${{ steps.release.outputs.current_tag }}
- name: Prepare
id: prep
run: |
DOCKER_IMAGE=phusion/baseimage
RELEASE_TAG=${{ steps.release.outputs.tag }}
NEXT_TAG=${{ steps.release.outputs.next_tag }}
PLATFORMS=amd64,arm,arm64
TAGS="${DOCKER_IMAGE}:${RELEASE_TAG}"
TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${RELEASE_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
@@ -81,7 +91,7 @@ jobs:
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and Push
uses: docker/build-push-action@v5
uses: docker/build-push-action@v6
with:
context: image
platforms: ${{ steps.prep.outputs.platforms }}
@@ -89,3 +99,19 @@ jobs:
tags: ${{ steps.prep.outputs.tags }}
build-args: BASE_IMAGE=${{ matrix.base_image }}
no-cache: true
- name: Create GitHub Release
run: |
gh release create "${{ steps.release.outputs.next_tag }}" \
--repo "${{ github.repository }}" \
--target "${{ steps.release.outputs.current_tag }}" \
--title "${{ steps.release.outputs.next_tag }}" \
--notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
Images pushed:
- \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
- \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
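Review bot: The job-level `contents: write` in the `permissions:` block of the first hunk now applies to every step of the build job, including the registry login and the `docker/build-push-action@v6` build, although only the final `Create GitHub Release` step needs it. Because `actions/checkout@v4` keeps the job token in the local git config by default, every later step can read a token that is now write-capable; adding `persist-credentials: false` under the `with:` of the `Checkout release tag` step removes that copy. A stricter layout keeps `contents: read` on the build job and moves release creation into a follow-up job that alone declares `contents: write`. The `jobs:` block and several steps lie outside the visible hunks, so other steps may need the same check.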


@@ -9,7 +9,6 @@ jobs:
steps:
- uses: actions/stale@v9
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
stale-pr-message: 'This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.'
close-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'