Replace security date tags with patch version bumps in scheduled builds

The scheduled weekly security build now bumps the patch version
(e.g. noble-1.0.2 -> noble-1.0.3) instead of appending
-security.YYYYMMDD. Each rebuild creates a proper GitHub release
with the new patch tag and pushes Docker images accordingly.

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>

.github/workflows/main.yml

@@ -20,6 +20,17 @@ jobs:
               # Set the platforms to build for here and thus reduce duplicating it.
               PLATFORMS=amd64,arm,arm64
               TAGS="${DOCKER_IMAGE}:${GIT_BRANCH}, ghcr.io/${{ github.repository_owner }}/baseimage:${GIT_BRANCH}"
+
+              # Determine BASE_IMAGE from release tag prefix (e.g. noble-1.0.2 -> ubuntu:24.04)
+              if [[ "${GIT_BRANCH}" == noble-* ]]; then
+                BASE_IMAGE="ubuntu:24.04"
+              elif [[ "${GIT_BRANCH}" == jammy-* ]]; then
+                BASE_IMAGE="ubuntu:22.04"
+              else
+                # Default to noble (latest LTS) for unrecognised tag prefixes
+                echo "::warning::Unrecognized release tag prefix '${GIT_BRANCH}'. Expected it to start with 'noble-' or 'jammy-'. Defaulting BASE_IMAGE to ubuntu:24.04 (Noble)."
+                BASE_IMAGE="ubuntu:24.04"
+              fi
               
               # Set output parameters.
               
@@ -32,6 +43,7 @@ jobs:
                 echo "docker_image=${DOCKER_IMAGE}" >> $GITHUB_OUTPUT
               fi
               echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
+              echo "base_image=${BASE_IMAGE}" >> $GITHUB_OUTPUT
 
 
           - name: Set up QEMU
@@ -64,10 +76,11 @@ jobs:
                 password: ${{ secrets.DOCKER_PASSWORD }}
 
           - name: Build and Push
-            uses: docker/build-push-action@v5
+            uses: docker/build-push-action@v6
             with:
               builder: ${{ steps.buildx.outputs.name }}
               context: image
               platforms: ${{ steps.prep.outputs.platforms }}
               push: ${{ steps.prep.outputs.push }}
               tags: ${{ steps.prep.outputs.tags }}
+              build-args: BASE_IMAGE=${{ steps.prep.outputs.base_image }}

.github/workflows/scheduled-build.yml

@@ -0,0 +1,117 @@
+name: Scheduled Security Build
+
+on:
+    schedule:
+        - cron: '0 2 * * 0'  # Every Sunday at 02:00 UTC
+    workflow_dispatch:
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        permissions:
+            contents: write
+            packages: write
+        strategy:
+            fail-fast: false
+            matrix:
+                include:
+                    - ubuntu_codename: noble
+                      base_image: ubuntu:24.04
+                    - ubuntu_codename: jammy
+                      base_image: ubuntu:22.04
+        steps:
+          - name: Get latest release tag and compute next patch version
+            id: release
+            run: |
+              LATEST_TAG=$(gh release list \
+                --repo ${{ github.repository }} \
+                --exclude-pre-releases \
+                --exclude-drafts \
+                --json tagName \
+                --jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-"))] | first | .tagName')
+              if [ -z "${LATEST_TAG}" ]; then
+                echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
+                exit 1
+              fi
+              # Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
+              if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
+                echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
+                exit 1
+              fi
+              PREFIX="${LATEST_TAG%.*}"            # noble-1.0
+              PATCH="${LATEST_TAG##*.}"            # 2
+              NEXT_PATCH=$((PATCH + 1))
+              NEXT_TAG="${PREFIX}.${NEXT_PATCH}"  # noble-1.0.3
+              echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
+              echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+          - name: Checkout release tag
+            uses: actions/checkout@v4
+            with:
+              ref: ${{ steps.release.outputs.current_tag }}
+
+          - name: Prepare
+            id: prep
+            run: |
+              DOCKER_IMAGE=phusion/baseimage
+              NEXT_TAG=${{ steps.release.outputs.next_tag }}
+              PLATFORMS=amd64,arm,arm64
+              TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
+              TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
+              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
+              TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
+              echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+              echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
+
+          - name: Set up QEMU
+            uses: docker/setup-qemu-action@v3
+            with:
+              platforms: ${{ steps.prep.outputs.platforms }}
+
+          - name: Set up Docker Buildx
+            uses: docker/setup-buildx-action@v3
+            with:
+              install: true
+              version: latest
+              driver-opts: image=moby/buildkit:latest
+
+          - name: Login to GHCR (Github Container Registry)
+            uses: docker/login-action@v3
+            with:
+              registry: ghcr.io
+              username: ${{ github.actor }}
+              password: ${{ secrets.GITHUB_TOKEN }}
+
+          - name: Login to Docker Hub
+            uses: docker/login-action@v3
+            with:
+              username: ${{ secrets.DOCKER_USERNAME }}
+              password: ${{ secrets.DOCKER_PASSWORD }}
+
+          - name: Build and Push
+            uses: docker/build-push-action@v6
+            with:
+              context: image
+              platforms: ${{ steps.prep.outputs.platforms }}
+              push: true
+              tags: ${{ steps.prep.outputs.tags }}
+              build-args: BASE_IMAGE=${{ matrix.base_image }}
+              no-cache: true
+
+          - name: Create GitHub Release
+            run: |
+              gh release create "${{ steps.release.outputs.next_tag }}" \
+                --repo "${{ github.repository }}" \
+                --target "${{ steps.release.outputs.current_tag }}" \
+                --title "${{ steps.release.outputs.next_tag }}" \
+                --notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
+
+              Images pushed:
+              - \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
+              - \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
+              - \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
+            env:
+              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yml

@@ -9,7 +9,6 @@ jobs:
     steps:
       - uses: actions/stale@v9
         with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: 'This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.'
           stale-pr-message: 'This Pull Request has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thank you for your contribution.'
           close-issue-message: 'Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.'

LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2013-2015 Phusion Holding B.V.
+Copyright (c) 2013-2025 Phusion Holding B.V.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -1,4 +1,4 @@
-VERSION ?= noble-1.0.0
+VERSION ?= noble-1.0.2
 ifdef BASE_IMAGE
 	BUILD_ARG = --build-arg BASE_IMAGE=$(BASE_IMAGE)
 	ifndef NAME

README.md

@@ -586,7 +586,7 @@ Start a virtual machine with Docker in it. You can use the Vagrantfile that we'v
 
 First, install `vagrant-disksize` plug-in:
 
-    vagrant plugin install vagrant-disksize:
+    vagrant plugin install vagrant-disksize
 
 Then, start the virtual machine
 

image/prepare.sh

@@ -50,6 +50,7 @@ case $(lsb_release -is) in
     ;;
   Debian)
     $minimal_apt_get_install locales locales-all
+    echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
     ;;
   *)
     ;;