Docker/baseimage-docker
1
0
Fork 1
mirror of https://github.com/phusion/baseimage-docker.git synced 2026-03-26 20:38:58 +00:00
Code Issues Releases Wiki Activity
Files
33033d8eb511e7c20423e8500ff18c7baf91d045
baseimage-docker/.github/workflows/scheduled-build.yml
copilot-swe-agent[bot] 33033d8eb5 Replace security date tags with patch version bumps in scheduled builds 
The scheduled weekly security build now bumps the patch version
(e.g. noble-1.0.2 -> noble-1.0.3) instead of appending
-security.YYYYMMDD. Each rebuild creates a proper GitHub release
with the new patch tag and pushes Docker images accordingly.

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>
2026-02-27 13:09:20 +00:00

118 lines
4.7 KiB
YAML
Raw Blame History

name: Scheduled Security Build
on:
schedule:
- cron: '0 2 * * 0' # Every Sunday at 02:00 UTC
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
strategy:
fail-fast: false
matrix:
include:
- ubuntu_codename: noble
base_image: ubuntu:24.04
- ubuntu_codename: jammy
base_image: ubuntu:22.04
steps:
- name: Get latest release tag and compute next patch version
id: release
run: |
LATEST_TAG=$(gh release list \
--repo ${{ github.repository }} \
--exclude-pre-releases \
--exclude-drafts \
--json tagName \
--jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-"))] | first | .tagName')
if [ -z "${LATEST_TAG}" ]; then
echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
exit 1
fi
# Extract version and bump patch: noble-1.0.2 -> noble-1.0.3
if ! echo "${LATEST_TAG}" | grep -qE '^[a-z]+-[0-9]+\.[0-9]+\.[0-9]+$'; then
echo "Tag '${LATEST_TAG}' does not match expected format <codename>-<major>.<minor>.<patch>" >&2
exit 1
fi
PREFIX="${LATEST_TAG%.*}" # noble-1.0
PATCH="${LATEST_TAG##*.}" # 2
NEXT_PATCH=$((PATCH + 1))
NEXT_TAG="${PREFIX}.${NEXT_PATCH}" # noble-1.0.3
echo "current_tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
echo "next_tag=${NEXT_TAG}" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout release tag
uses: actions/checkout@v4
with:
ref: ${{ steps.release.outputs.current_tag }}
- name: Prepare
id: prep
run: |
DOCKER_IMAGE=phusion/baseimage
NEXT_TAG=${{ steps.release.outputs.next_tag }}
PLATFORMS=amd64,arm,arm64
TAGS="${DOCKER_IMAGE}:${NEXT_TAG}"
TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${NEXT_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: ${{ steps.prep.outputs.platforms }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
install: true
version: latest
driver-opts: image=moby/buildkit:latest
- name: Login to GHCR (Github Container Registry)
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and Push
uses: docker/build-push-action@v6
with:
context: image
platforms: ${{ steps.prep.outputs.platforms }}
push: true
tags: ${{ steps.prep.outputs.tags }}
build-args: BASE_IMAGE=${{ matrix.base_image }}
no-cache: true
- name: Create GitHub Release
run: |
gh release create "${{ steps.release.outputs.next_tag }}" \
--repo "${{ github.repository }}" \
--target "${{ steps.release.outputs.current_tag }}" \
--title "${{ steps.release.outputs.next_tag }}" \
--notes "Automated weekly security rebuild of \`${{ steps.release.outputs.current_tag }}\` with latest \`${{ matrix.base_image }}\` packages.
Images pushed:
- \`phusion/baseimage:${{ steps.release.outputs.next_tag }}\`
- \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.next_tag }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Reference in New Issue View Git Blame Copy Permalink