Docker/baseimage-docker
1
0
Fork 1
mirror of https://github.com/phusion/baseimage-docker.git synced 2026-03-27 04:48:33 +00:00
Code Issues Releases Wiki Activity
Files
cd436b03350658c1c2e93caaa632302f8e2f3bc7
baseimage-docker/.github/workflows/scheduled-build.yml
copilot-swe-agent[bot] cd436b0335 Add GH release creation to scheduled security builds, update deprecated workflow components 
- scheduled-build.yml: Create GitHub release after each weekly security
  rebuild with date-stamped tag (e.g. noble-1.0.2-security.20260227)
- scheduled-build.yml: Add date-stamped Docker image tags alongside
  existing version and codename tags
- scheduled-build.yml: Bump permissions to contents:write for release
  creation
- scheduled-build.yml: Exclude security-tagged releases from base
  version lookup to prevent nested tags
- main.yml: Update docker/build-push-action from v5 to v6
- scheduled-build.yml: Update docker/build-push-action from v5 to v6
- stale.yml: Remove deprecated repo-token parameter

Co-authored-by: samip5 <1703002+samip5@users.noreply.github.com>
2026-02-27 12:57:39 +00:00

115 lines
4.6 KiB
YAML
Raw Blame History

name: Scheduled Security Build
on:
schedule:
- cron: '0 2 * * 0' # Every Sunday at 02:00 UTC
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
strategy:
fail-fast: false
matrix:
include:
- ubuntu_codename: noble
base_image: ubuntu:24.04
- ubuntu_codename: jammy
base_image: ubuntu:22.04
steps:
- name: Get latest release tag for this LTS track
id: release
run: |
LATEST_TAG=$(gh release list \
--repo ${{ github.repository }} \
--exclude-pre-releases \
--exclude-drafts \
--json tagName \
--jq '[.[] | select(.tagName | startswith("${{ matrix.ubuntu_codename }}-")) | select(.tagName | contains("-security.") | not)] | first | .tagName')
if [ -z "${LATEST_TAG}" ]; then
echo "No release found for ${{ matrix.ubuntu_codename }} track" >&2
exit 1
fi
echo "tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout release tag
uses: actions/checkout@v4
with:
ref: ${{ steps.release.outputs.tag }}
- name: Prepare
id: prep
run: |
DOCKER_IMAGE=phusion/baseimage
RELEASE_TAG=${{ steps.release.outputs.tag }}
BUILD_DATE=$(date -u +%Y%m%d)
SECURITY_TAG="${RELEASE_TAG}-security.${BUILD_DATE}"
PLATFORMS=amd64,arm,arm64
TAGS="${DOCKER_IMAGE}:${RELEASE_TAG}"
TAGS="${TAGS}, ${DOCKER_IMAGE}:${SECURITY_TAG}"
TAGS="${TAGS}, ${DOCKER_IMAGE}:${{ matrix.ubuntu_codename }}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${RELEASE_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${SECURITY_TAG}"
TAGS="${TAGS}, ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "platforms=${PLATFORMS}" >> $GITHUB_OUTPUT
echo "security_tag=${SECURITY_TAG}" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: ${{ steps.prep.outputs.platforms }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
install: true
version: latest
driver-opts: image=moby/buildkit:latest
- name: Login to GHCR (Github Container Registry)
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Build and Push
uses: docker/build-push-action@v6
with:
context: image
platforms: ${{ steps.prep.outputs.platforms }}
push: true
tags: ${{ steps.prep.outputs.tags }}
build-args: BASE_IMAGE=${{ matrix.base_image }}
no-cache: true
- name: Create GitHub Release
run: |
gh release create "${{ steps.prep.outputs.security_tag }}" \
--repo "${{ github.repository }}" \
--target "${{ steps.release.outputs.tag }}" \
--title "${{ steps.prep.outputs.security_tag }}" \
--notes "Automated weekly security rebuild of \`${{ steps.release.outputs.tag }}\` using \`${{ matrix.base_image }}\`.
Images pushed:
- \`phusion/baseimage:${{ steps.release.outputs.tag }}\`
- \`phusion/baseimage:${{ steps.prep.outputs.security_tag }}\`
- \`phusion/baseimage:${{ matrix.ubuntu_codename }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.release.outputs.tag }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ steps.prep.outputs.security_tag }}\`
- \`ghcr.io/${{ github.repository_owner }}/baseimage:${{ matrix.ubuntu_codename }}\`"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Reference in New Issue View Git Blame Copy Permalink