23 changes: 23 additions & 0 deletions .github/actions/bump_tag/action.yml
@@ -0,0 +1,23 @@
name: Push new tag with version bump

runs:
using: "composite"
steps:
- name: Create new patch release
shell: bash
working-directory: ${{ github.workspace }}
env:
GH_TOKEN: ${{ github.token }}
Copilot AI Oct 19, 2025

The github.token should be explicitly passed as an input to this composite action rather than being implicitly available. Composite actions don't automatically inherit secrets/tokens from the caller's context. This will likely fail with a permissions error when the action attempts to use gh CLI commands.

run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions[bot]@users.noreply.github.com"
LATEST_TAG=`git tag --list "v[0-9]*.[0-9]*.[0-9]*\+[0-9]*" --sort=-v:refname | head -n 1`
RELEASE_VERSION=${LATEST_TAG%%+*}
BUILD_VERSION=${LATEST_TAG##*+}
NEW_BUILD_VERSION=$((BUILD_VERSION + 1))
NEW_TAG="${RELEASE_VERSION}+${NEW_BUILD_VERSION}"
echo "Latest tag: $LATEST_TAG"
echo "New tag: $NEW_TAG"
git tag $NEW_TAG $LATEST_TAG
git push origin $NEW_TAG
gh workflow run release --ref $NEW_TAG
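Review bot: the `run` block never checks that `LATEST_TAG` is non-empty; if no tag matches the `v[0-9]*.[0-9]*.[0-9]*\+[0-9]*` glob, `RELEASE_VERSION` and `BUILD_VERSION` come out empty, `$((BUILD_VERSION + 1))` evaluates to 1, and the step ends up running `git tag +1`, which fails with an unhelpful error rather than a clear one. Add a guard right after the `git tag --list` line, e.g. `[ -n "$LATEST_TAG" ] || { echo "no release tag found"; exit 1; }`, and quote the expansions in `git tag "$NEW_TAG" "$LATEST_TAG"`, `git push origin "$NEW_TAG"` and `gh workflow run release --ref "$NEW_TAG"`. A short comment above the `gh workflow run` line explaining that the tag push alone is not relied on to start release.yml (which is why this PR also adds `workflow_dispatch` there) would help the next person who reads this action.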
1 change: 1 addition & 0 deletions .github/workflows/release.yml
@@ -4,6 +4,7 @@ on:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+\\+[0-9]+"
workflow_dispatch:

concurrency:
group: rspamd-docker-${{ github.ref_name }}
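Review bot: the new `workflow_dispatch` trigger has no ref check, so a manual dispatch from a branch runs this workflow with `github.ref_name` set to a branch name instead of a `v*.*.*+*` tag, something the tag-pattern `push` trigger otherwise guarantees; consider gating the release job with `if: startsWith(github.ref, 'refs/tags/v')` so that only dispatches made with `--ref <tag>` (as the bump_tag action does) actually build and publish.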
75 changes: 69 additions & 6 deletions .github/workflows/security.yml
@@ -6,12 +6,75 @@ on:
workflow_dispatch:

jobs:
security_check:
autosecurity:
permissions:
actions: write
contents: write
runs-on: "ubuntu-22.04"
steps:
- name: Run grype
uses: anchore/scan-action@v4
- name: Check out source code
uses: actions/checkout@v4
with:
image: rspamd/rspamd:latest
only-fixed: true
severity-cutoff: low
fetch-depth: 0

- name: Download grype
uses: anchore/scan-action/download-grype@v4
id: grype

- name: Check image
run: |
${{steps.grype.outputs.cmd}} --only-fixed -o json --file report_release.json ghcr.io/${{ github.repository }}
RELEASE_VULN_COUNT=`jq '(.matches | length)' report_release.json`
echo Counted $RELEASE_VULN_COUNT vulnerabilities in release image.
echo RELEASE_VULN_COUNT=$RELEASE_VULN_COUNT >> "$GITHUB_ENV"

- name: Get old package tag
if: ${{ env.RELEASE_VULN_COUNT != '0' }}
run: |
OLD_PKG_TAG=`docker inspect ghcr.io/${{ github.repository }} | jq -r '.[0].Config.Labels."com.rspamd.pkg-tag"'`
echo "OLD_PKG_TAG=$OLD_PKG_TAG" >> "$GITHUB_ENV"

- name: Build test image
if: ${{ env.RELEASE_VULN_COUNT != '0' }}
id: build_test
uses: docker/build-push-action@v5
with:
build-args: |
PKG_IMG=ghcr.io/${{ github.repository }}
PKG_TAG=${{ env.OLD_PKG_TAG }}
file: Dockerfile
push: false
tags: ""

- name: Check test image
if: ${{ env.RELEASE_VULN_COUNT != '0' }}
run: |
${{steps.grype.outputs.cmd}} --only-fixed -o json --file report_test.json ${{ steps.build_test.outputs.digest }}
TEST_VULN_COUNT=`jq '(.matches | length)' report_test.json`
echo Counted $TEST_VULN_COUNT vulnerabilities in test image.
echo TEST_VULN_COUNT=$TEST_VULN_COUNT >> "$GITHUB_ENV"

- name: Push new tag if test image checked clean
if: ${{ env.RELEASE_VULN_COUNT != '0' && env.TEST_VULN_COUNT == '0' }}
uses: ./.github/actions/bump_tag

- name: Check if test image is relatively better
if: ${{ env.RELEASE_VULN_COUNT != '0' && env.TEST_VULN_COUNT != '0' }}
run: |
jq '.matches.[].vulnerability.id' report_release.json | sort | uniq > release_vulns.txt
jq '.matches.[].vulnerability.id' report_test.json | sort | uniq > test_vulns.txt
NEWVULNS=$(comm -23 test_vulns.txt release_vulns.txt | wc -l)
if [ "$NEWVULNS" -gt 0 ]; then
echo "New test image has $NEWVULNS novel vulnerabilities? Weird... :("
fi
FIXEDVULNS=$(comm -23 release_vulns.txt test_vulns.txt | wc -l)
if [ "$FIXEDVULNS" -gt 0 ]; then
echo "Found $FIXEDVULNS vulnerabilities fixed in new test image. Bumping tag."
echo "BUMP_TAG=1" >> "$GITHUB_ENV"
else
echo "test image not fixed yet? OK... :("
fi

- name: Push new tag if test image is better
if: ${{ env.BUMP_TAG == '1' }}
uses: ./.github/actions/bump_tag
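Review bot: the `Get old package tag` step runs `docker inspect ghcr.io/${{ github.repository }}` without ever pulling the image; grype fetches the release image from the registry on its own, so nothing has loaded it into the local Docker daemon and `docker inspect` will fail with `No such object`, aborting the job. Add `docker pull ghcr.io/${{ github.repository }}:latest` before the inspect, and spell the `:latest` tag out in both the grype and inspect invocations so the two steps are guaranteed to look at the same image. Two further points in the same hunk: the `jq '.matches.[].vulnerability.id'` filters in `Check if test image is relatively better` use the `.[]`-after-a-field form that older jq releases reject as a syntax error, so `.matches[].vulnerability.id` is the safer spelling; and `Build test image` sets `tags: ""` with `push: false` and then scans `${{ steps.build_test.outputs.digest }}`, which is a bare `sha256:` digest with no repository attached, so give the test build a local tag (e.g. `tags: rspamd-test:ci` with `load: true`) and scan that tag instead, confirming that grype picks it up from the daemon. Lastly, the "relatively better" branch bumps the tag whenever `FIXEDVULNS` is non-zero even when `NEWVULNS` is also non-zero; if that trade-off is intended, say so in a comment next to the `echo "New test image has $NEWVULNS novel vulnerabilities?"` line.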