From 81046cba6d5fea96072b872bb6f0b81055c088c7 Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Fri, 3 Jul 2026 18:17:16 +0200 Subject: [PATCH] feat: auto-release on tracked upstream version bump Adds a workflow that watches docker-bake.hcl for changes to modsec2-version, modsec3-version, httpd-version, or nginx-version. When one of these changes lands on main, it tags and creates a GitHub release, then invokes the publish workflow directly as a reusable workflow so the images build and push without waiting for the next manual release. --- .github/workflows/auto-release.yml | 93 ++++++++++++++++++++++++++++++ .github/workflows/publish.yml | 6 ++ 2 files changed, 99 insertions(+) create mode 100644 .github/workflows/auto-release.yml diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml new file mode 100644 index 0000000..bfc8fc7 --- /dev/null +++ b/.github/workflows/auto-release.yml @@ -0,0 +1,93 @@ +name: Auto-release on upstream version bump + +on: + push: + branches: [main] + paths: + - docker-bake.hcl + +permissions: {} + +jobs: + check-version-bump: + runs-on: ubuntu-latest + permissions: + contents: read + outputs: + bumped: ${{ steps.check.outputs.bumped }} + steps: + - name: Checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # actions/checkout@v5 + with: + fetch-depth: 0 + persist-credentials: false + + - name: Check for tracked upstream version bump + id: check + run: | + set -euo pipefail + BEFORE="${{ github.event.before }}" + if [ -z "${BEFORE//0/}" ]; then + echo "No previous commit to diff against; skipping." + echo "bumped=false" >> "$GITHUB_OUTPUT" + exit 0 + fi + + version_of() { + git show "$1:docker-bake.hcl" | awk -v var="$2" ' + $0 ~ "variable \"" var "\"" { found=1 } + found && /default *=/ { print; exit } + ' + } + + bumped=false + for var in modsec2-version modsec3-version httpd-version nginx-version; do + old=$(version_of "$BEFORE" "$var") + new=$(version_of "${{ github.sha }}" "$var") + if [ "$old" != "$new" ]; then + echo "Version bump detected for $var: $old -> $new" + bumped=true + fi + done + echo "bumped=$bumped" >> "$GITHUB_OUTPUT" + + tag-and-release: + needs: check-version-bump + if: needs.check-version-bump.outputs.bumped == 'true' + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # actions/checkout@v5 + with: + persist-credentials: false + + - name: Create release tag and GitHub release + env: + GH_TOKEN: ${{ github.token }} + run: | + set -euo pipefail + base="release/$(date -u +%Y%m%d)" + tag="$base" + suffix=1 + while gh api "repos/${{ github.repository }}/git/ref/tags/$tag" >/dev/null 2>&1; do + tag="${base}-${suffix}" + suffix=$((suffix + 1)) + done + + gh release create "$tag" \ + --target "${{ github.sha }}" \ + --title "$tag" \ + --generate-notes + + publish: + needs: tag-and-release + permissions: + contents: read + packages: write + id-token: write + uses: ./.github/workflows/publish.yml + secrets: + dockerhub_user: ${{ secrets.dockerhub_user }} + dockerhub_token: ${{ secrets.dockerhub_token }} diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2c49aad..c1e5a85 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -3,6 +3,12 @@ name: Build and publish images for container registries on: release: types: [published] + workflow_call: + secrets: + dockerhub_user: + required: true + dockerhub_token: + required: true permissions: {}