libseccomp: create workflow to monitor releases

Create a new github workflow to monitor releases daily from the
libseccomp repository. When a new release is detected, lodge an issue
against the Firecracker repo.

Signed-off-by: James Curtis <[email protected]>

Author: JamesC1305

.github/workflows/monitor_libseccomp_releases.yml

@@ -0,0 +1,69 @@
+name: Monitor libseccomp Releases
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Daily at midnight UTC
+  workflow_dispatch:  # Allow manual trigger
+
+permissions:
+  issues: write
+  contents: read
+
+jobs:
+  check-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+          
+      - name: Get current libseccomp version from Dockerfile
+        id: current
+        run: |
+          CURRENT=$(grep 'LIBSECCOMP_VER' tools/devctr/Dockerfile | grep -oP "v[0-9.]+")
+          echo "version=$CURRENT" >> $GITHUB_OUTPUT
+          
+      - name: Check for new libseccomp release
+        id: latest
+        run: |
+          LATEST=$(curl -s https://api.github.com/repos/seccomp/libseccomp/releases/latest | jq -r '.tag_name')
+          echo "version=$LATEST" >> $GITHUB_OUTPUT
+
+      - name: Check latest version is newer
+        id: semver_check
+        run: |
+          CURRENT=$(echo ${{ steps.current.outputs.version }} | grep -oP "[0-9.]+")
+          LATEST=$(echo ${{ steps.latest.outputs.version }} | grep -oP "[0-9.]+") 
+          if ! printf '%s\n%s' "$LATEST" "$CURRENT" | sort -VC && [ "$CURRENT" != "$LATEST" ]; then
+            echo "is_newer=true" >> $GITHUB_OUTPUT;
+          else
+            echo "is_newer=false" >> $GITHUB_OUTPUT;
+          fi
+ 
+      - name: Check if issue exists
+        if: steps.semver_check.outputs.is_newer == 'true' # New release has higher semantic version
+        id: issue_check
+        run: |
+          ISSUES=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            "https://api.github.com/repos/${{ github.repository }}/issues?state=open&labels=dependencies" | \
+          jq -r --arg tag "${{ steps.latest.outputs.version }}" '[.[] | select(.title | contains("chore(deps): update libseccomp to \($tag)"))] | length')
+          echo "exists=$ISSUES" >> $GITHUB_OUTPUT
+
+      - name: Create issue for new release
+        id: create_issue
+        if: steps.semver_check.outputs.is_newer == 'true' && steps.issue_check.outputs.exists == '0' # No existing issue for new version
+        run: |
+          gh issue create \
+            --title "chore(deps): update libseccomp to ${{ steps.latest.outputs.version }}" \
+            --body "$(cat <<EOF
+          A new version of libseccomp has been released: **${{ steps.latest.outputs.version }}**
+
+          Current version in Dockerfile: **${{ steps.current.outputs.version }}**
+
+          Repository: https://github.com/seccomp/libseccomp/releases/tag/${{ steps.latest.outputs.version }}
+
+          Please review and consider updating Firecracker's dependency in \`tools/devctr/Dockerfile\`.
+          EOF
+          )" \
+            --label "dependencies"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

tools/devctr/Dockerfile

@@ -17,6 +17,7 @@ ENV LC_ALL=C.UTF-8
 ENV QEMU_VER="8.1.1"
 ENV CROSVM_VER="9d542e6dafa3a85acd1fb6cd6f1adfa1331c4e96"
 ENV CROSVM_TOOLCHAIN_VER="1.68.2"
+ENV LIBSECCOMP_VER = "v2.5.5"
 
 # Build and install Qemu vhost-user-blk backend
 #
@@ -168,7 +169,7 @@ RUN apt-get update \
         libtool gperf \
     && git clone https://github.com/seccomp/libseccomp /tmp/libseccomp \
     && cd /tmp/libseccomp \
-    && git checkout tags/v2.5.5 \
+    && git checkout tags/${LIBSECCOMP_VER} \
     && ./autogen.sh \
     && CC="musl-gcc -static" ./configure --enable-static=yes --enable-shared=false \
     && make install \