improve CI workflow

This improves the CI workflow for the base images. Whenever we
merge/push to `main`, we shellcheck and try to build the images (but we
don't push them). Every night, `nightly` tagged images are created and
pushed. Then, on a biweekly basis, we build the current image, based on
`main` and compare the result to the latest `stable` image. We gather
the changed ubuntu packages and release the just built image as the new `stable` one.
A new tag is pushed and a github release is created which contains the
changed packages and all commits added since the last tag which contain
the conventinal commit preambles `fix`, `feat` or `breaking`.

Author: thirdeyenick

.github/workflows/build-and-publish-nightly.yml

@@ -0,0 +1,107 @@
+name: Build and Publish Nightly
+
+on:
+  workflow_call:
+    inputs:
+      publish:
+        description: "Whether to publish the built images as nightly"
+        type: boolean
+        default: true
+
+permissions:
+  packages: write
+
+jobs:
+  build:
+    name: "Build deploio-heroku:${{ matrix.stack-version }} (${{ matrix.arch }}) image"
+    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: ["amd64", "arm64"]
+        stack-version: ["24"]
+    env:
+      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Build base image groups
+        run: bin/build.sh "${{ matrix.stack-version }}" "${{ matrix.arch }}"
+      - name: Export base images from the Docker daemon
+        if: ${{ inputs.publish }}
+        run: |
+          docker save $(docker images --format '{{.Repository}}:{{.Tag}}' | grep "${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}") | zstd -T0 --long=31 -o images.tar.zst
+      - name: Save base image exports to the cache
+        if: ${{ inputs.publish }}
+        uses: actions/cache/save@v5
+        with:
+          key: ${{ github.run_id }}-${{ matrix.stack-version }}-${{ matrix.arch }}
+          path: images.tar.zst
+
+  publish-nightly-images:
+    if: ${{ inputs.publish }}
+    name: "Publish nightly deploio-heroku:${{ matrix.stack-version }} (${{ matrix.arch }}) image"
+    needs:
+      - build
+    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: ["amd64", "arm64"]
+        stack-version: ["24"]
+    env:
+      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
+    steps:
+      - name: Restore base images from the cache
+        uses: actions/cache/restore@v5
+        with:
+          fail-on-cache-miss: true
+          key: ${{ github.run_id }}-${{ matrix.stack-version }}-${{ matrix.arch }}
+          path: images.tar.zst
+        env:
+          SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
+      - name: Load Docker images into the Docker daemon
+        run: zstd -dc --long=31 images.tar.zst | docker load
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish base images to registry
+        run: |
+          for variant in "" "-build"; do
+            srcTag="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}"
+            nightlyTag="${srcTag}_linux-${{ matrix.arch }}.nightly"
+            docker tag "${srcTag}" "${nightlyTag}"
+            docker push "${nightlyTag}"
+          done
+
+  publish-nightly-multi-arch:
+    if: ${{ inputs.publish }}
+    name: "Publish nightly deploio-heroku:${{ matrix.stack-version }} multi-arch indices"
+    needs:
+      - publish-nightly-images
+    runs-on: ubuntu-24.04
+    env:
+      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
+    strategy:
+      fail-fast: false
+      matrix:
+        stack-version: ["24"]
+    steps:
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Publish multi-arch image index
+        run: |
+          for variant in '' '-build'; do
+            armTag="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}_linux-arm64.nightly"
+            amdTag="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}_linux-amd64.nightly"
+            nightlyIndex="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}.nightly"
+            docker manifest create "${nightlyIndex}" "${amdTag}" "${armTag}"
+            docker manifest push "${nightlyIndex}"
+          done

.github/workflows/ci.yml

@@ -5,10 +5,6 @@ on:
     # Avoid duplicate builds on PRs.
     branches:
       - main
-    tags:
-      - v*
-  schedule:
-    - cron: "0 0 * * 1-5"
   pull_request:
   workflow_dispatch:
 
@@ -26,134 +22,8 @@ jobs:
         run: find . -type f \( -name "*.sh" -o -path "*/bin/*" \) ! -name '*.jq' | xargs -t shellcheck
 
   build:
-    name: "Build heroku-${{ matrix.stack-version }} (${{ matrix.arch }})"
     needs:
       - shellcheck
-    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: ["amd64", "arm64"]
-        stack-version: ["24"]
-    env:
-      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Build base image groups
-        run: bin/build.sh "${{ matrix.stack-version }}" "${{ matrix.arch }}"
-      - name: Check that the generated files are in sync
-        run: |-
-          status="$(git status --porcelain)"
-          if [[ -n "$status" ]]; then
-            echo "Generated files differ from checked-in versions! Run bin/build.sh to regenerate them locally."
-            echo -e "\nChanged files:\n${status}\n"
-            git diff
-            exit 1
-          fi
-      - name: Export base images from the Docker daemon
-        if: github.ref_name == 'main' || github.ref_type == 'tag'
-        run: |
-          docker save $(docker images --format '{{.Repository}}:{{.Tag}}' | grep "${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}") | zstd -T0 --long=31 -o images.tar.zst
-      - name: Save OCI base image exports to the cache
-        if: github.ref_name == 'main' || github.ref_type == 'tag'
-        uses: actions/cache/save@v5
-        with:
-          key: ${{ github.run_id}}-${{ matrix.stack-version }}-${{ matrix.arch }}
-          path: images.tar.zst
-
-  publish-images:
-    if: github.ref_name == 'main' || github.ref_type == 'tag'
-    name: "Publish heroku-${{ matrix.stack-version }} (${{ matrix.arch }})"
-    needs:
-      - build
-    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
-    env:
-      TAG_SUFFIX: ".${{ github.ref_type == 'tag' && github.ref_name || 'nightly' }}"
-      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
-    strategy:
-      fail-fast: false
-      matrix:
-        arch: ["amd64", "arm64"]
-        stack-version: ["24"]
-    steps:
-      - name: Restore base images from the cache
-        uses: actions/cache/restore@v5
-        with:
-          fail-on-cache-miss: true
-          key: ${{ github.run_id}}-${{ matrix.stack-version }}-${{ matrix.arch }}
-          path: images.tar.zst
-        env:
-          SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
-      - name: Load Docker images into the Docker daemon
-        run: zstd -dc --long=31 images.tar.zst | docker load
-      - name: Log in to GitHub Container Registry
-        run: echo '${{ secrets.GITHUB_TOKEN }}' | docker login ghcr.io -u '${{ github.actor }}' --password-stdin
-      - name: Publish base images to registry
-        run: |
-          for variant in "" "-build"; do
-            srcTag="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}"
-            destTag="${srcTag}_linux-${{ matrix.arch }}${TAG_SUFFIX}"
-            docker tag "${srcTag}" "${destTag}"
-            docker push "${destTag}"
-          done
-
-  publish-indices:
-    if: github.ref_name == 'main' || github.ref_type == 'tag'
-    name: "Publish heroku-${{ matrix.stack-version }} indices"
-    needs:
-      - publish-images
-    runs-on: ubuntu-24.04
-    env:
-      TAG_SUFFIX: ".${{ github.ref_type == 'tag' && github.ref_name || 'nightly' }}"
-      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
-    strategy:
-      fail-fast: false
-      matrix:
-        stack-version: ["24"]
-    steps:
-      - name: Log in to GitHub Container Registry
-        run: echo '${{ secrets.GITHUB_TOKEN }}' | docker login ghcr.io -u '${{ github.actor }}' --password-stdin
-      - name: Publish multi-arch image index
-        run: |
-          for variant in '' '-build'; do
-            indexTag="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}${TAG_SUFFIX}"
-            armTag="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}_linux-arm64${TAG_SUFFIX}"
-            amdTag="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}_linux-amd64${TAG_SUFFIX}"
-            docker manifest create "${indexTag}" "${amdTag}" "${armTag}"
-            docker manifest push "${indexTag}"
-          done
-
-  promote-tags:
-    if: github.ref_type == 'tag'
-    name: "Promote heroku-${{ matrix.stack-version }} tags"
-    needs:
-      - publish-images
-      - publish-indices
-    runs-on: ubuntu-24.04
-    strategy:
-      fail-fast: false
-      matrix:
-        stack-version: ["24"]
-    env:
-      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-      - name: Log in to GitHub Container Registry
-        run: echo '${{ secrets.GITHUB_TOKEN }}' | docker login ghcr.io -u '${{ github.actor }}' --password-stdin
-      - name: Install crane
-        uses: buildpacks/github-actions/setup-tools@f3ec16c6d708761c6e87bbc8fe7f97375f80e7cd # v5.10.1
-      - name: Promote images to stable tag
-        run: |
-          destTags=( )
-          for variant in '' '-build'; do
-            for arch in 'amd64' 'arm64'; do
-              destTags+=("${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}_linux-${arch}")
-            done
-            destTags+=("${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}")
-          done
-          for destTag in "${destTags[@]}"; do
-            srcTag="${destTag}.${{ github.ref_name }}"
-            crane copy "${srcTag}" "${destTag}"
-          done
+    uses: ./.github/workflows/build-and-publish-nightly.yml
+    with:
+      publish: false

.github/workflows/nightly.yml

@@ -0,0 +1,14 @@
+name: Nightly
+
+on:
+  schedule:
+    - cron: "0 3 * * *"
+  workflow_dispatch:
+
+permissions:
+  packages: write
+
+jobs:
+  build-and-publish-nightly:
+    uses: ./.github/workflows/build-and-publish-nightly.yml
+    secrets: inherit

.github/workflows/release.yml

@@ -0,0 +1,101 @@
+name: Release
+
+on:
+  schedule:
+    - cron: "0 7 1,15 * *"
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  build-and-publish-nightly:
+    uses: ./.github/workflows/build-and-publish-nightly.yml
+    secrets: inherit
+
+  check-digest:
+    name: "Check if release is needed"
+    needs: build-and-publish-nightly
+    runs-on: ubuntu-24.04
+    outputs:
+      should-release: ${{ steps.check.outputs.should-release }}
+      next-tag: ${{ steps.check.outputs.next-tag }}
+      from-tag: ${{ steps.check.outputs.from-tag }}
+    env:
+      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Install crane
+        uses: buildpacks/github-actions/setup-tools@f3ec16c6d708761c6e87bbc8fe7f97375f80e7cd # v5.10.1
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check digests and determine if release is needed
+        id: check
+        run: bin/check-digest.sh
+
+  release:
+    name: "Release deploio-heroku-${{ matrix.stack-version }}"
+    needs: check-digest
+    if: needs.check-digest.outputs.should-release == 'true'
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix:
+        stack-version: ["24"]
+    env:
+      DOCKER_IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/deploio-heroku
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Install crane
+        uses: buildpacks/github-actions/setup-tools@f3ec16c6d708761c6e87bbc8fe7f97375f80e7cd # v5.10.1
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate release notes
+        run: |
+          bin/generate-release-notes.sh \
+            "${{ matrix.stack-version }}" \
+            "${DOCKER_IMAGE_NAME}" \
+            "${{ needs.check-digest.outputs.from-tag }}" \
+            > /tmp/release-notes.md
+      - name: Promote nightly images to versioned and stable tags
+        run: |
+          nextTag="${{ needs.check-digest.outputs.next-tag }}"
+          for variant in '' '-build'; do
+            for arch in 'amd64' 'arm64'; do
+              src="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}_linux-${arch}.nightly"
+              versioned="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}_linux-${arch}.${nextTag}"
+              stable="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}_linux-${arch}"
+              crane copy "${src}" "${versioned}"
+              crane copy "${src}" "${stable}"
+            done
+            src_index="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}.nightly"
+            versioned_index="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}.${nextTag}"
+            stable_index="${DOCKER_IMAGE_NAME}:${{ matrix.stack-version }}${variant}"
+            crane copy "${src_index}" "${versioned_index}"
+            crane copy "${src_index}" "${stable_index}"
+          done
+      - name: Create git tag and push
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git tag "${{ needs.check-digest.outputs.next-tag }}"
+          git push origin "${{ needs.check-digest.outputs.next-tag }}"
+      - name: Create GitHub release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release create "${{ needs.check-digest.outputs.next-tag }}" --title "${{ needs.check-digest.outputs.next-tag }}" --notes-file /tmp/release-notes.md

BUILD.md

@@ -34,6 +34,12 @@ The `*-build` variants include all the packages from the non-build variant by de
 
 We use GitHub Actions to build and release the base images:
 
-* Any push to `main` will build the images and push the nightly GitHub Container Registry tag variants (such as `ghcr.io/ninech/deploio-heroku:24-build.nightly`).
-* Any new Git tag will build the image and push the latest GitHub Container Registry tag (such as `ghcr.io/ninech/deploio-heroku:24-build`),
-  as well as a versioned tag (such as `ghcr.io/ninech/deploio-heroku:24-build.v123`).
+* Any push to `main` will build the images (proves that images can be build)
+* A nightly job pushes `nightly` tagged GitHub Container Registry variants (such as `ghcr.io/ninech/deploio-heroku:24-build.nightly`).
+* A special release pipeline will run every 2 weeks automatically and create a new `stable`
+  tag of the `run` and `build` images. A new tag and github release will also be created automatically. This
+  pipeline can also be started manually to quickly release a new `stable` version.
+
+The message attached to the github release will contain all changed Ubuntu
+packages (and their versions) and messages made by the conventional commit
+preambles `fix`, `feat` and `breaking change`.

bin/build.sh

@@ -76,6 +76,7 @@ write_package_list() {
 	done
 }
 
+
 RUN_IMAGE_TAG="${REPO}:${STACK_VERSION}"
 RUN_DOCKERFILE_DIR="heroku-${STACK_VERSION}"
 [[ -d "${RUN_DOCKERFILE_DIR}" ]] || abort "fatal: directory ${RUN_DOCKERFILE_DIR} not found"