[PMAR-290] Automate patching (#49)

apmatthews · web-flow · commit a8ead643aea8 · 2026-01-05T14:29:05.000-05:00
* Add scheduled rebuild workflow

* Remove dependency on instrumentisto/rsync-ssh

Dependabot version checks aren't able to detect changes to the base
image because the tag format (i.e. alpine3.20) is not standard semver.
This prevents Dependabot from automatically updating the base image when
a new version is released, creating the need to manually monitor for and
apply base image updates.

The instrumentisto/rsync-ssh base image isn't particularly complex and
we're already running package updates and installing a few additional
dependencies. Therefore, it makes sense to just use alpine directly and
install all of the instrumentisto/rsync-ssh dependencies ourselves. This
should allow Dependabot to automatically update the base image when a
new version is released.

* Update documentation

* Drop unused v prefix for image tags
diff --git a/.changeset/flat-shrimps-hide.md b/.changeset/flat-shrimps-hide.md
@@ -0,0 +1,5 @@
+---
+"@wpengine/site-deploy": patch
+---
+
+Remove dependency on instrumentisto/rsync-ssh
diff --git a/.github/workflows/scheduled-rebuild.yml b/.github/workflows/scheduled-rebuild.yml
@@ -0,0 +1,55 @@
+name: Scheduled Docker Rebuild
+
+on:
+  schedule:
+    # Run monthly on the 1st at 00:00 UTC
+    - cron: '0 0 1 * *'
+  workflow_dispatch: # Allow manual triggers
+
+jobs:
+  rebuild:
+    name: Rebuild Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get current version
+        id: version
+        run: |
+          VERSION=$(jq -r '.version' package.json)
+          MAJOR=$(echo $VERSION | cut -d. -f1)
+          MINOR=$(echo $VERSION | cut -d. -f2)
+          PATCH=$(echo $VERSION | cut -d. -f3)
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+          echo "MAJOR=$MAJOR" >> $GITHUB_OUTPUT
+          echo "MINOR=$MINOR" >> $GITHUB_OUTPUT
+          echo "PATCH=$PATCH" >> $GITHUB_OUTPUT
+
+      - name: Checkout release tag
+        run: git checkout v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}.${{ steps.version.outputs.PATCH }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            wpengine/site-deploy:latest
+            wpengine/site-deploy:${{ steps.version.outputs.MAJOR }}
+            wpengine/site-deploy:${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}
+            wpengine/site-deploy:${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}.${{ steps.version.outputs.PATCH }}
+          # No cache - we want fresh base image layers for security patches
+          no-cache: true
+
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -38,15 +38,35 @@ Any other customizations that are uniquely required can be added to the Dockerfi
 
 ## Updating the Docker Image
 
-The `latest` Docker Image will be updated automatically after merging into the `main` branch.
-`wpengine/site-deploy:latest`
+### Automatic Builds
 
+Docker images are built and pushed automatically:
 
-A versioned Docker Image will be automatically generated for each release of this repository, based on the tag name
-`wpengine/site-deploy:{tagName}`
+| Trigger | Tags Updated | Source |
+|---------|--------------|--------|
+| Push to `main` | `latest` | Docker Hub Autobuild |
+| New version release | `latest`, `vX`, `vX.Y`, `vX.Y.Z` | Docker Hub Autobuild |
+| Monthly schedule (1st of month) | `latest`, `vX`, `vX.Y`, `vX.Y.Z` | GitHub Actions |
 
-Additional Docker Images will be automatically generated for each branch to use in testing.
-`wpengine/site-deploy:branch-{branchName}`
+The scheduled monthly rebuild ensures security patches are applied even when there are no new releases. This workflow uses `no-cache` to pull fresh base image layers.
+
+### Base Image Maintenance
+
+The Dockerfile uses Alpine Linux as its base image. The base image follows this update pattern:
+
+- **Dependabot** monitors for new Alpine versions and creates PRs automatically
+- **Scheduled rebuilds** pick up security patches from `apk upgrade` monthly
+- Alpine releases new versions every 6 months (roughly June and December)
+
+When Dependabot opens a PR for a new Alpine version:
+
+1. Review the [Alpine release notes](https://alpinelinux.org/releases/) for breaking changes
+2. Add a changeset to the PR (`npx changeset`) so a proper release is created when merged
+3. Merge the PR to trigger a new versioned release
+
+### Docker Hub
+
+Images are published to DockerHub: [wpengine/site-deploy](https://hub.docker.com/r/wpengine/site-deploy)
 
 ## Manually updating the Docker Image
 
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,15 @@
-FROM instrumentisto/rsync-ssh:alpine3.20
-# Install dependencies
+FROM alpine:3.20
+
 RUN apk update \
  && apk upgrade \
  && apk add --no-cache \
+            rsync \
+            openssh-client-default sshpass \
+            gettext-envsubst \
+            ca-certificates tzdata \
             bash \
             php \
+ && update-ca-certificates \
  && rm -rf /var/cache/apk/*
 # Add entrypoint and utils
 COPY utils /utils

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@wpengine/site-deploy": patch
 +---
++
 +Remove dependency on instrumentisto/rsync-ssh