From 8d74fe46977e72a3e692855feaaa62d823ab0834 Mon Sep 17 00:00:00 2001
From: Andrew Matthews
Date: Tue, 30 Dec 2025 11:55:53 -0500
Subject: [PATCH 1/3] Add scheduled rebuild workflow
---
.github/workflows/scheduled-rebuild.yml | 55 +++++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 .github/workflows/scheduled-rebuild.yml
diff --git a/.github/workflows/scheduled-rebuild.yml b/.github/workflows/scheduled-rebuild.yml
new file mode 100644
index 0000000..fc46a32
--- /dev/null
+++ b/.github/workflows/scheduled-rebuild.yml
@@ -0,0 +1,55 @@
+name: Scheduled Docker Rebuild
+
+on:
+ schedule:
+ # Run monthly on the 1st at 00:00 UTC
+ - cron: '0 0 1 * *'
+ workflow_dispatch: # Allow manual triggers
+
+jobs:
+ rebuild:
+ name: Rebuild Docker Image
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repo
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Get current version
+ id: version
+ run: |
+ VERSION=$(jq -r '.version' package.json)
+ MAJOR=$(echo $VERSION | cut -d. -f1)
+ MINOR=$(echo $VERSION | cut -d. -f2)
+ PATCH=$(echo $VERSION | cut -d. -f3)
+ echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+ echo "MAJOR=$MAJOR" >> $GITHUB_OUTPUT
+ echo "MINOR=$MINOR" >> $GITHUB_OUTPUT
+ echo "PATCH=$PATCH" >> $GITHUB_OUTPUT
+
+ - name: Checkout release tag
+ run: git checkout v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}.${{ steps.version.outputs.PATCH }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Build and push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: |
+ wpengine/site-deploy:latest
+ wpengine/site-deploy:v${{ steps.version.outputs.MAJOR }}
+ wpengine/site-deploy:v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}
+ wpengine/site-deploy:v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}.${{ steps.version.outputs.PATCH }}
+ # No cache - we want fresh base image layers for security patches
+ no-cache: true
+
From 01ea657e9daa17120fc4cf41556314e3d0f676d0 Mon Sep 17 00:00:00 2001
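Review bot: The `run: git checkout v${{ steps.version.outputs.MAJOR }}...` step splices step outputs straight into the shell script, and those outputs are whatever `jq -r '.version' package.json` returned from the default branch, so a crafted `version` string (likewise the unquoted `$VERSION` fed to `cut`) would be executed as shell rather than used as a tag name; route the value through `env:` and quote it, as below. The workflow also declares no `permissions:`, so the job runs with the repository's default `GITHUB_TOKEN` scope although it only needs to read the checkout (the push uses the Docker Hub token); add `permissions: contents: read` at the top level. The four actions are referenced by mutable major tags (`actions/checkout@v4`, `docker/login-action@v3`, …); pinning each to a full commit SHA, with the tag in a trailing comment, closes the remaining supply-chain gap for a job that holds push credentials. Whether `no-cache: true` alone makes the builder re-resolve `alpine:3.20` from the registry depends on the builder's image cache; `pull: true` on the build step states that intent explicitly.
```yaml
permissions:
  contents: read

# … unchanged: on:, jobs.rebuild header, Checkout Repo and Get current version steps …

      - name: Checkout release tag
        env:
          RELEASE_TAG: v${{ steps.version.outputs.MAJOR }}.${{ steps.version.outputs.MINOR }}.${{ steps.version.outputs.PATCH }}
        run: git checkout "$RELEASE_TAG"

# … unchanged: Buildx, Docker Hub login and Build and push steps …
```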
From: Andrew Matthews
Date: Tue, 30 Dec 2025 11:56:52 -0500
Subject: [PATCH 2/3] Remove dependency on instrumentisto/rsync-ssh
Dependabot version checks aren't able to detect changes to the base image because the tag format (i.e. alpine3.20) is not standard semver. This prevents Dependabot from automatically updating the base image when a new version is released, creating the need to manually monitor for and apply base image updates. The instrumentisto/rsync-ssh base image isn't particularly complex and we're already running package updates and installing a few additional dependencies. Therefore, it makes sense to just use alpine directly and install all of the instrumentisto/rsync-ssh dependencies ourselves. This should allow Dependabot to automatically update the base image when a new version is released.
---
.changeset/flat-shrimps-hide.md | 5 +++++
Dockerfile | 9 +++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
create mode 100644 .changeset/flat-shrimps-hide.md
diff --git a/.changeset/flat-shrimps-hide.md b/.changeset/flat-shrimps-hide.md
new file mode 100644
index 0000000..e662461
--- /dev/null
+++ b/.changeset/flat-shrimps-hide.md
@@ -0,0 +1,5 @@
+---
+"@wpengine/site-deploy": patch
+---
+
+Remove dependency on instrumentisto/rsync-ssh
diff --git a/Dockerfile b/Dockerfile
index 36304af..6b87d2d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,15 @@
-FROM instrumentisto/rsync-ssh:alpine3.20
-# Install dependencies
+FROM alpine:3.20
+
 RUN apk update \
 && apk upgrade \
 && apk add --no-cache \
+ rsync \
+ openssh-client-default sshpass \
+ gettext-envsubst \
+ ca-certificates tzdata \
 bash \
 php \
+ && update-ca-certificates \
 && rm -rf /var/cache/apk/*
 # Add entrypoint and utils
 COPY utils /utils
From 1c4e8d74b4bb2e06b6e934be7e3503fb12038f8a Mon Sep 17 00:00:00 2001
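Review bot: `FROM alpine:3.20` is referenced by tag only, so each monthly rebuild starts from whatever layers the registry serves that day and nothing in the repository records which base a given `vX.Y.Z` push was built from; pin the digest as well, `FROM alpine:3.20@sha256:<digest>`, since Dependabot bumps digests for Docker too, which gives the reproducibility the commit message is after while `apk upgrade` still pulls patched packages. In the same `RUN`, `apk update` plus the trailing `rm -rf /var/cache/apk/*` exist only to manage the index cache; `&& apk upgrade --no-cache \` in place of the `apk update`/`apk upgrade` pair lets both be dropped, leaving one less thing to forget if the chain is edited again. Because the dropped base image's contents are not visible here, I would confirm that `rsync`, `openssh-client-default` and `sshpass` cover every binary the scripts under `/utils` call before this ships; the rest of the Dockerfile continues past `COPY utils /utils` outside this hunk.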
From: Andrew Matthews
Date: Tue, 30 Dec 2025 12:26:55 -0500
Subject: [PATCH 3/3] Update documentation
---
DEVELOPMENT.md | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 2d4dc16..4fdf2f7 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -38,15 +38,35 @@ Any other customizations that are uniquely required can be added to the Dockerfi ## Updating the Docker Image -The `latest` Docker Image will be updated automatically after merging into the `main` branch. -`wpengine/site-deploy:latest` +### Automatic Builds +Docker images are built and pushed automatically: -A versioned Docker Image will be automatically generated for each release of this repository, based on the tag name -`wpengine/site-deploy:{tagName}` +| Trigger | Tags Updated | Source | +|---------|--------------|--------| +| Push to `main` | `latest` | Docker Hub Autobuild | +| New version release | `latest`, `vX`, `vX.Y`, `vX.Y.Z` | Docker Hub Autobuild | +| Monthly schedule (1st of month) | `latest`, `vX`, `vX.Y`, `vX.Y.Z` | GitHub Actions | -Additional Docker Images will be automatically generated for each branch to use in testing. -`wpengine/site-deploy:branch-{branchName}` +The scheduled monthly rebuild ensures security patches are applied even when there are no new releases. This workflow uses `no-cache` to pull fresh base image layers. + +### Base Image Maintenance + +The Dockerfile uses Alpine Linux as its base image. The base image follows this update pattern: + +- **Dependabot** monitors for new Alpine versions and creates PRs automatically +- **Scheduled rebuilds** pick up security patches from `apk upgrade` monthly +- Alpine releases new versions every 6 months (roughly June and December) + +When Dependabot opens a PR for a new Alpine version: + +1. Review the [Alpine release notes](https://alpinelinux.org/releases/) for breaking changes +2. Add a changeset to the PR (`npx changeset`) so a proper release is created when merged +3. Merge the PR to trigger a new versioned release + +### Docker Hub + +Images are published to DockerHub: [wpengine/site-deploy](https://hub.docker.com/r/wpengine/site-deploy) ## Manually updating the Docker Image