chore: keep all agentbbs services on latest software #69

Merged: ralyodio merged 3 commits into main from chore/mailu-auto-update on Jul 1, 2026

ralyodio commented Jul 1, 2026


Keeps every version-pinned piece of agentbbs current — both the running services and the source pins — after an audit of the whole repo.

Audit result

| Component | Was | Action |
| --- | --- | --- |
| Mailu (deploy/mailu/*.yml) | 2024.06 floating series | new workflow pulls the latest patch weekly/on-demand |
| Forgejo (setup.sh) | 11.0.1 | bumped → 11.0.15 (latest 11.x LTS patch) |
| Ergo (setup.sh) | 2.18.0 | already latest — no change |
| Go (go.mod / CI) | 1.26 | CI's 1.26 auto-resolves to latest patch (go1.26.4) — no change |
| Ubuntu pod base | 24.04 | current LTS — no change |
| GitHub Actions | @v4/@v5/@v7 | current majors — Dependabot keeps them patch-current |

What's in this PR

  1. .github/workflows/mailu-update.yml — scheduled (weekly) + workflow_dispatch action that SSHes to the droplet (reusing deploy.yml's DEPLOY_* secrets), backs up DKIM keys + admin DB, docker compose pulls the Mailu stack to the latest patch of the pinned series, recreates, and health-checks the front on 127.0.0.1:8080. Shares deploy.yml's concurrency group so it never races a code deploy.
  2. Forgejo 11.0.1 → 11.0.15 in setup.sh — in-LTS-line patch bump (a 15.x major stays a separate, tested upgrade because of DB migrations).
  3. .github/dependabot.yml — weekly, review-gated update PRs for github-actions, Go modules, and Docker image tags (Mailu compose + pod Containerfile). Nothing auto-merges.

Deliberately not auto-bumped

  • Major version jumps (Forgejo 15.x, a future Mailu 2025.xx series) — those carry DB/config migrations and stay reviewed PRs.
  • Shell-string pins in setup.sh (FORGEJO_VERSION/ERGO_VERSION) can't be watched by Dependabot; switch to Renovate later if you want those automated too.

After merge

  • Actions → mailu-update → Run workflow to bring the box from 2024.06.<old> to 2024.06.53 immediately.
  • The next deploy (setup.sh) installs Forgejo 11.0.15.

🤖 Generated with Claude Code
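
The description above notes that the shell-string pins in setup.sh (FORGEJO_VERSION/ERGO_VERSION) are outside Dependabot's reach. The following is an added example, not code from this PR or repository, of a drift check for such pins that proposes only in-series patch bumps and reports anything outside the series for review. The setup.sh excerpt, the release lists, and the function names are constructed assumptions, as is treating "series" as the major.minor prefix.

```python
import re

# Constructed stand-in for setup.sh: only the variable names and the two
# version numbers come from the PR text; the file layout is an assumption.
SETUP_SH = 'FORGEJO_VERSION="11.0.1"\nERGO_VERSION="2.18.0"\n'

# Constructed release lists (assumption). A real job would fetch these from
# each project's release feed instead of hard-coding them.
RELEASES = {
    "FORGEJO_VERSION": ["11.0.1", "11.0.9", "11.0.15", "15.0.0"],
    "ERGO_VERSION": ["2.17.0", "2.18.0"],
}

PIN_RE = re.compile(
    r"""^[ \t]*(?:export[ \t]+)?(\w+_VERSION)=["']?v?(\d+(?:\.\d+)+)""", re.M)


def parse(version):
    """'11.0.15' -> (11, 0, 15), so 11.0.15 sorts above 11.0.9."""
    return tuple(int(part) for part in version.split("."))


def read_pins(text):
    """Extract NAME_VERSION="x.y.z" shell assignments from a script."""
    return dict(PIN_RE.findall(text))


def audit(pins, releases):
    """Per pin: newest patch inside the pinned major.minor series, plus any
    releases outside that series, which are only reported for review."""
    report = {}
    for name, pinned in pins.items():
        cur = parse(pinned)
        known = sorted({parse(r) for r in releases.get(name, [])})
        patches = [r for r in known if r[:2] == cur[:2] and r > cur]
        outside = [r for r in known if r[:2] > cur[:2]]
        fmt = lambda t: ".".join(map(str, t))
        report[name] = {
            "pinned": pinned,
            "patch_target": fmt(patches[-1]) if patches else None,
            "needs_review": [fmt(r) for r in outside],
        }
    return report


if __name__ == "__main__":
    for name, row in audit(read_pins(SETUP_SH), RELEASES).items():
        print(name, row)
```

Versions are compared as integer tuples because a plain string comparison would rank 11.0.9 above 11.0.15 and miss the newer patch.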

The deploy/mailu compose stack pins the floating series tags
(ghcr.io/mailu/*:2024.06); patch releases within the series only land when
someone runs `docker compose pull`, so the box drifts behind on security fixes.

Add a scheduled (weekly) + on-demand workflow that SSHes to the droplet
(reusing deploy.yml's DEPLOY_* secrets), backs up DKIM keys + the admin DB,
pulls the latest images for the pinned series, recreates the containers, and
health-checks the Mailu front on 127.0.0.1:8080. Shares deploy.yml's
concurrency group so it never races a code deploy. Stays within the pinned
series on purpose — crossing to a future series stays a deliberate PR.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

github-actions Bot commented Jul 1, 2026


vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

Audit of every version pin in the repo: Ergo (2.18.0), Go (1.26 → latest
patch via setup-go), the Ubuntu pod base (24.04 LTS), and the GitHub Action
majors are all already current. Only Forgejo was stale — bump 11.0.1 →
11.0.15 (latest patch of the 11.x LTS line; a 15.x major stays a deliberate,
tested upgrade because of DB migrations).

Add .github/dependabot.yml so github-actions, Go modules, and the Docker
image tags (Mailu compose + pod Containerfile) get review-gated update PRs
weekly. Shell-string pins (FORGEJO_VERSION/ERGO_VERSION in setup.sh) can't be
watched by Dependabot; noted inline. Mailu runtime patch level is handled by
the mailu-update workflow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ralyodio changed the title from "ci: add mailu-update workflow to keep the mail stack current" to "chore: keep all agentbbs services on latest software" Jul 1, 2026

Plus-addressing (chovy+tag@ -> chovy@) is a hard prerequisite for qaaas.dev's
packages/mail but was missing from the example, so tagged mail bounces as an
unknown recipient until an operator sets it by hand. Add it with a note that it
governs DELIVERY only, not login (Mailu auths the exact address; base <name>@
is the single login and already receives all +tagged mail).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
ralyodio merged commit 807ecf2 into main Jul 1, 2026
5 checks passed