chore: keep all agentbbs services on latest software #69
Merged
Conversation
The deploy/mailu compose stack pins the floating series tags (ghcr.io/mailu/*:2024.06); patch releases within the series only land when someone runs `docker compose pull`, so the box drifts behind on security fixes. Add a scheduled (weekly) + on-demand workflow that SSHes to the droplet (reusing deploy.yml's DEPLOY_* secrets), backs up DKIM keys + the admin DB, pulls the latest images for the pinned series, recreates the containers, and health-checks the Mailu front on 127.0.0.1:8080. Shares deploy.yml's concurrency group so it never races a code deploy. Stays within the pinned series on purpose — crossing to a future series stays a deliberate PR.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
vu1nz Security Review: 0 finding(s) in PR #? No security issues found.
Audit of every version pin in the repo: Ergo (2.18.0), Go (1.26 → latest patch via setup-go), the Ubuntu pod base (24.04 LTS), and the GitHub Action majors are all already current. Only Forgejo was stale — bump 11.0.1 → 11.0.15 (latest patch of the 11.x LTS line; a 15.x major stays a deliberate, tested upgrade because of DB migrations). Add .github/dependabot.yml so github-actions, Go modules, and the Docker image tags (Mailu compose + pod Containerfile) get review-gated update PRs weekly. Shell-string pins (FORGEJO_VERSION/ERGO_VERSION in setup.sh) can't be watched by Dependabot; noted inline. Mailu runtime patch level is handled by the mailu-update workflow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Plus-addressing (chovy+tag@ -> chovy@) is a hard prerequisite for qaaas.dev's packages/mail but was missing from the example, so tagged mail bounces as an unknown recipient until an operator sets it by hand. Add it with a note that it governs DELIVERY only, not login (Mailu auths the exact address; base <name>@ is the single login and already receives all +tagged mail).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Keeps every version-pinned piece of agentbbs current — both the running services and the source pins — after an audit of the whole repo.
Audit result
| Component | Pinned in | Version | Note |
|---|---|---|---|
| Mailu | deploy/mailu/*.yml | 2024.06 | floating series |
| Forgejo | setup.sh | 11.0.1 → 11.0.15 | latest 11.x LTS patch |
| Ergo | setup.sh | 2.18.0 | |
| Go | go.mod / CI | 1.26 → 1.26 | auto-resolves to latest patch (go1.26.4) — no change |
| Ubuntu pod base | | 24.04 | |
| GitHub Action majors | | @v4/@v5/@v7 | |

What's in this PR
- .github/workflows/mailu-update.yml — scheduled (weekly) + workflow_dispatch action that SSHes to the droplet (reusing deploy.yml's DEPLOY_* secrets), backs up DKIM keys + admin DB, docker compose pulls the Mailu stack to the latest patch of the pinned series, recreates, and health-checks the front on 127.0.0.1:8080. Shares deploy.yml's concurrency group so it never races a code deploy.
- Forgejo 11.0.1 → 11.0.15 in setup.sh — in-LTS-line patch bump (a 15.x major stays a separate, tested upgrade because of DB migrations).
- .github/dependabot.yml — weekly, review-gated update PRs for github-actions, Go modules, and Docker image tags (Mailu compose + pod Containerfile). Nothing auto-merges.

Deliberately not auto-bumped
- Mailu to a newer series (2025.xx series) — those carry DB/config migrations and stay reviewed PRs.
- Shell-string pins in setup.sh (FORGEJO_VERSION/ERGO_VERSION) can't be watched by Dependabot; switch to Renovate later if you want those automated too.

After merge
- Dispatching mailu-update moves the droplet from 2024.06.<old> to 2024.06.53 immediately.
- The next fresh droplet bootstrap (setup.sh) installs Forgejo 11.0.15.

🤖 Generated with Claude Code
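The droplet-side steps the mailu-update workflow runs over SSH (refuse to leave the pinned series, back up DKIM keys and the admin DB, pull, recreate, health-check the front on 127.0.0.1:8080), as an added example that is not the PR's own workflow. It assumes a MAILU_DIR with dkim/ and data/ subdirectories, a BACKUP_ROOT, and compose lines written literally as `image: ghcr.io/mailu/<name>:<tag>`; none of those paths come from the PR.

```shell
#!/bin/sh
# Remote half of a mailu-update run: added example, not the PR's own workflow.
# Assumed (not in the PR): MAILU_DIR, its dkim/ and data/ subdirectories, BACKUP_ROOT,
# and that compose image lines read literally "image: ghcr.io/mailu/<name>:<tag>".
set -eu
MAILU_DIR="${MAILU_DIR:-/srv/agentbbs/deploy/mailu}"
PINNED_SERIES="${PINNED_SERIES:-2024.06}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/mailu}"
# in_pinned_series TAG SERIES: true if TAG is SERIES itself or a patch of it (SERIES.N)
in_pinned_series() { case "$1" in "$2"|"$2".[0-9]*) return 0 ;; *) return 1 ;; esac; }
# image_tags FILE: print the tag of every ghcr.io/mailu/* image line in FILE
image_tags() { sed -n 's#^[[:space:]]*image:[[:space:]]*ghcr\.io/mailu/[^:]*:\([^[:space:]]*\).*#\1#p' "$1"; }

# check_compose_series FILE SERIES: fail if any Mailu tag would leave SERIES, or if
# no literal tag is present (a ${MAILU_VERSION}-style tag cannot be checked this way)
check_compose_series() {
  tags=$(image_tags "$1"); rc=0
  [ -n "$tags" ] || { echo "no ghcr.io/mailu image lines in $1" >&2; return 1; }
  for tag in $tags; do
    in_pinned_series "$tag" "$2" || { echo "tag $tag is outside series $2" >&2; rc=1; }
  done
  return "$rc"
}

# backup_state: DKIM private keys and the admin DB; losing either breaks mail flow
backup_state() {
  dest="$BACKUP_ROOT/$(date +%Y%m%dT%H%M%S)"; mkdir -p "$dest"
  tar -C "$MAILU_DIR" -czf "$dest/dkim-and-admin.tgz" dkim data
  echo "$dest"
}

# wait_healthy URL [ATTEMPTS]: true once the front answers, polling every 2 s
wait_healthy() {
  i=1
  while [ "$i" -le "${2:-30}" ]; do
    curl -fsS -o /dev/null "$1" && return 0
    i=$((i + 1)); sleep 2
  done
  return 1
}
main() {
  cd "$MAILU_DIR"
  check_compose_series "${COMPOSE_FILE:-docker-compose.yml}" "$PINNED_SERIES"  # refuse to cross series
  backup_state
  docker compose pull                       # latest patch within the pinned series
  docker compose up -d --remove-orphans     # recreate only containers whose image changed
  wait_healthy http://127.0.0.1:8080/ || { echo "front unhealthy after update" >&2; exit 1; }
}
if [ "${1:-}" = run ]; then main; fi
```

Invoke as `sh mailu-update.sh run` on the droplet; without the argument it only defines the functions, so the series check can be exercised on a compose file without touching Docker.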