Skip to content

Decouple security releases from MUSL builds #2353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ItsHarta wants to merge 6 commits into
base: main
Choose a base branch
from
+69 −15
Open

Decouple security releases from MUSL builds #2353

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f819843
attempt to split alpine version checking for builds
ItsHarta Jan 14, 2026
3dbbef0
improve logic
ItsHarta Jan 15, 2026
2bd4f4f
update variable names
ItsHarta Jan 15, 2026
faebb3d
trim whitespaces
ItsHarta Jan 15, 2026
b687765
fix incorrect behavior for -s and [variants] parameter
ItsHarta Jan 15, 2026
dd0693d
trim whitespaces
ItsHarta Jan 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
69 changes: 55 additions & 14 deletions build-automation.mjs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,12 +17,22 @@ const checkIfThereAreNewVersions = async (github) => {

for (let supportedVersion of supportedVersions) {
const { stdout } = await exec(`ls ${supportedVersion}`);
const baseVersions = stdout.trim().split("\n");

const { stdout: fullVersionOutput } = await exec(`. ./functions.sh && get_full_version ./${supportedVersion}/${stdout.trim().split("\n")[0]}`, { shell: "bash" });
const standardVersion = baseVersions.find(v => !v.startsWith("alpine"));
const { stdout: standardVersionOutput } = await exec(`. ./functions.sh && get_full_version ./${supportedVersion}/${standardVersion}`, { shell: "bash" });

console.log(fullVersionOutput);
const alpineVersion = baseVersions.find(v => v.startsWith("alpine"));
const { stdout: alpineVersionOutput } = await exec(`. ./functions.sh && get_full_version ./${supportedVersion}/${alpineVersion}`, { shell: "bash" });
Comment on lines +22 to +26
Copy link

Copilot AI Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code assumes both a standard variant and an alpine variant exist for every supported version. If either standardVersion or alpineVersion is undefined (from the find operations), the subsequent exec calls will fail with an error. Consider adding error handling to check if these variants exist before attempting to get their versions, or provide fallback behavior.

Copilot uses AI. Check for mistakes.
Comment on lines +22 to +26
Copy link

Copilot AI Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code queries the full version for both standard and alpine variants separately for every supported version (lines 22-26). This results in two exec calls per version (4 total for a typical repo with versions 20, 22, 24, 25). While this is functional, it could be more efficient to read the version information in a single pass or cache the results. However, given that this runs in an automated workflow and the number of versions is small, this is a minor performance consideration and doesn't need to be addressed unless the number of versions grows significantly.

Copilot uses AI. Check for mistakes.

latestSupportedVersions[supportedVersion] = { fullVersion: fullVersionOutput.trim() };
const fullVersion = { main : standardVersionOutput.trim(), alpine: alpineVersionOutput.trim() };
console.log(`${supportedVersion}: main=${fullVersion.main}, alpine=${fullVersion.alpine}`);

latestSupportedVersions[supportedVersion] = {
fullVersion: fullVersion.main,
alpineVersion: fullVersion.alpine,
alpineIsBehind: fullVersion.main !== fullVersion.alpine
};
}

const { data: availableVersionsJson } = await github.request('https://nodejs.org/download/release/index.json');
Expand All @@ -39,9 +49,25 @@ const checkIfThereAreNewVersions = async (github) => {
if (latestSupportedVersions[availableMajor] == null) {
continue;
}
const [_latestMajor, latestMinor, latestPatch] = latestSupportedVersions[availableMajor].fullVersion.split(".");
if (latestSupportedVersions[availableMajor] && (Number(availableMinor) > Number(latestMinor) || (availableMinor === latestMinor && Number(availablePatch) > Number(latestPatch)))) {
filteredNewerVersions[availableMajor] = { fullVersion: `${availableMajor}.${availableMinor}.${availablePatch}` };

const supported = latestSupportedVersions[availableMajor];
const [_latestMajor, latestMinor, latestPatch] = supported.fullVersion.split(".");
const [_alpineMajor, alpineMinor, alpinePatch] = supported.alpineVersion.split(".");

const availableFullVersion = `${availableMajor}.${availableMinor}.${availablePatch}`;

const newMainline = Number(availableMinor) > Number(latestMinor) || (availableMinor === latestMinor && Number(availablePatch) > Number(latestPatch));
const newAlpine = Number(availableMinor) > Number(alpineMinor) || (availableMinor === alpineMinor && Number(availablePatch) > Number(alpinePatch));

const isCatchup = supported.alpineIsBehind && newAlpine && availableFullVersion === supported.fullVersion;

// Alpine will be always behind or equal to main
// So if main is new version, then alpineOnly is always false. And vice versa
if (newMainline || isCatchup) {
filteredNewerVersions[availableMajor] = {
fullVersion: availableFullVersion,
alpineOnly: !newMainline
};
Comment on lines +59 to +70
Copy link

Copilot AI Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The assumption that alpine versions are "always behind or equal to mainline" is documented in the PR description but not enforced or validated in the code. If this assumption is violated (e.g., due to manual changes or errors), the logic in lines 59-70 could produce incorrect results. Consider adding a validation check or assertion that alpine version is not ahead of the main version, or at minimum document this assumption in a code comment near the version comparison logic.

Copilot uses AI. Check for mistakes.
}
}

Expand Down Expand Up @@ -87,16 +113,31 @@ export default async function(github) {
} else {
const newVersions = await checkForMuslVersionsAndSecurityReleases(github, versions);
let updatedVersions = [];

for (const [version, newVersion] of Object.entries(newVersions)) {
if (newVersion.muslBuildExists) {
const { stdout } = await exec(`./update.sh ${newVersion.isSecurityRelease ? "-s " : ""}${version}`);
console.log(stdout);
updatedVersions.push(newVersion.fullVersion);
} else {
console.log(`There's no musl build for version ${newVersion.fullVersion} yet.`);
process.exit(0);
}
const { fullVersion, muslBuildExists, isSecurityRelease, alpineOnly } = newVersion;
// If MUSL is available: build everything (new versions) or alpine only (catch-up)
if (muslBuildExists) {
const updateScope = alpineOnly ? "alpine" : "";

console.log(`MUSL available. Updating ${fullVersion} ${updateScope}.`.trim());
const { stdout } = await exec(`./update.sh ${version} ${updateScope}`.trim());
console.log(stdout);

updatedVersions.push(`${fullVersion} ${updateScope}`.trim());
// Security release: no MUSL build
} else if (isSecurityRelease && !alpineOnly) {
console.log(`Updating ${fullVersion} for non-alpine.`);

const { stdout } = await exec(`./update.sh -s ${version}`);
console.log(stdout);

updatedVersions.push(`${fullVersion} (non-alpine)`);
} else {
console.log(`No MUSL build for ${fullVersion} yet.`);
}
}

const { stdout } = (await exec(`git diff`));
console.log(stdout);

Expand Down
2 changes: 1 addition & 1 deletion functions.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ function get_variants() {
if [ ${#variantsfilter[@]} -gt 0 ]; then
for variant1 in "${availablevariants[@]}"; do
for variant2 in "${variantsfilter[@]}"; do
if [ "${variant1}" = "${variant2}" ]; then
if [[ "${variant1}" =~ ^"${variant2}" ]]; then
variants+=("${variant1}")
Comment on lines +72 to 73
Copy link

Copilot AI Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The regex pattern change from equality check to prefix match using =~ enables "alpine" to match both "alpine3.22" and "alpine3.23", which is the intended behavior. However, this also changes existing behavior: "bookworm" will now match both "bookworm" and "bookworm-slim", and "bullseye" will match both "bullseye" and "bullseye-slim". The PR description mentions this is "to accommodate sub-variants (such as -slim)", suggesting this may be intentional. However, this is a breaking change from the previous behavior where you could select only the base variant without its -slim counterpart. Consider whether this is acceptable or if a more precise pattern is needed (e.g., matching "alpine" or ending with a digit for alpine variants specifically).

Suggested change
if [[ "${variant1}" =~ ^"${variant2}" ]]; then
variants+=("${variant1}")
if [[ "${variant2}" == "alpine" ]]; then
# Special handling for alpine: allow matching alpine sub-variants like alpine3.22
if [[ "${variant1}" =~ ^alpine[0-9] ]]; then
variants+=("${variant1}")
fi
else
# For non-alpine variants, require an exact match to avoid unintended prefix matches
if [[ "${variant1}" == "${variant2}" ]]; then
variants+=("${variant1}")
fi

Copilot uses AI. Check for mistakes.
fi
done
Expand Down
13 changes: 13 additions & 0 deletions update.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,6 +131,14 @@ function update_node_version() {

nodeVersion="${version}.${fullVersion:-0}"

# preserve the existing YARN_VERSION
if [ "${SKIP}" = true ] && [ -f "${dockerfile}" ]; then
existing_yarn_version=$(grep -m1 'ENV YARN_VERSION=' "${dockerfile}" | cut -d'=' -f2 || echo "")
if [ -n "${existing_yarn_version}" ]; then
sed -Ei -e 's/^(ENV YARN_VERSION)=.*/\1='"${existing_yarn_version}"'/' "${dockerfile}-tmp"
fi
fi

sed -Ei -e 's/^FROM (.*)/FROM '"$fromprefix"'\1/' "${dockerfile}-tmp"
sed -Ei -e 's/^(ENV NODE_VERSION)=.*/\1='"${nodeVersion}"'/' "${dockerfile}-tmp"

Expand Down Expand Up @@ -208,6 +216,11 @@ for version in "${versions[@]}"; do
# Skip non-docker directories
[ -f "${version}/${variant}/Dockerfile" ] || continue

# Skip alpine variants when SKIP is true
if [ "${SKIP}" = true ] && is_alpine "${variant}"; then
Copy link

Copilot AI Jan 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When SKIP is true (security update without MUSL), alpine variants are skipped at lines 219-222. However, this creates an edge case: if the update.sh script is run with -s flag AND a version number but the alpine variant for that version is already behind, it will remain behind. The script doesn't provide any indication to the user that alpine variants were skipped. Consider adding a log message when alpine variants are skipped due to the SKIP flag, to make it clear to operators that these variants need to be updated separately later when MUSL builds become available.

Suggested change
if [ "${SKIP}" = true ] && is_alpine "${variant}"; then
if [ "${SKIP}" = true ] && is_alpine "${variant}"; then
info "SKIP=true; skipping alpine variant '${variant}' for version '${versionnum}' (will need updating once MUSL builds are available)"

Copilot uses AI. Check for mistakes.
continue
fi

update_variant=$(in_variants_to_update "${variant}")
template_file="${parentpath}/Dockerfile-${variant}.template"

Expand Down
Loading