Use uv instead of docker to run release-automation tool instead
Introduce more fine grained redis version (release_tag) handling
Rewrite release_build_and_test workflow to handle all sorts of notification routing:
- Route everything directly to requested thread for non regular releases
- Duplicate links to announcements in the requested thread in case of public releases
- Create release handle for all types of releases, the minimal version would contain only list of images that have been built
Ability to override release_branch in ensure-branch for testing purposes
Introduce validation of release_tag, release_type and run_type variables
That way the responsibility of identifying whether the release is public is on the caller side
In the workflow we only validate for obvious errors and incorrect values.
Flexible slack messaging and some release process modifications
Make REDIS_DOWNLOAD_SHA conditionally required
Installing clang that way hasn't been accepted by docker team as the apt source is nightly
This PR is intended to fix issues raised by the Docker team: docker-library/official-images#20699 (comment)

Templating for Dockerfiles
To enable custom builds, I introduced Dockerfile templating based on Jinja2. Since we already have a Python-based release-automation tool, this was implemented as a new render-dockerfile command.

Major changes:
- Redis versions are now declared in the .redis.version.json file, which is used as context for the templates
- Added Dockerfile.j2 templates for each distribution
- custom_build is no longer used as a Dockerfile ARG, but only as a Jinja2 template variable that enables certain sections in the Dockerfile
- Introduced an action that validates all Dockerfiles are in sync with their corresponding templates (with custom_build=false)
- Simplified the "apply docker version" action to use templating for updating Redis versions during releases
- Added ./bin/render-all-dockerfiles.sh script to help render all templates in various places

clang-21 issue
Reverted clang-21 source and installation, as there is no reliable way to install the latest version on Trixie.
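The templating flow described in the PR above, as an added example that is not the release-automation tool's own code: a Jinja2 render step that takes its context from a constructed stand-in for .redis.version.json, gates a section on custom_build as a template variable rather than a Dockerfile ARG, and the sync check that compares a committed Dockerfile with the template rendered at custom_build=false. The template text, the placeholder version values and the rule that the checksum must be present are assumptions of this example.

```python
import json
from jinja2 import Environment, StrictUndefined

# Constructed stand-in for .redis.version.json; the values are placeholders, not real release data.
VERSION_JSON = json.dumps({
    "REDIS_VERSION": "0.0.0-example",
    "REDIS_DOWNLOAD_URL": "https://example.invalid/redis-0.0.0-example.tar.gz",
    "REDIS_DOWNLOAD_SHA": "0" * 64,
})

# Constructed Dockerfile.j2 fragment: custom_build is only a template variable,
# so the rendered Dockerfile carries no ARG that a build could flip at build time.
TEMPLATE = """\
FROM debian:trixie-slim
ENV REDIS_VERSION={{ REDIS_VERSION }}
ENV REDIS_DOWNLOAD_URL={{ REDIS_DOWNLOAD_URL }}
ENV REDIS_DOWNLOAD_SHA={{ REDIS_DOWNLOAD_SHA }}
{% if custom_build %}
COPY ./redis-src /usr/src/redis
{% endif %}
RUN echo "$REDIS_DOWNLOAD_SHA *redis.tar.gz" | sha256sum -c -
"""


def load_context(version_json: str) -> dict:
    """Parse the version file; fail closed if the checksum is missing (example's own rule)."""
    ctx = json.loads(version_json)
    if not ctx.get("REDIS_DOWNLOAD_SHA"):
        raise ValueError("REDIS_DOWNLOAD_SHA is required so the download is verified")
    return ctx


def render_dockerfile(template: str, context: dict, custom_build: bool = False) -> str:
    """Render with StrictUndefined so a typo in the version file fails instead of emitting ''."""
    env = Environment(undefined=StrictUndefined, trim_blocks=True, lstrip_blocks=True)
    return env.from_string(template).render(**context, custom_build=custom_build)


def dockerfile_in_sync(committed: str, template: str, context: dict) -> bool:
    """The check the validation action performs: committed file == template at custom_build=false."""
    return committed == render_dockerfile(template, context, custom_build=False)
```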
🛡️ Jit Security Scan Results
🚨 Summary
• Shell injection vulnerability detected in GitHub Actions workflow
🔍 Findings
HIGH - 2 findings
1. Shell Injection Vulnerability in GitHub Actions
Remediation:
- run: |
- # Create release_info.json with all fields, then filter out empty ones
+ env:
+ GITHUB_CONTEXT: ${{ toJson(github) }}
+ run: |
+ # Create release_info.json with all fields, then filter out empty ones
+ GITHUB_CONTEXT="$GITHUB_CONTEXT"
2. Missing '--no-cache' Flag in 'apk add' Command
Remediation:
- RUN apk add --update ...
+ RUN apk add --no-cache --update ...
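Review bot: In the shell-injection remediation (finding 1), the added `GITHUB_CONTEXT="$GITHUB_CONTEXT"` line inside `run:` is a no-op self-assignment, and the hunk never shows the line that actually carries the risk, the place where the script interpolates `${{ toJson(github) }}` directly into shell text. Moving the context into `env:` is the right direction, but it only removes the injection if every such interpolation in the script is replaced by a quoted read of the variable, e.g. `printf '%s' "$GITHUB_CONTEXT" > release_info.json`, so that fields of the event payload such as branch names and PR titles reach the script as data instead of being parsed by the shell. Suggest including the removed `${{ }}` line in the diff and dropping the self-assignment.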
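Review bot: In the `apk add` remediation (finding 2), `--no-cache` and `--update` overlap: `--update` refreshes the local package index cache before installing, while `--no-cache` fetches the index for this invocation without reading or writing a local cache, which is what keeps index files out of the image layer. Suggest `RUN apk add --no-cache ...` on its own; keeping `--update` is harmless but suggests the cache is still in play.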
This includes all workflow changes from unstable, fixes and templating from #503 for release/8.4