OpenVoxProject
diff --git a/‎.github/workflows/build_container.yml‎
Lines changed: 43 additions & 82 deletions b/‎.github/workflows/build_container.yml‎
Lines changed: 43 additions & 82 deletions
diff --git a/‎.github/workflows/ci.yaml‎
Lines changed: 23 additions & 22 deletions b/‎.github/workflows/ci.yaml‎
Lines changed: 23 additions & 22 deletions
diff --git a/‎.github/workflows/security_scanning.yml‎
Lines changed: 20 additions & 18 deletions b/‎.github/workflows/security_scanning.yml‎
Lines changed: 20 additions & 18 deletions
diff --git a/‎Containerfile‎
Lines changed: 6 additions & 3 deletions b/‎Containerfile‎
Lines changed: 6 additions & 3 deletions
@@ -1,71 +1,64 @@
+---
 name: Build and publish a 🛢️ container
 
 on:
   push:
     branches:
       - 'main'
     tags:
-      - '*'
+      - 'v*'
   workflow_dispatch:
 
+concurrency:
+  group: build-and-publish-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
     outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
+      tag_matrix: ${{ steps.set-tag-matrix.outputs.tag_matrix }}
     steps:
       - name: Source checkout
         uses: actions/checkout@v6
 
       - name: 'Setup yq'
         uses: dcarbone/install-yq-action@v1.3.1
 
-      - id: set-matrix
-        run: echo "matrix=$(yq -o json build_versions.yaml | jq -c)" >> $GITHUB_OUTPUT
+      - id: set-build-matrix
+        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT
 
-  build-X86-container:
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-      packages: write
-    needs: setup-matrix
-    strategy:
-      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
-    steps:
-      - name: Build OpenVox Server ${{ matrix.release }} container
-        uses: voxpupuli/gha-build-and-publish-a-container@v2
-        with:
-          registry_password: ${{ secrets.GITHUB_TOKEN }}
-          build_args: |
-            OPENVOX_RELEASE=${{ matrix.release }}
-            OPENVOXAGENT_VERSION=${{ matrix.agent_version }}
-          build_arch: linux/amd64
-          build_context: .
-          buildfile: Containerfile
-          tags: |
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
+      - id: set-tag-matrix
+        run: echo "tag_matrix=$(bash matrix.sh tag)" >> $GITHUB_OUTPUT
 
-  build-ARM-container:
-    runs-on: ubuntu-24.04-arm
+  build-and-push-container:
+    runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
       packages: write
     needs: setup-matrix
     strategy:
-      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
     steps:
-      - name: Build OpenVox Server ${{ matrix.release }} container
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build ${{ matrix.platform }} container
         uses: voxpupuli/gha-build-and-publish-a-container@v2
         with:
           registry_password: ${{ secrets.GITHUB_TOKEN }}
           build_args: |
             OPENVOX_RELEASE=${{ matrix.release }}
             OPENVOXAGENT_VERSION=${{ matrix.agent_version }}
-          build_arch: linux/arm64
+          build_arch: linux/${{ matrix.platform }}
           build_context: .
           buildfile: Containerfile
-          tags: |
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64
+          # tag will look like: ghcr.io/openvoxproject/openvoxagent:8-<sha>-amd64
+          tags: ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-${{ matrix.platform }}
 
   create-multi-arch-manifests:
     runs-on: ubuntu-latest
@@ -74,10 +67,9 @@ jobs:
       packages: write
     needs:
       - setup-matrix
-      - build-X86-container
-      - build-ARM-container
+      - build-and-push-container
     strategy:
-      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.tag_matrix) }}
     steps:
       - name: Log in to the ghcr.io registry
         uses: docker/login-action@v4
@@ -93,57 +85,26 @@ jobs:
           username: voxpupulibot
           password: ${{ secrets.DOCKERHUB_BOT_ADMIN_TOKEN }}
 
-      - name: Extract version number
-        id: extract_version
-        uses: actions/github-script@v9
-        with:
-          script: |
-            const agentVersion = '${{ matrix.agent_version }}';
-            const version = agentVersion.split('-')[0];
-            core.setOutput('version', version);
-
-      - name: Create multi arch manifests
+      - name: Create ref-specific multi-arch manifests
         run: |
-          docker buildx imagetools create -t ghcr.io/openvoxproject/openvoxagent:${{ steps.extract_version.outputs.version }}-${{ github.ref_name }} \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
-
-          docker buildx imagetools create -t ghcr.io/openvoxproject/openvoxagent:${{ steps.extract_version.outputs.version }}-latest \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
-
-          docker buildx imagetools create -t ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-latest \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
-
-          docker buildx imagetools create -t ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }} \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
-
-          docker buildx imagetools create -t ghcr.io/openvoxproject/openvoxagent:latest \
+          docker buildx imagetools create \
+            -t ghcr.io/openvoxproject/openvoxagent:${{ matrix.agent_semver }}-${{ github.ref_name }} \
+            -t ghcr.io/openvoxproject/openvoxagent:${{ matrix.agent_semver }} \
+            -t ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }} \
+            -t docker.io/voxpupuli/openvoxagent:${{ matrix.agent_semver }}-${{ github.ref_name }} \
+            -t docker.io/voxpupuli/openvoxagent:${{ matrix.agent_semver }} \
+            -t docker.io/voxpupuli/openvoxagent:${{ matrix.release }} \
             ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
+            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-amd64
 
-          # on docker.io we use the voxpupuli namespace because new organizations are not free anymore
-          docker buildx imagetools create -t docker.io/voxpupuli/openvoxagent:${{ steps.extract_version.outputs.version }}-${{ github.ref_name }} \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
-
-          docker buildx imagetools create -t docker.io/voxpupuli/openvoxagent:${{ steps.extract_version.outputs.version }}-latest \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
-
-          docker buildx imagetools create -t docker.io/voxpupuli/openvoxagent:${{ matrix.release }}-latest \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
-
-          docker buildx imagetools create -t docker.io/voxpupuli/openvoxagent:${{ matrix.release }} \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
-
-          docker buildx imagetools create -t docker.io/voxpupuli/openvoxagent:latest \
+      - name: Update floating multi-arch tags
+        if: github.ref == 'refs/heads/main'
+        run: |
+          docker buildx imagetools create \
+            -t ghcr.io/openvoxproject/openvoxagent:latest \
+            -t docker.io/voxpupuli/openvoxagent:latest \
             ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-arm64 \
-            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-x86_64
+            ghcr.io/openvoxproject/openvoxagent:${{ matrix.release }}-${{ github.sha }}-amd64
 
   update-dockerhub-description:
     runs-on: ubuntu-latest
 
@@ -1,60 +1,60 @@
 ---
-name: CI🚦
+name: 🚦 CI
 
 on:
   pull_request:
     branches:
       - 'main'
   workflow_dispatch:
 
+concurrency:
+  group: ci-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
     outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
     steps:
       - name: Source checkout
         uses: actions/checkout@v6
 
       - name: 'Setup yq'
         uses: dcarbone/install-yq-action@v1.3.1
 
-      - id: set-matrix
-        run: echo "matrix=$(yq -o json build_versions.yaml | jq -c)" >> $GITHUB_OUTPUT
+      - id: set-build-matrix
+        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT
 
-  build_test_container:
-    name: 'Build test container'
-    runs-on: ubuntu-latest
+  build_ci_container:
+    name: Build ${{ matrix.platform }} CI container
+    runs-on: ${{ matrix.runner }}
     needs: setup-matrix
     strategy:
-      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+      fail-fast: false
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: Extract version number
-        id: extract_version
-        uses: actions/github-script@v9
-        with:
-          script: |
-            const agentVersion = '${{ matrix.agent_version }}';
-            const version = agentVersion.split('-')[0];
-            core.setOutput('version', version);
-
-      - name: Build image
+      - name: Build ${{ matrix.platform }} CI container
         uses: docker/build-push-action@v7
         with:
-          tags: 'ci/openvoxagent:${{ steps.extract_version.outputs.version }}'
+          tags: ci/openvoxagent:${{ matrix.agent_semver }}-${{ matrix.platform }}
           context: .
           file: Containerfile
           push: false
+          platforms: linux/${{ matrix.platform }}
           build-args: |
             OPENVOX_RELEASE=${{ matrix.release }}
             OPENVOXAGENT_VERSION=${{ matrix.agent_version }}
 
   tests:
     needs:
-      - build_test_container
+      - build_ci_container
     runs-on: ubuntu-latest
     name: Test suite
     steps:
@@ -63,11 +63,12 @@ jobs:
   dependabot:
     permissions:
       contents: write
+      pull-requests: write
     name: 'Dependabot auto-merge'
     needs:
       - tests
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}
+    if: github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'
     steps:
       - name: Dependabot metadata
         id: metadata
@@ -79,4 +80,4 @@ jobs:
         run: gh pr merge --auto --merge "$PR_URL"
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
@@ -9,51 +9,52 @@ on:
     branches:
       - main
 
+concurrency:
+  group: security-scanning-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read # minimal required permissions to clone repo
+
 jobs:
   setup-matrix:
     runs-on: ubuntu-latest
     outputs:
-      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
     steps:
       - name: Source checkout
         uses: actions/checkout@v6
 
       - name: 'Setup yq'
         uses: dcarbone/install-yq-action@v1.3.1
 
-      - id: set-matrix
-        run: echo "matrix=$(yq -o json build_versions.yaml | jq -c)" >> $GITHUB_OUTPUT
+      - id: set-build-matrix
+        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT
 
   scan_ci_container:
-    name: 'Scan CI container'
-    runs-on: ubuntu-latest
+    name: 'Scan ${{ matrix.platform }} CI container'
+    runs-on: ${{ matrix.runner }}
     permissions:
       actions: read
       contents: read
       security-events: write
     needs: setup-matrix
     strategy:
-      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+      fail-fast: false
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: Extract version number
-        id: extract_version
-        uses: actions/github-script@v9
-        with:
-          script: |
-            const agentVersion = '${{ matrix.agent_version }}';
-            const version = agentVersion.split('-')[0];
-            core.setOutput('version', version);
-
-      - name: Build CI container
+      - name: Build ${{ matrix.platform }} CI container
         uses: docker/build-push-action@v7
         with:
-          tags: 'ci/openvoxagent:${{ steps.extract_version.outputs.version }}'
+          tags: ci/openvoxagent:${{ matrix.agent_semver }}-${{ matrix.platform }}
           context: .
           file: Containerfile
+          load: true
           push: false
+          platforms: linux/${{ matrix.platform }}
           build-args: |
             OPENVOX_RELEASE=${{ matrix.release }}
             OPENVOXAGENT_VERSION=${{ matrix.agent_version }}
@@ -62,7 +63,7 @@ jobs:
         uses: anchore/scan-action@v7
         id: scan
         with:
-          image: 'ci/openvoxagent:${{ steps.extract_version.outputs.version }}'
+          image: 'ci/openvoxagent:${{ matrix.agent_semver }}-${{ matrix.platform }}'
           fail-build: false
 
       - name: Inspect action SARIF report
@@ -72,3 +73,4 @@ jobs:
         uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+          category: grype-${{ matrix.platform }}
@@ -1,10 +1,13 @@
-FROM ubuntu:26.04
+ARG UBUNTU_VERSION=26.04
 
+FROM ubuntu:${UBUNTU_VERSION} AS base
+
+ARG UBUNTU_VERSION
 ARG OPENVOX_RELEASE=8
 ARG OPENVOX_USER_UID=999
 ARG OPENVOX_USER_GID=999
-ARG UBUNTU_VERSION=24.04
-ARG OPENVOXAGENT_VERSION=8.11.0-1+ubuntu${UBUNTU_VERSION}
+# renovate: datasource=deb depName=openvox-agent openVoxRelease=8
+ARG OPENVOXAGENT_VERSION=8.28.0-1+ubuntu26.04
 ARG OPENVOX_RELEASE_PACKAGE=openvox${OPENVOX_RELEASE}-release-ubuntu${UBUNTU_VERSION}.deb
 
 ADD https://apt.voxpupuli.org/${OPENVOX_RELEASE_PACKAGE} /