pin stable Debian image too [ci skip]

Besides testing, it's used for daily glibc builds.

Also replace 'bookworm' with "stable" in descriptions.

It doesn't stricly follow debian:stable, for the sake of controlling
these bumps. For now it's still on bookworm, and will bump to trixie
in an upcoming commit.

Author: vszakats

.github/workflows/build.yml

@@ -167,8 +167,8 @@ jobs:
             *-*-linux*.*
             urls.txt
 
-  linux-glibc-debian-bookworm-llvm:
-    name: 'linux-glibc-debian-bookworm-llvm'
+  linux-glibc-debian-stable-llvm:
+    name: 'linux-glibc-debian-stable-llvm'
     runs-on: 'ubuntu-latest'
     timeout-minutes: 30
     steps:
@@ -183,31 +183,31 @@ jobs:
         run: |
           export CW_CONFIG="${GITHUB_REF_NAME}-werror-linux"
           export CW_REVISION="${GITHUB_SHA}"
-          DOCKER_IMAGE='debian:bookworm-slim'
+          . ./_versions.sh
           export CW_CCSUFFIX='-15'
           export CW_GCCSUFFIX='-12'
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE}"
+          time podman pull "${DOCKER_IMAGE_STABLE}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|COSIGN_|GITHUB_|DO_NOT_TRACK)') \
-            "${DOCKER_IMAGE}" \
+            "${DOCKER_IMAGE_STABLE}" \
             sh -c ./_ci-linux-debian.sh
 
       - name: 'list dependencies'
         run: cat urls.txt ./*-version-*.txt || true
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
-          name: 'curl-linux-glibc-debian-bookworm-llvm'
+          name: 'curl-linux-glibc-debian-stable-llvm'
           retention-days: ${{ github.ref_name == 'main' && 90 || 5 }}
           path: |
             *-*-linux*.*
             urls.txt
 
-  linux-glibc-debian-bookworm-gcc:
-    name: 'linux-glibc-debian-bookworm-gcc'
+  linux-glibc-debian-stable-gcc:
+    name: 'linux-glibc-debian-stable-gcc'
     runs-on: 'ubuntu-latest'
     timeout-minutes: 30
     steps:
@@ -222,24 +222,24 @@ jobs:
         run: |
           export CW_CONFIG="${GITHUB_REF_NAME}-werror-linux-gcc"
           export CW_REVISION="${GITHUB_SHA}"
-          DOCKER_IMAGE='debian:bookworm-slim'
+          . ./_versions.sh
           export CW_CCSUFFIX='-15'
           export CW_GCCSUFFIX='-12'
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE}"
+          time podman pull "${DOCKER_IMAGE_STABLE}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|COSIGN_|GITHUB_|DO_NOT_TRACK)') \
-            "${DOCKER_IMAGE}" \
+            "${DOCKER_IMAGE_STABLE}" \
             sh -c ./_ci-linux-debian.sh
 
       - name: 'list dependencies'
         run: cat urls.txt ./*-version-*.txt || true
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
-          name: 'curl-linux-glibc-debian-bookworm-gcc'
+          name: 'curl-linux-glibc-debian-stable-gcc'
           retention-days: ${{ github.ref_name == 'main' && 90 || 5 }}
           path: |
             *-*-linux*.*
@@ -319,8 +319,8 @@ jobs:
             *-*-linux*.*
             urls.txt
 
-  linux-musl-debian-bookworm-llvm:
-    name: 'linux-musl-debian-bookworm-llvm'
+  linux-musl-debian-stable-llvm:
+    name: 'linux-musl-debian-stable-llvm'
     runs-on: 'ubuntu-latest'
     timeout-minutes: 30
     steps:
@@ -335,31 +335,31 @@ jobs:
         run: |
           export CW_CONFIG="${GITHUB_REF_NAME}-werror-linux-musl"
           export CW_REVISION="${GITHUB_SHA}"
-          DOCKER_IMAGE='debian:bookworm-slim'
+          . ./_versions.sh
           export CW_CCSUFFIX='-15'
           export CW_GCCSUFFIX='-12'
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE}"
+          time podman pull "${DOCKER_IMAGE_STABLE}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|COSIGN_|GITHUB_|DO_NOT_TRACK)') \
-            "${DOCKER_IMAGE}" \
+            "${DOCKER_IMAGE_STABLE}" \
             sh -c ./_ci-linux-debian.sh
 
       - name: 'list dependencies'
         run: cat urls.txt ./*-version-*.txt || true
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
-          name: 'curl-linux-musl-debian-bookworm-llvm'
+          name: 'curl-linux-musl-debian-stable-llvm'
           retention-days: ${{ github.ref_name == 'main' && 90 || 5 }}
           path: |
             *-*-linux*.*
             urls.txt
 
-  linux-musl-debian-bookworm-gcc:
-    name: 'linux-musl-debian-bookworm-gcc'
+  linux-musl-debian-stable-gcc:
+    name: 'linux-musl-debian-stable-gcc'
     runs-on: 'ubuntu-latest'
     timeout-minutes: 30
     steps:
@@ -374,24 +374,24 @@ jobs:
         run: |
           export CW_CONFIG="${GITHUB_REF_NAME}-werror-linux-musl-gcc"
           export CW_REVISION="${GITHUB_SHA}"
-          DOCKER_IMAGE='debian:bookworm-slim'
+          . ./_versions.sh
           export CW_CCSUFFIX='-15'
           export CW_GCCSUFFIX='-12'
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE}"
+          time podman pull "${DOCKER_IMAGE_STABLE}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|COSIGN_|GITHUB_|DO_NOT_TRACK)') \
-            "${DOCKER_IMAGE}" \
+            "${DOCKER_IMAGE_STABLE}" \
             sh -c ./_ci-linux-debian.sh
 
       - name: 'list dependencies'
         run: cat urls.txt ./*-version-*.txt || true
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
-          name: 'curl-linux-musl-debian-bookworm-gcc'
+          name: 'curl-linux-musl-debian-stable-gcc'
           retention-days: ${{ github.ref_name == 'main' && 90 || 5 }}
           path: |
             *-*-linux*.*

.github/workflows/daily.yml

@@ -40,17 +40,17 @@ jobs:
         run: |
           export CW_CONFIG='werror-dev-linux'
           export CW_REVISION; CW_REVISION="$(TZ=UTC date +'%Y%m%d')"
-          DOCKER_IMAGE='debian:bookworm-slim'
+          . ./_versions.sh
           export CW_CCSUFFIX='-15'
           export CW_GCCSUFFIX='-12'
           sudo podman image trust set --type reject default
           sudo podman image trust set --type accept docker.io/library
-          time podman pull "${DOCKER_IMAGE}"
+          time podman pull "${DOCKER_IMAGE_STABLE}"
           podman images --digests
           time podman run --volume "$(pwd):$(pwd)" --workdir "$(pwd)" \
             --env-file <(env | grep -a -E \
               '^(CW_|SIGN_|COSIGN_|GITHUB_|DO_NOT_TRACK)') \
-            "${DOCKER_IMAGE}" \
+            "${DOCKER_IMAGE_STABLE}" \
             sh -c ./_ci-linux-debian.sh
 
       - name: 'list dependencies'

_bumper.sh

@@ -29,32 +29,38 @@ export _CONFIG="${1:-}"
 # Find out the latest docker image release:
 
 name='debian'
+cpu='amd64'
+
+echo
+for release in 'testing' 'bookworm'; do
 
-# https://docs.docker.com/reference/api/registry/latest/
-token="$(curl --disable --user-agent '' --silent --fail --show-error \
-    "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/${name}:pull" \
-  | jq --raw-output '.token')"
+  # https://docs.docker.com/reference/api/registry/latest/
+  token="$(curl --disable --user-agent '' --silent --fail --show-error \
+      "https://auth.docker.io/token?service=registry.docker.io&scope=repository:library/${name}:pull" \
+    | jq --raw-output '.token')"
 
-tag="$(curl --disable --user-agent '' --silent --fail --show-error \
-    --header 'Accept: application/json' \
-    --header @/dev/stdin \
-    "https://registry-1.docker.io/v2/library/${name}/tags/list" <<EOF \
-  | jq --raw-output '.tags[]' | grep -E '^testing-[0-9]{8}-slim$' | sort | tail -n -1
+  tag="$(curl --disable --user-agent '' --silent --fail --show-error \
+      --header 'Accept: application/json' \
+      --header @/dev/stdin \
+      "https://registry-1.docker.io/v2/library/${name}/tags/list" <<EOF \
+    | jq --raw-output '.tags[]' | grep -E "^${release}-[0-9]{8}-slim\$" | sort | tail -n -1
 Authorization: Bearer ${token}
 EOF
 )"
 
-cpu='amd64'
-digest="$(curl --disable --user-agent '' --silent --fail --show-error \
-    --header 'Accept: application/json' \
-    --header @/dev/stdin \
-    "https://registry-1.docker.io/v2/library/${name}/manifests/${tag}" <<EOF \
-  | jq --raw-output --arg cpu "${cpu}" '.manifests[] | select(.platform.architecture == $cpu and .platform.os == "linux") | .digest'
+  digest="$(curl --disable --user-agent '' --silent --fail --show-error \
+      --header 'Accept: application/json' \
+      --header @/dev/stdin \
+      "https://registry-1.docker.io/v2/library/${name}/manifests/${tag}" <<EOF \
+    | jq --raw-output --arg cpu "${cpu}" '.manifests[] | select(.platform.architecture == $cpu and .platform.os == "linux") | .digest'
 Authorization: Bearer ${token}
 EOF
 )"
 
-echo; echo "export DOCKER_IMAGE='${name}:${tag}@${digest}'  # ${cpu}"
+  env_suffix=''
+  [ "${release}" != 'testing' ] && env_suffix='_STABLE'
+  echo "export DOCKER_IMAGE${env_suffix}='${name}:${tag}@${digest}'  # ${cpu}"
+done
 
 # Find out the latest AppVeyor CI Ubuntu worker image
 

_versions.sh

@@ -4,6 +4,7 @@
 # SPDX-License-Identifier: MIT
 
 export DOCKER_IMAGE='debian:testing-20250908-slim@sha256:f698e6243e87c0d6b727daae959c3f15a64a3a39cc280a2dd1305d007b3d5f27'  # amd64
+export DOCKER_IMAGE_STABLE='debian:bookworm-20250908-slim@sha256:acd98e6cfc42813a4db9ca54ed79b6f702830bfc2fa43a2c2e87517371d82edb'  # amd64
 
 export CURL_VER_='8.16.0'
 export CURL_HASH=40c8cddbcb6cc6251c03dea423a472a6cea4037be654ba5cf5dec6eb2d22ff1d