feat: add LTS-specific build tags for v3 and v4 CRS releases

.github/workflows/verifyimage.yml

@@ -92,9 +92,9 @@ jobs:
 
       - name: Run ${{ matrix.target }}
         run: |
-          # get the major version from the matrix.target 
-          # The targets end with `<major>-<minor>-<patch>`.
-          CRS_VERSION="v$(awk -F'-' '{print $(NF-2)}' <<< ${{ matrix.target }})"
+          # get the major CRS version from the matrix.target
+          # Targets ending with "previous" are v3; all others are v4.
+          CRS_VERSION="$([[ "${{ matrix.target }}" == *-previous ]] && echo v3 || echo v4)"
           . .github/workflows/configure-rules-for-test.sh \
             "src/opt/modsecurity/configure-rules.${CRS_VERSION}.conf" \
             README.md \

README.md

@@ -45,6 +45,23 @@ Examples:
    * `nginx`
    * `apache-alpine`
 
+### LTS Tags
+
+LTS (Long-Term Support) tags are stable tags pointing to a designated LTS release. They are updated less frequently than stable tags and are intended for users who prioritize stability over new features.
+
+LTS Tags are composed of:
+   * CRS version, in the format `<minor>` or `<minor>.<patch>`
+   * web server variant
+   * OS variant (optional)
+   * `lts` suffix
+
+The LTS tag format is `<CRS version>-<web server>[-<os>]-lts`.
+Examples:
+   * `4.25-nginx-lts`
+   * `4.25.0-nginx-lts`
+   * `4.25-apache-lts`
+   * `4.25.0-apache-alpine-lts`
+
 ## OS Variants
 
 * nginx – *latest stable ModSecurity v3 on Nginx 1.28.2 official stable base image, and latest stable OWASP CRS 4.25.0*

docker-bake.hcl

@@ -17,20 +17,25 @@ variable "modsec2-flags" {
     default = "--with-yajl --with-ssdeep --with-pcre2"
 }
 
-variable "previous-major-crs-version" {
-    default = "3.3.8"
+variable "previous-lts-crs-version" {
+    default = "3.3.9"
 }
 
 variable "major-crs-version" {
     # renovate: depName=coreruleset/coreruleset datasource=github-releases
     default = "4.25.0"
 }
 
+variable "v4-lts-crs-version" {
+    default = "4.25.0"
+}
+
 variable "crs-versions" {
-  default = { 
-    "previous" = previous-major-crs-version,
-    "latest" = major-crs-version
-  }
+  default = [
+    { tag = "previous-lts", version = previous-lts-crs-version },
+    { tag = "lts",      version = v4-lts-crs-version },
+    { tag = "latest",   version = major-crs-version }
+  ]
 }
 
 variable "nginx-version" {
@@ -112,6 +117,14 @@ function "vtag" {
     )
 }
 
+function "lts-tag" {
+    params = [semver, variant]
+    result = concat(
+        tag("${minor(semver)}-${variant}-lts"),
+        tag("${patch(semver)}-${variant}-lts")
+    )
+}
+
 group "default" {
     targets = [
         "apache",
@@ -137,7 +150,7 @@ target "platforms-base" {
 
 target "apache" {
     matrix = {
-        crs_release = crs-versions
+        crs_entry = crs-versions
         base = [
             {
                 name = "debian"
@@ -157,23 +170,25 @@ target "apache" {
     }
 
     inherits = ["platforms-base"]
-    name = "apache-${base.name}-${replace(crs_release, ".", "-")}"
+    name = "apache-${base.name}-${crs_entry.tag}"
     contexts = {
         image = base.image
     }
     dockerfile = base.dockerfile
     args = {
-        CRS_RELEASE = "${crs_release}"
+        CRS_RELEASE = crs_entry.version
         LUA_MODULES = base.lua_modules
     }
-    tags = concat(tag(base.tag_base),
-        vtag("${crs_release}", base.tag_base)
+    tags = concat(
+        tag(base.tag_base),
+        vtag("${crs_entry.version}", base.tag_base),
+        equal(crs_entry.tag, "lts") ? lts-tag("${crs_entry.version}", base.tag_base) : []
     )
 }
 
 target "nginx" {
     matrix = {
-        crs_release = crs-versions
+        crs_entry = crs-versions
         base = [
             {
                 name = "debian"
@@ -203,20 +218,22 @@ target "nginx" {
         ]
     }
     inherits = ["platforms-base"]
-    name = "nginx-${base.name}-${read-only-fs.name}-${replace(crs_release, ".", "-")}"
+    name = "nginx-${base.name}-${read-only-fs.name}-${crs_entry.tag}"
     contexts = {
         image = base.image
     }
     dockerfile = base.dockerfile
     args = {
-        CRS_RELEASE = crs_release
+        CRS_RELEASE = crs_entry.version
         NGINX_VERSION = nginx-version
         LUA_MODULES = base.lua_modules
         NGINX_DYNAMIC_MODULES = join(" ", [for mod in nginx-dynamic-modules : join(" ", [mod.owner, mod.name, mod.version])])
         NGINX_HOME = "/etc/nginx"
         READ_ONLY_FS = read-only-fs.read-only
     }
-    tags = concat(tag("${base.tag_base}${equal(read-only-fs.read-only, "true") ? "-read-only" : ""}"),
-        vtag("${crs_release}", "${base.tag_base}${equal(read-only-fs.read-only, "true") ? "-read-only" : ""}")
+    tags = concat(
+        tag("${base.tag_base}${equal(read-only-fs.read-only, "true") ? "-read-only" : ""}"),
+        vtag("${crs_entry.version}", "${base.tag_base}${equal(read-only-fs.read-only, "true") ? "-read-only" : ""}"),
+        equal(crs_entry.tag, "lts") ? lts-tag("${crs_entry.version}", "${base.tag_base}${equal(read-only-fs.read-only, "true") ? "-read-only" : ""}") : []
     )
 }