diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
index 685a88b..37f3740 100644
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
@@ -4,11 +4,12 @@
 # 2) Scan the image for vulnerabilities with trivy (see https://github.com/aquasecurity/trivy)
 # 3) Upload the scan results from step 2 to the github security tab of the repository
 # 4) Generating appropriate image tags for publishing using the docker/metadata-action. Following Rules are applied:
-# 1. Running the action on push to the main branch will trigger tagging image as latest
-# 2. Running the action on push to a git branch trigger tagging image as ""
-# 3. Running the action on push of a git tag matching the semver schema will trigger tagging image with {MAJOR}, {MAJOR}.{MINOR} and {MAJOR}.{MINOR}.{PATCH}
-# 4. Running the action on push to a pull request, will trigger tagging for the github container registry with ghcr.io//. This will be skipped for private repositories.
-# 5. Running the action on a scheduled basis will trigger tagging images with "nightly".
+# * Running the action on push to a git branch adds the tag ""
+# * Running the action on push of a semver tag of the form "v.." without specified pre-release adds the tags "" (if not 0), ".", "..", and "latest"
+# * Running the action on push of a semver tag of the form "v..-" adds the tag "..-"
+# * Running the action on a scheduled basis adds the tag "nightly"
+# * Running the action on pull request pushes only to GHCR (if enabled) with the tag "pr-"
+# * When pushing to GHCR (if enabled) always adds the tag "sha-"
 # 5) Rebuild the image for all necessary platforms an publish it based on the applied tags from 4.
 #
 # An usage example for this action is provided in the samply organization: https://github.com/samply/.github/blob/main/workflow-templates/docker-ci-template.yml
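Review bot: The placeholders in the new rule list are empty as the hunk reads — `adds the tag ""`, `of the form "v.."`, `"pr-"`, `"sha-"` — so the comment no longer tells a reader which value fills each tag. If these were angle-bracket placeholders lost in rendering this is fine; otherwise spell them out in the style the removed lines used, e.g. `adds the tag "{branch}"` and `always adds the tag "sha-{short-commit-sha}"`. It is also worth stating explicitly that `latest` now follows a pushed release tag instead of the default branch, since the removed rule 1 documented the old behaviour and nothing in the new list says that this changed.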
@@ -233,7 +234,7 @@ jobs:
 with:
 sarif_file: trivy-results.sarif
 
- - name: "GHCR: Define Image Tags (primary)"
+ - name: "GHCR: Generate Image Tags"
 id: docker-meta-ghcr-primary
 if: env.ghcr
 uses: docker/metadata-action@v5
@@ -243,27 +244,14 @@ jobs:
 tags: |
 type=schedule,pattern=nightly
 type=ref,event=branch
- type=ref,event=pr,prefix=${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}pr-
+ type=ref,event=pr
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- type=sha,prefix=commit-${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}
- # set latest tag for default branch
- type=raw,value=latest,enable={{is_default_branch}}
- flavor: |
- prefix=${{ inputs.image-tag-prefix }},onlatest=true
- suffix=${{ inputs.image-tag-suffix }},onlatest=true
-
- - name: "GHCR: Define Image Tags (commit-based only)"
- id: docker-meta-ghcr-commit
- if: env.ghcr != 'true'
- uses: docker/metadata-action@v5
- with:
- images: |
- "ghcr.io/${{ inputs.image-name }}"
- tags: |
- type=sha,prefix=commit-${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}
+ type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+ type=sha
 flavor: |
+ # adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
+ latest=auto
 prefix=${{ inputs.image-tag-prefix }},onlatest=true
 suffix=${{ inputs.image-tag-suffix }},onlatest=true
 
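Review bot: `latest=auto` moves `latest` to whichever semver tag was pushed most recently rather than to the default branch, so publishing a maintenance release such as `v1.2.4` after `v2.0.0` re-points `latest` to the older line, and anyone who can push a tag can now move `latest`; protecting `v*` tags with a tag ruleset, or at least saying this in the `flavor` comment, is worth doing. The `{{major}}` guard `enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}` only recognises the `v` prefix, while `type=semver` also matches bare tags like `0.1.0`, which would then publish a mutable `0` tag; `enable=${{ !startsWith(github.ref, 'refs/tags/v0.') && !startsWith(github.ref, 'refs/tags/0.') }}` closes that gap. The step whose `with:` block this hunk edits starts in the preceding hunk, outside this one.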
@@ -303,10 +291,10 @@ jobs:
 type=ref,event=branch
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- # set latest tag for default branch
- type=raw,value=latest,enable={{is_default_branch}}
+ type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
 flavor: |
+ # adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
+ latest=auto
 prefix=${{ inputs.image-tag-prefix }},onlatest=true
 suffix=${{ inputs.image-tag-suffix }},onlatest=true
 
@@ -344,10 +332,10 @@ jobs:
 type=ref,event=branch
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- # set latest tag for default branch
- type=raw,value=latest,enable={{is_default_branch}}
+ type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
 flavor: |
+ # adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
+ latest=auto
 prefix=${{ inputs.image-tag-prefix }},onlatest=true
 suffix=${{ inputs.image-tag-suffix }},onlatest=true
 
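Review bot: The `{{major}}` guard `enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}` and the `latest=auto` flavor are now pasted verbatim into three tag-generation steps (this hunk, the GHCR hunk before it and the hunk after it), so any later correction — for instance also excluding bare `0.x.y` tags, which `type=semver` accepts but the `v0.` prefix check does not catch — has to be applied three times and will drift if one copy is missed. Evaluating the condition once in a workflow- or job-level `env:` block, `MAJOR_TAG_ENABLED: ${{ !startsWith(github.ref, 'refs/tags/v0.') }}`, and writing `enable=${{ env.MAJOR_TAG_ENABLED }}` in each step keeps the registries in lockstep. The step whose `with:` block this hunk edits starts before the hunk.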