From 1c407f41ec047d9c146c1a61a3caa24bf617edd4 Mon Sep 17 00:00:00 2001
From: Tim Schumacher
Date: Mon, 23 Jun 2025 10:26:06 +0200
Subject: [PATCH 1/3] Remove unused step
If `env.ghcr != 'true'` there is no docker push so calculating tags is unnecessary I think
---
 .github/workflows/docker-ci.yml | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
index 685a88b..e2b822b 100644
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
@@ -254,19 +254,6 @@ jobs:
 prefix=${{ inputs.image-tag-prefix }},onlatest=true
 suffix=${{ inputs.image-tag-suffix }},onlatest=true
- - name: "GHCR: Define Image Tags (commit-based only)"
- id: docker-meta-ghcr-commit
- if: env.ghcr != 'true'
- uses: docker/metadata-action@v5
- with:
- images: |
- "ghcr.io/${{ inputs.image-name }}"
- tags: |
- type=sha,prefix=commit-${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}
- flavor: |
- prefix=${{ inputs.image-tag-prefix }},onlatest=true
- suffix=${{ inputs.image-tag-suffix }},onlatest=true
-
 - name: "GHCR: Login"
 if: env.ghcr
 uses: docker/login-action@v3
From 54d64d282a97111a5848dc0d43923962bc9496b7 Mon Sep 17 00:00:00 2001
From: Tim Schumacher
Date: Mon, 23 Jun 2025 11:03:59 +0200
Subject: [PATCH 2/3] Update tagging rules
---
 .github/workflows/docker-ci.yml | 35 +++++++++++++++++----------------
 1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
index e2b822b..961d6ba 100644
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
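Review bot: The removed step was the only place that gated on `env.ghcr != 'true'`; the surviving `GHCR: Login` step at the end of the hunk uses the bare `if: env.ghcr`, and in GitHub Actions expressions any non-empty string is truthy, so if `env.ghcr` is ever set to the string `'false'` the login (and presumably the push steps sharing that condition) may still run against the registry. Since the commit message treats `env.ghcr` as a `'true'`/`'false'` string, the explicit form `if: env.ghcr == 'true'` is the safer gate and keeps the remaining steps consistent with the comparison just deleted. How `env.ghcr` is populated is outside this hunk, so confirm this against the job's `env:` block before changing the other steps.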
@@ -4,11 +4,12 @@
 # 2) Scan the image for vulnerabilities with trivy (see https://github.com/aquasecurity/trivy)
 # 3) Upload the scan results from step 2 to the github security tab of the repository
 # 4) Generating appropriate image tags for publishing using the docker/metadata-action. Following Rules are applied:
-# 1. Running the action on push to the main branch will trigger tagging image as latest
-# 2. Running the action on push to a git branch trigger tagging image as ""
-# 3. Running the action on push of a git tag matching the semver schema will trigger tagging image with {MAJOR}, {MAJOR}.{MINOR} and {MAJOR}.{MINOR}.{PATCH}
-# 4. Running the action on push to a pull request, will trigger tagging for the github container registry with ghcr.io//. This will be skipped for private repositories.
-# 5. Running the action on a scheduled basis will trigger tagging images with "nightly".
+# * Running the action on push to a git branch adds the tag ""
+# * Running the action on push of a semver tag of the form "v.." without specified pre-release adds the tags "" (if not 0), ".", "..", and "latest"
+# * Running the action on push of a semver tag of the form "v..-" adds the tag "..-"
+# * Running the action on a scheduled basis adds the tag "nightly"
+# * If GHCR is enabled, running the action on pull request pushes to GHCR with the tag "pr-" but does not push to Docker Hub and VerbIS Harbor
+# * If GHCR is enabled, always adds the tag "sha-" on GHCR but not on Docker Hub and VerbIS Harbor
 # 5) Rebuild the image for all necessary platforms an publish it based on the applied tags from 4.
 #
 # An usage example for this action is provided in the samply organization: https://github.com/samply/.github/blob/main/workflow-templates/docker-ci-template.yml
@@ -233,7 +234,7 @@ jobs:
 with:
 sarif_file: trivy-results.sarif
- - name: "GHCR: Define Image Tags (primary)"
+ - name: "GHCR: Generate Image Tags"
 id: docker-meta-ghcr-primary
 if: env.ghcr
 uses: docker/metadata-action@v5
@@ -243,14 +244,14 @@ jobs:
 tags: |
 type=schedule,pattern=nightly
 type=ref,event=branch
- type=ref,event=pr,prefix=${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}pr-
+ type=ref,event=pr
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- type=sha,prefix=commit-${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}
- # set latest tag for default branch
- type=raw,value=latest,enable={{is_default_branch}}
+ type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+ type=sha
 flavor: |
+ # adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
+ latest=auto
 prefix=${{ inputs.image-tag-prefix }},onlatest=true
 suffix=${{ inputs.image-tag-suffix }},onlatest=true
@@ -290,10 +291,10 @@ jobs:
 type=ref,event=branch
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- # set latest tag for default branch
- type=raw,value=latest,enable={{is_default_branch}}
+ type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
 flavor: |
+ # adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
+ latest=auto
 prefix=${{ inputs.image-tag-prefix }},onlatest=true
 suffix=${{ inputs.image-tag-suffix }},onlatest=true
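Review bot: The new `# adds "latest" tag …` line is placed inside the `flavor: |` block scalar, so it is delivered to docker/metadata-action as part of the `flavor` input value rather than as a YAML comment; the same applies to the `-290,10` hunk below and the `-331,10` hunk in the next chunk. The `# set latest tag …` line that previously lived inside `tags:` shows the action tolerates such lines, but moving the comment above `flavor: |` (and wrapping it, since it runs well past 120 columns) makes it an ordinary YAML comment that no longer depends on the action's input parsing. Separately, `enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}` suppresses the bare `{{major}}` tag only for refs literally beginning with `refs/tags/v0.`; if a `0.x.y` tag is ever pushed without the `v` prefix and `type=semver` still matches it, a `0` tag would be produced, which is worth stating next to the rule (e.g. `# major tag is skipped for v0.x to avoid publishing a bare "0" tag`) or guarding with a second prefix.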
@@ -331,10 +332,10 @@ jobs:
 type=ref,event=branch
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- # set latest tag for default branch
- type=raw,value=latest,enable={{is_default_branch}}
+ type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
 flavor: |
+ # adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
+ latest=auto
 prefix=${{ inputs.image-tag-prefix }},onlatest=true
 suffix=${{ inputs.image-tag-suffix }},onlatest=true
From ba616035991a83070dcef59cd185d8d87188608c Mon Sep 17 00:00:00 2001
From: Tim Schumacher
Date: Wed, 25 Jun 2025 09:32:29 +0200
Subject: [PATCH 3/3] Phrase docs more clearly
---
 .github/workflows/docker-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
index 961d6ba..37f3740 100644
--- a/.github/workflows/docker-ci.yml
+++ b/.github/workflows/docker-ci.yml
@@ -8,8 +8,8 @@
 # * Running the action on push of a semver tag of the form "v.." without specified pre-release adds the tags "" (if not 0), ".", "..", and "latest"
 # * Running the action on push of a semver tag of the form "v..-" adds the tag "..-"
 # * Running the action on a scheduled basis adds the tag "nightly"
-# * If GHCR is enabled, running the action on pull request pushes to GHCR with the tag "pr-" but does not push to Docker Hub and VerbIS Harbor
-# * If GHCR is enabled, always adds the tag "sha-" on GHCR but not on Docker Hub and VerbIS Harbor
+# * Running the action on pull request pushes only to GHCR (if enabled) with the tag "pr-"
+# * When pushing to GHCR (if enabled) always adds the tag "sha-"
 # 5) Rebuild the image for all necessary platforms an publish it based on the applied tags from 4.
 #
 # An usage example for this action is provided in the samply organization: https://github.com/samply/.github/blob/main/workflow-templates/docker-ci-template.yml