Docker tagging #53

Open · wants to merge 3 commits into base: main
48 changes: 18 additions & 30 deletions .github/workflows/docker-ci.yml
@@ -4,11 +4,12 @@
# 2) Scan the image for vulnerabilities with trivy (see https://github.com/aquasecurity/trivy)
# 3) Upload the scan results from step 2 to the github security tab of the repository
# 4) Generating appropriate image tags for publishing using the docker/metadata-action. Following Rules are applied:
# 1. Running the action on push to the main branch will trigger tagging image as latest
# 2. Running the action on push to a git branch trigger tagging image as "<branchname>"
# 3. Running the action on push of a git tag matching the semver schema will trigger tagging image with {MAJOR}, {MAJOR}.{MINOR} and {MAJOR}.{MINOR}.{PATCH}
# 4. Running the action on push to a pull request, will trigger tagging for the github container registry with ghcr.io/<repository-name>/<pr-reference>. This will be skipped for private repositories.
# 5. Running the action on a scheduled basis will trigger tagging images with "nightly".
# * Running the action on push to a git branch adds the tag "<branchname>"
# * Running the action on push of a semver tag of the form "v<major>.<minor>.<patch>" without specified pre-release adds the tags "<major>" (if not 0), "<major>.<minor>", "<major>.<minor>.<patch>", and "latest"
# * Running the action on push of a semver tag of the form "v<major>.<minor>.<patch>-<prerelease>" adds the tag "<major>.<minor>.<patch>-<prerelease>"
# * Running the action on a scheduled basis adds the tag "nightly"
# * Running the action on pull request pushes only to GHCR (if enabled) with the tag "pr-<pr-number>"
# * When pushing to GHCR (if enabled) always adds the tag "sha-<short-commit-sha>"
# 5) Rebuild the image for all necessary platforms an publish it based on the applied tags from 4.
#
# An usage example for this action is provided in the samply organization: https://github.com/samply/.github/blob/main/workflow-templates/docker-ci-template.yml
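Review bot: the rewritten rule list silently drops the old rule 1 (a push to the main branch tags the image as latest); under the new bullets, "latest" is produced only by a non-pre-release semver tag. That is a behaviour change for anyone pulling `:latest` to track main, so state it explicitly in the PR description and changelog as breaking rather than leaving it to be inferred from the comment. Two nits in the surrounding comment lines while they are being touched: "an publish it" should read "and publish it", and "An usage example" should read "A usage example".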
@@ -233,7 +234,7 @@ jobs:
with:
sarif_file: trivy-results.sarif

- name: "GHCR: Define Image Tags (primary)"
- name: "GHCR: Generate Image Tags"
id: docker-meta-ghcr-primary
if: env.ghcr
uses: docker/metadata-action@v5
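Review bot: the step is renamed to "GHCR: Generate Image Tags" but its id stays `docker-meta-ghcr-primary`; with the "(commit-based only)" sibling step deleted further down in this PR, the "primary" qualifier no longer distinguishes anything, so rename the id (for example `docker-meta-ghcr`) and update every `steps.docker-meta-ghcr-primary.outputs.*` reference in the build/push steps in the same change. Separately, `if: env.ghcr` is a truthiness test on a string: it runs for any non-empty value, including the literal "false". Since the header comment now says GHCR pushes happen only "(if enabled)", make the condition explicit with `if: env.ghcr == 'true'`, which also matches the `!= 'true'` convention the deleted step used.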
@@ -243,27 +244,14 @@ jobs:
tags: |
type=schedule,pattern=nightly
type=ref,event=branch
type=ref,event=pr,prefix=${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}pr-
type=ref,event=pr
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
type=sha,prefix=commit-${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
flavor: |
prefix=${{ inputs.image-tag-prefix }},onlatest=true
suffix=${{ inputs.image-tag-suffix }},onlatest=true

- name: "GHCR: Define Image Tags (commit-based only)"
id: docker-meta-ghcr-commit
if: env.ghcr != 'true'
uses: docker/metadata-action@v5
with:
images: |
"ghcr.io/${{ inputs.image-name }}"
tags: |
type=sha,prefix=commit-${{ inputs.image-tag-prefix }},suffix=${{ inputs.image-tag-suffix }}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
type=sha
flavor: |
# adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
latest=auto
prefix=${{ inputs.image-tag-prefix }},onlatest=true
suffix=${{ inputs.image-tag-suffix }},onlatest=true
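Review bot: the whole "GHCR: Define Image Tags (commit-based only)" step (id `docker-meta-ghcr-commit`) is deleted, but the diff does not show the downstream build/push step that consumed `steps.docker-meta-ghcr-commit.outputs.tags` and `.labels`; make sure that consumer is removed or rewired to `docker-meta-ghcr-primary`, otherwise the workflow references an undefined step id. Two things to double-check on the new tag lines: `type=sha` and `type=ref,event=pr` carry their own default prefixes (`sha-` and `pr-`), and as I read the action's flavor handling a per-tag prefix takes precedence over the global `prefix=${{ inputs.image-tag-prefix }}`, so those two tags would not receive the prefix every other tag gets; if the prefix matters, write `type=sha,prefix=${{ inputs.image-tag-prefix }}sha-` (and the same for the PR tag), and confirm the generated tags in a test run. Also, `type=sha` defaults to the 7-character short SHA; for a tag whose purpose is to pin a build to a commit, `type=sha,format=long` gives the full hash and avoids ambiguity as the repository grows. The `enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}` guard on `{{major}}` is a good change: a floating `0` tag would alias every 0.x release.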

@@ -303,10 +291,10 @@ jobs:
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
flavor: |
# adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
latest=auto
prefix=${{ inputs.image-tag-prefix }},onlatest=true
suffix=${{ inputs.image-tag-suffix }},onlatest=true
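Review bot: replacing `type=raw,value=latest,enable={{is_default_branch}}` with `latest=auto` changes what `latest` means for this registry: it now moves only on a non-pre-release semver tag instead of on every push to the default branch, while the `type=ref,event=branch` tag keeps following main. Confirm that is the intent for downstream users of `:latest` and document it next to the header comment. One caveat on the `{{major}}` guard: `startsWith(github.ref, 'refs/tags/v0.')` assumes the `v` prefix, but as far as I know the `type=semver` rule also accepts a bare `0.x.y` tag, which would still receive a floating `0` tag. Either enforce the `v` form the header comment describes (for example by restricting the tag trigger pattern) or extend the guard with `&& !startsWith(github.ref, 'refs/tags/0.')`.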

@@ -344,10 +332,10 @@ jobs:
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
# set latest tag for default branch
type=raw,value=latest,enable={{is_default_branch}}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
flavor: |
# adds "latest" tag if any rule of type=ref,event=tag, type=semver, type=pep440, or type=match is specified and matches (only type=semver is specified here)
latest=auto
prefix=${{ inputs.image-tag-prefix }},onlatest=true
suffix=${{ inputs.image-tag-suffix }},onlatest=true
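Review bot: this is the third copy of the same tags/flavor block (GHCR, the registry above, and this one), and the PR had to change each copy in lockstep; the `{{major}}` enable expression and the long `latest=auto` comment are duplicated verbatim. docker/metadata-action accepts several entries under `images:` (optionally as `name=<image>,enable=<expr>`), so one metadata step listing every registry the job pushes to would generate identical tags once and remove the drift risk between copies. If the separate steps stay because each registry has its own condition, at least move the `latest=auto` explanation into the header comment instead of repeating it three times.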
