Add separate workflow for managing latest Docker tag#6

Merged
chaptersix merged 3 commits into main from fix-ghcr-registry-prefix
Nov 21, 2025

@chaptersix
Owner

Summary

Adds a new workflow that automatically manages the latest Docker tag when releases are edited or marked as latest, decoupling this from the initial release process.

Changes

New Workflow: update-latest-tag.yml

  • Triggers: on release edited or released events
  • Logic:
    • Checks if release is marked as latest (not prerelease, not draft)
    • Pulls the versioned image (e.g., 1.5.2)
    • Retags it as latest
    • Pushes the latest tag
  • Security: Uses environment variables to prevent command injection
  • Registries: Supports both Docker Hub and GHCR with auto-detection

Updated Workflow: build-and-publish.yml

  • Removed "Check if release is latest" step
  • Set TAG_LATEST to false (always)
  • Latest tag now managed by the separate workflow

Benefits

  1. Decoupled concerns: Release creation vs latest tag management
  2. Flexible: Can update latest tag when release status changes (e.g., marking as non-prerelease)
  3. Cleaner: Build workflow focuses only on building and publishing versioned images
  4. Safe: Proper handling of untrusted input via environment variables

Tagging Strategy

Matches temporalio/temporal on Docker Hub:

  • ✅ Full version tags (e.g., 1.5.1)
  • ✅ Latest tag (managed by new workflow)
  • ✅ SHA tags (e.g., abc123f) - extra, useful for debugging

Testing

After merging:

  1. Create a test release marked as prerelease - should NOT update latest
  2. Edit the release and unmark prerelease - should automatically update latest tag
  3. Verify latest points to the correct version

Creates a new workflow (update-latest-tag.yml) that runs when a release
is edited or published and automatically updates the 'latest' Docker tag
to point to the release version if the release is marked as latest.

Changes:
- Add .github/workflows/update-latest-tag.yml
  - Triggers on release edited/released events
  - Checks if release is latest (not prerelease, not draft)
  - Pulls the versioned image and retags it as 'latest'
  - Supports both Docker Hub and GHCR
  - Uses environment variables to prevent command injection

- Update .github/workflows/build-and-publish.yml
  - Remove 'Check if release is latest' step
  - Set TAG_LATEST to false (always)
  - Latest tag is now managed by the separate workflow

Benefits:
- Decouples latest tag management from release creation
- Allows updating latest tag when release status changes
- Cleaner separation of concerns

Tagging strategy matches temporalio/temporal on Docker Hub:
- Full version tags (e.g., 1.5.1)
- Latest tag
- SHA tags (additional, useful for debugging)
- Remove 'Upload build artifacts' step from build-and-publish.yml
  (no longer needed)
- Add 'packages: write' permission to goreleaser.yml
  (required for pushing Docker images to GHCR)
@chaptersix chaptersix merged commit 16e76e4 into main Nov 21, 2025
4 of 6 checks passed
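
The environment-variable handling that the description credits with preventing command injection, written out as an added example; this is not the repository's update-latest-tag.yml. The variable names (RELEASE_TAG, IS_PRERELEASE, IS_DRAFT, IMAGE, DOCKER), the function names and the image name are assumptions, as is the MAJOR.MINOR.PATCH tag format with an optional leading "v".

```shell
#!/bin/sh
# Assumed step layout: untrusted release fields reach the script only through
# env:, never through ${{ }} expansion inside the run: text.
#   env:
#     RELEASE_TAG:   ${{ github.event.release.tag_name }}
#     IS_PRERELEASE: ${{ github.event.release.prerelease }}
#     IS_DRAFT:      ${{ github.event.release.draft }}
#     IMAGE:         ghcr.io/example-org/example-image   # placeholder name

# True only for a release that is neither a prerelease nor a draft.
# Unset values count as "not latest" so a missing field fails closed.
is_latest_release() {
  [ "${IS_PRERELEASE:-true}" = "false" ] && [ "${IS_DRAFT:-true}" = "false" ]
}

# Print the image version for RELEASE_TAG, or fail. Assumes release tags are
# MAJOR.MINOR.PATCH with an optional leading "v".
version_from_tag() {
  ver="${RELEASE_TAG:-}"
  ver="${ver#v}"
  case "$ver" in
    '' | *[!0-9.]*) return 1 ;;   # rejects spaces, ;, $, quotes, newlines
  esac
  printf '%s\n' "$ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  printf '%s\n' "$ver"
}

# Pull the versioned image, retag it as latest, push. DOCKER is a hypothetical
# override so the sequence can be dry-run with DOCKER=echo.
retag_latest() {
  if ! is_latest_release; then
    echo "release is a prerelease or draft; latest tag left unchanged"
    return 0
  fi
  ver="$(version_from_tag)" || { echo "refusing release tag" >&2; return 1; }
  : "${IMAGE:?IMAGE must be set}"
  "${DOCKER:-docker}" pull "${IMAGE}:${ver}" &&
    "${DOCKER:-docker}" tag "${IMAGE}:${ver}" "${IMAGE}:latest" &&
    "${DOCKER:-docker}" push "${IMAGE}:latest"
}
```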