chaptersix · chaptersix · Nov 21, 2025 · Nov 21, 2025 · Nov 21, 2025 · Nov 21, 2025
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
@@ -178,21 +178,6 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Check if release is latest
-        if: inputs.publish
-        id: check_latest
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const { data: release } = await github.rest.repos.getReleaseByTag({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              tag: context.ref.replace('refs/tags/', '')
-            });
-            // Tag as latest only if release is marked as latest (not pre-release)
-            core.setOutput('tag_latest', release.prerelease ? 'false' : 'true');
-            console.log(`Release prerelease: ${release.prerelease}, tag_latest: ${!release.prerelease}`)
-
       - name: Build and push Docker image
         if: inputs.publish
         run: |
@@ -205,7 +190,7 @@ jobs:
           IMAGE_SHA_TAG: ${{ steps.meta.outputs.image_sha_tag }}
           IMAGE_BRANCH_TAG: ${{ steps.meta.outputs.image_branch_tag }}
           VERSION: ${{ steps.meta.outputs.version }}
-          TAG_LATEST: ${{ steps.check_latest.outputs.tag_latest }}
+          TAG_LATEST: false
           IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}
           IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }}
           IMAGE_NAME: ${{ steps.meta.outputs.image_name }}
@@ -225,11 +210,3 @@ jobs:
           IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}
           IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }}
           IMAGE_NAME: ${{ steps.meta.outputs.image_name }}
-
-      - name: Upload build artifacts
-        if: ${{ !inputs.publish }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: temporal-cli-dist
-          path: dist/
-          retention-days: 7
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: write
+  packages: write
 
 jobs:
   release:

diff --git a/.github/workflows/update-latest-tag.yml b/.github/workflows/update-latest-tag.yml
@@ -0,0 +1,120 @@
+name: Update Latest Docker Tag
+
+on:
+  release:
+    types:
+      - edited
+      - released
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  update-latest:
+    name: Update Latest Tag
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ github.event.release.tag_name }}
+
+      - name: Check if release is latest
+        id: check_latest
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const releaseTag = process.env.RELEASE_TAG;
+            const { data: release } = await github.rest.repos.getReleaseByTag({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag: releaseTag
+            });
+
+            const isLatest = !release.prerelease && !release.draft;
+            core.setOutput('is_latest', isLatest);
+            console.log(`Release: ${release.tag_name}`);
+            console.log(`Prerelease: ${release.prerelease}, Draft: ${release.draft}`);
+            console.log(`Should tag as latest: ${isLatest}`);
+
+      - name: Set up Docker Buildx
+        if: steps.check_latest.outputs.is_latest == 'true'
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get registry configuration
+        if: steps.check_latest.outputs.is_latest == 'true'
+        id: registry
+        run: |
+          REPO_OWNER="${{ github.repository_owner }}"
+
+          # Auto-detect registry based on repository owner
+          if [[ "$REPO_OWNER" == "temporalio" ]]; then
+            REGISTRY="docker.io"
+            echo "type=dockerhub" >> $GITHUB_OUTPUT
+            echo "repo=" >> $GITHUB_OUTPUT
+          else
+            REGISTRY="ghcr.io"
+            echo "type=ghcr" >> $GITHUB_OUTPUT
+            echo "repo=${REGISTRY}" >> $GITHUB_OUTPUT
+          fi
+
+          echo "namespace=${REPO_OWNER}" >> $GITHUB_OUTPUT
+          echo "image=temporal" >> $GITHUB_OUTPUT
+
+      - name: Log in to GitHub Container Registry
+        if: steps.check_latest.outputs.is_latest == 'true' && steps.registry.outputs.type == 'ghcr'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        if: steps.check_latest.outputs.is_latest == 'true' && steps.registry.outputs.type == 'dockerhub'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Get version tag
+        if: steps.check_latest.outputs.is_latest == 'true'
+        id: version
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          VERSION="$RELEASE_TAG"
+          VERSION="${VERSION#v}"
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Pull and retag image as latest
+        if: steps.check_latest.outputs.is_latest == 'true'
+        run: |
+          # Construct image paths
+          REPO="${{ steps.registry.outputs.repo }}"
+          NAMESPACE="${{ steps.registry.outputs.namespace }}"
+          IMAGE="${{ steps.registry.outputs.image }}"
+          VERSION="${{ steps.version.outputs.version }}"
+
+          if [[ -z "$REPO" ]]; then
+            # Docker Hub format
+            SOURCE_IMAGE="${NAMESPACE}/${IMAGE}:${VERSION}"
+            LATEST_IMAGE="${NAMESPACE}/${IMAGE}:latest"
+          else
+            # Other registries
+            SOURCE_IMAGE="${REPO}/${NAMESPACE}/${IMAGE}:${VERSION}"
+            LATEST_IMAGE="${REPO}/${NAMESPACE}/${IMAGE}:latest"
+          fi
+
+          echo "Pulling ${SOURCE_IMAGE}..."
+          docker pull ${SOURCE_IMAGE}
+
+          echo "Tagging as ${LATEST_IMAGE}..."
+          docker tag ${SOURCE_IMAGE} ${LATEST_IMAGE}
+
+          echo "Pushing ${LATEST_IMAGE}..."
+          docker push ${LATEST_IMAGE}
+
+          echo "✅ Successfully updated latest tag to point to version ${VERSION}"