ci: also publish release images to Docker Hub#587
Merged
Conversation
PR Docker Image PublishedRun locallydocker run --rm -p 3000:3000 ghcr.io/vechain/block-explorer:pr.587.06b0009 |
Block explorer – Preview
Preview environment destroyed after PR was closed |
Extend the release-image workflow to push the same per-arch image
and the same tag set to docker.io/vechain/block-explorer alongside
ghcr.io. PR images are intentionally not duplicated; they stay on
GHCR only.
The push happens in a single buildx invocation via multi-line
`outputs:`, so each arch gets one digest that is pushed to both
registries. The merge job then runs `docker buildx imagetools
create` twice (once per registry) reusing the same digest sources
and the same version-tag derivation logic via a small shell helper.
Docker Hub does not support OIDC federation, so authentication is a
long-lived token. The workflow expects:
- `vars.DOCKERHUB_USERNAME` — Docker Hub org or service account name
- `secrets.DOCKERHUB_TOKEN` — Organization Access Token scoped to
the `block-explorer` repository
Both have to be configured on the repo (Settings → Actions →
Variables / Secrets) before the workflow can publish to Docker Hub.
Workflow filename stays `publish-ghcr-image.yml` so branch
protection required-status references keep resolving; only the
`name:` header is updated to "Build & Publish Release Image".
b1214a5 to
ea2b1d5
Compare
Build job now pushes per-arch digests to GHCR only. The merge job creates the GHCR manifest list and mirrors each tag from GHCR to Docker Hub with `docker buildx imagetools create`.
daithihearn
approved these changes
Jun 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Extend the release-image workflow to push the same per-arch image and the same tag set to
docker.io/vechain/block-exploreralongside GHCR, so OSS consumers candocker pull vechain/block-explorerwithout authenticating. PR images stay on GHCR only.A single
docker buildxinvocation pushes each architecture's digest to both registries via multi-lineoutputs:, and the merge job creates the manifest list on both registries with identical tag derivation.Before merging, the user needs to:
block-explorerrepository (Read & Write).vars.DOCKERHUB_USERNAME(Docker Hub org or service-account login) andsecrets.DOCKERHUB_TOKEN(the OAT) to the repository.Docker Hub does not support OIDC federation from GitHub Actions; a long-lived token is the only supported auth.