Prevent re-tagging from rebuilding image

danschmidt5189 · danschmidt5189 · commit bf28c3b76795 · 2025-09-26T12:47:17.000-07:00
Pass the build image around a given GHA workflow run using artifacts rather than the registry, manually pushing all tags at the end of the build.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -3,14 +3,19 @@ name: Build / Test / Push
 on:
   push:
     branches:
-      - '*'
+      - '**'
   workflow_dispatch:
 
+env:
+  COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml
+  DOCKER_METADATA_SET_OUTPUT_ENV: "true"
+  IMAGE_ARTIFACT_NAME: iipsrv-${{ github.run_id }}_${{ github.run_attempt }}.tar
+
 jobs:
   build:
     runs-on: ubuntu-latest
     outputs:
-      build-image: ${{ steps.build-meta.outputs.tags }}
+      build-image: ${{ steps.id-image-tag.outputs.build_image }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -21,38 +26,43 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Produce the build image tag
-        id: build-meta
+      - id: build-meta
+        name: Produce the build image tag
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}
-          tags: type=sha,suffix=-build-${{ github.run_id }}_${{ github.run_attempt }}
+          tags: | # sorted most to least specific
+            type=sha,suffix=-build-${{ github.run_id }}_${{ github.run_attempt }}
+            type=sha
+            type=ref,event=branch
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - id: id-image-tag
+        name: Identify the build-specific image tag
+        run: |
+          echo build_image="$(echo $DOCKER_METADATA_OUTPUT_TAGS | tr ' ' '\n' | grep -E 'sha-\w+-build-${{ github.run_id }}_${{ github.run_attempt }}')" >> "$GITHUB_OUTPUT"
 
-      - name: Build and push the untested image
+      - name: Build the untested image
         uses: docker/build-push-action@v6
         with:
           cache-from: type=gha
           cache-to: type=gha
           labels: ${{ steps.build-meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          provenance: true
-          push: true
-          sbom: true
+          outputs: type=docker,dest=${{ runner.temp }}/${{ env.IMAGE_ARTIFACT_NAME }}
+          push: false
           tags: ${{ steps.build-meta.outputs.tags }}
 
+      - name: Upload untested image as an artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.IMAGE_ARTIFACT_NAME }}
+          path: ${{ runner.temp }}/${{ env.IMAGE_ARTIFACT_NAME }}
+
   test:
     runs-on: ubuntu-latest
     needs:
       - build
     env:
-      COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml
       DOCKER_APP_IMAGE: ${{ needs.build.outputs.build-image }}
     steps:
       - name: Checkout code
@@ -61,12 +71,16 @@ jobs:
       - name: Set up Docker Compose
         uses: docker/setup-compose-action@v1
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+      - name: Download untested image
+        uses: actions/download-artifact@v4
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          name: ${{ env.IMAGE_ARTIFACT_NAME }}
+          path: ${{ runner.temp }}
+
+      - name: Load the image
+        run: |
+          docker image load --input "${{ runner.temp }}/$IMAGE_ARTIFACT_NAME"
+          docker image ls --all
 
       - name: Run the test script
         run: |
@@ -78,31 +92,30 @@ jobs:
     needs:
       - build
       - test
+    env:
+      DOCKER_APP_IMAGE: ${{ needs.build.outputs.build-image }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Download tested image
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.IMAGE_ARTIFACT_NAME }}
+          path: ${{ runner.temp }}
+
+      - name: Load the image
+        run: |
+          docker image load --input "${{ runner.temp }}/$IMAGE_ARTIFACT_NAME"
+          docker image ls --all
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Produce permanent image tags
-        id: branch-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=sha
-            type=ref,event=branch
-            type=raw,value=latest,enable={{is_default_branch}}
-
-      - name: Retag and push the image
-        uses: docker/build-push-action@v6
-        with:
-          cache-from: type=registry,ref=${{ needs.build.outputs.build-image }}
-          labels: ${{ steps.branch-meta.outputs.labels }}
-          push: true
-          tags: ${{ steps.branch-meta.outputs.tags }}
+      - name: Push the image
+        run: |
+          docker push --all-tags "$(echo $DOCKER_APP_IMAGE | cut -f1 -d:)"
