fix: Resolve Docker image tag mismatch in multi-variant build workflow

[Copilot]

Problem

The GitHub Actions workflow was failing when building the Playwright variant image with the following error:

ERROR: failed to solve: ghcr.io/gordonbeeming/copilot_here:sha-e4cc1c4dd89220fe053bcfe51911f93319c044f8: not found

Failed workflow run: https://github.com/GordonBeeming/copilot_here/actions/runs/18372997964/job/52340446791

Root Cause

There was a mismatch between Docker image tag formats used by different parts of the workflow:

1. The docker/metadata-action@v5 with type=sha creates tags using the short SHA format:

   • main
   • latest
   • sha-e4cc1c4 ← 7-character short SHA

2. The Playwright and .NET build steps attempted to reference base images using the full SHA format:

   • BASE_IMAGE_TAG=sha-${{ github.sha }} → sha-e4cc1c4dd89220fe053bcfe51911f93319c044f8 ← 40-character full SHA

Since the full SHA tag was never created, the variant image builds failed with "not found" errors.

Solution

Added explicit full SHA tagging to the base image push step, then updated variant builds to use SHA-based references for concurrent-run safety:

Base image push step:

- name: Push image to registry
  if: steps.push_decision.outputs.push_needed == 'true'
  run: |
    docker push --all-tags ghcr.io/${{ steps.repo.outputs.name }}
    # Tag with full SHA for variant builds to reference
    docker tag ghcr.io/${{ steps.repo.outputs.name }}:latest ghcr.io/${{ steps.repo.outputs.name }}:sha-${{ github.sha }}
    docker push ghcr.io/${{ steps.repo.outputs.name }}:sha-${{ github.sha }}

Playwright image:

build-args: |
  BASE_IMAGE_TAG=sha-${{ github.sha }}  # ✅ Full SHA tag now exists

dotnet image:

build-args: |
  PLAYWRIGHT_IMAGE_TAG=playwright-sha-${{ github.sha }}  # ✅ References variant's SHA tag

Benefits

• ✅ Concurrent-Safe: Multiple workflow runs can execute simultaneously without tag conflicts
• ✅ Traceable: Every image variant is tagged with its source commit SHA
• ✅ Reliable: Tags are created immediately before they're needed
• ✅ No Format Issues: Uses full SHA consistently across all build steps

How It Works

The workflow builds and pushes images sequentially:

1. Base image → pushed with latest, main, and sha-e4cc1c4 tags, then explicitly tagged and pushed with full sha-<commit-sha> tag
2. Playwright image → builds from sha-<commit-sha> base image, then pushed with playwright and playwright-sha-<commit-sha> tags
3. .NET image → builds from playwright-sha-<commit-sha> image, then pushed with dotnet and dotnet-sha-<commit-sha> tags

Each workflow run uses unique, commit-specific SHA tags, ensuring no conflicts during concurrent executions while maintaining full traceability.

Original prompt

can you help me fix this

https://github.com/GordonBeeming/copilot_here/actions/runs/18372997964/job/52340446791

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[GordonBeeming]

@copilot I'd like to force using the sha if possible in case multiple runs go at the same time... please update it

[Copilot]

@copilot I'd like to force using the sha if possible in case multiple runs go at the same time... please update it

Updated in commit 8ba8a68. The base image now creates a full SHA tag (sha-${{ github.sha }}) which the Playwright and .NET images reference. This ensures each workflow run uses its own unique SHA-based images, preventing conflicts during concurrent executions.

[GordonBeeming]

@copilot the playwright image should use the base sha, dotnet should use the playwright-sha ... is that the case currently? they stack on each other

[Copilot]

@copilot the playwright image should use the base sha, dotnet should use the playwright-sha ... is that the case currently? they stack on each other

Yes, that's correct. The images stack properly:

• Playwright builds from base image using BASE_IMAGE_TAG=sha-${{ github.sha }}
• .NET builds from Playwright using PLAYWRIGHT_IMAGE_TAG=playwright-sha-${{ github.sha }}

Each image builds on top of the previous one with SHA-specific tags to ensure proper isolation during concurrent runs.

[Copilot]

Pull Request Overview

This PR fixes a Docker image tag mismatch issue in the GitHub Actions workflow that was causing Playwright variant image builds to fail. The workflow was attempting to reference a base image with a full SHA tag that didn't exist, since the metadata action only creates short SHA tags.

Key changes:

• Added explicit full SHA tagging to the base image push step
• Updated variant builds to use consistent SHA-based references for concurrent-run safety
• Enhanced workflow documentation with detailed troubleshooting information

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
.github/workflows/publish.yml	Added full SHA tagging after base image push to support variant image builds
docs/tasks/20251009-01-fix-workflow-image-tag-mismatch.md	Added comprehensive task documentation explaining the problem, solution, and implementation details

[Copilot]

The date appears to be in the future. Based on the current date being October 2025, this should likely be 2025-01-09 to match the filename format.

Suggested change

	**Date:** 2025-10-09
	**Date:** 2025-01-09

[Copilot]

[nitpick] Minor grammatical improvement: 'to registry' should be 'to the registry' for consistency with the step name.

Suggested change

	# Step 9: Push the image to registry only if needed
	- name: Push image to registry
	# Step 9: Push the image to the registry only if needed
	- name: Push image to the registry