@@ -17,16 +17,23 @@ name: "Docker image - release tag"
1717
1818# ----------------------------------------------------------------------------
1919# Trigger: When a release is published (NOT draft or prerelease)
20+ # OR manually via workflow_dispatch
2021# ----------------------------------------------------------------------------
2122on :
2223 release :
2324 types : [published]
25+ workflow_dispatch :
26+ inputs :
27+ tag :
28+ description : ' Release tag (e.g., v0.1.0)'
29+ required : true
30+ type : string
2431
2532jobs :
2633 tag-and-push :
27- # ------------------------------------------------------------------------
28- # Only run if the release tag starts with 'v', and is not a draft/prerelease
29- # ------------------------------------------------------------------------
34+ # ------------------------------------------------------------------
35+ # Only run if the release tag starts with 'v', and is not draft/prerelease
36+ # ------------------------------------------------------------------
3037 if : |
3138 startsWith(github.event.release.tag_name, 'v') &&
3239 github.event.release.draft == false &&
@@ -35,60 +42,42 @@ jobs:
3542 runs-on : ubuntu-latest
3643
3744 permissions :
38- contents : read # read repository info
45+ contents : read # read repo info
3946 packages : write # push Docker image
40- statuses : read # check status API to ensure commit checks passed
47+ statuses : read # check commit status API
4148
4249 steps :
43- # ----------------------------------------------------------------------
44- # Step 1: Capture release tag and resolve the commit SHA it points to
45- # ----------------------------------------------------------------------
50+ # ----------------------------------------------------------------
51+ # Step 1 Capture release tag and resolve the commit SHA it points to
52+ # ----------------------------------------------------------------
4653 - name : 🏷️ Extract tag & commit SHA
4754 id : meta
55+ shell : bash
4856 run : |
57+ set -euo pipefail
4958 TAG="${{ github.event.release.tag_name }}"
50- echo "tag=$TAG" >> "$GITHUB_OUTPUT"
51-
52- # Method 1: Use the target_commitish from the release event if available
53- if [ -n "${{ github.event.release.target_commitish }}" ]; then
54- SHA="${{ github.event.release.target_commitish }}"
55- echo "Using release target_commitish: $SHA"
56- else
57- # Method 2: Use GitHub API to get the commit SHA for the tag
58- SHA=$(curl -sSL \
59- -H "Accept: application/vnd.github+json" \
60- -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
61- "https://api.github.com/repos/${{ github.repository }}/git/refs/tags/$TAG" \
62- | jq -r '.object.sha')
59+ echo "tag=$TAG" >>"$GITHUB_OUTPUT"
6360
64- # If it's an annotated tag, we need to get the commit it points to
65- if [ -z "$SHA" ] || [ "$SHA" = "null" ]; then
66- # Try getting the tag object
67- TAG_SHA=$(curl -sSL \
68- -H "Accept: application/vnd.github+json" \
69- -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
70- "https://api.github.com/repos/${{ github.repository }}/git/refs/tags/$TAG" \
71- | jq -r '.object.sha')
61+ # Ask the remote repo which commit the tag points to
62+ SHA=$(git ls-remote --quiet --refs \
63+ "https://github.com/${{ github.repository }}.git" \
64+ "refs/tags/$TAG" | cut -f1)
7265
73- # Get the commit SHA from the tag object
74- SHA=$(curl -sSL \
75- -H "Accept: application/vnd.github+json" \
76- -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
77- "https://api.github.com/repos/${{ github.repository }}/git/tags/$TAG_SHA" \
78- | jq -r '.object.sha')
79- fi
66+ # Fallback to the release's target_commitish (covers annotated tags/branch releases)
67+ if [ -z "$SHA" ] || [ "$SHA" = "null" ]; then
68+ SHA="${{ github.event.release.target_commitish }}"
8069 fi
8170
8271 echo "Resolved commit SHA: $SHA"
83- echo "sha=$SHA" >> "$GITHUB_OUTPUT"
72+ echo "sha=$SHA" >>"$GITHUB_OUTPUT"
8473
85- # ----------------------------------------------------------------------
86- # Step 2: Confirm all checks on that commit were successful
87- # ----------------------------------------------------------------------
74+ # ----------------------------------------------------------------
75+ # Step 2 Confirm all checks on that commit were successful
76+ # ----------------------------------------------------------------
8877 - name : ✅ Verify commit checks passed
8978 env :
90- SHA : ${{ steps.meta.outputs.sha }}
91- REPO : ${{ github.repository }}
79+ SHA : ${{ steps.meta.outputs.sha }}
80+ REPO : ${{ github.repository }}
9281 run : |
9382 set -euo pipefail
9483 STATUS=$(curl -sSL \
@@ -98,39 +87,40 @@ jobs:
9887 | jq -r '.state')
9988 echo "Combined status: $STATUS"
10089 if [ "$STATUS" != "success" ]; then
101- echo "Required workflows have not all succeeded - aborting." >&2
90+ echo "Required workflows have not all succeeded – aborting." >&2
10291 exit 1
10392 fi
10493
105- # ----------------------------------------------------------------------
106- # Step 3: Authenticate with GitHub Container Registry (GHCR)
107- # ----------------------------------------------------------------------
94+ # ----------------------------------------------------------------
95+ # Step 3 Authenticate with GitHub Container Registry (GHCR)
96+ # ----------------------------------------------------------------
10897 - name : 🔐 Log in to GHCR
10998 uses : docker/login-action@v3
11099 with :
111100 registry : ghcr.io
112101 username : ${{ github.actor }}
113102 password : ${{ secrets.GITHUB_TOKEN }}
114103
115- # ----------------------------------------------------------------------
116- # Step 4: Pull the image using the commit SHA tag
117- # ----------------------------------------------------------------------
104+ # ----------------------------------------------------------------
105+ # Step 4 Pull the image using the commit SHA tag
106+ # ----------------------------------------------------------------
118107 - name : ⬇️ Pull image by commit SHA
119108 run : |
120109 IMAGE="ghcr.io/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
121110 docker pull "$IMAGE:${{ steps.meta.outputs.sha }}"
122111
123- # ----------------------------------------------------------------------
124- # Step 5: Tag the image with the semantic version tag
125- # ----------------------------------------------------------------------
112+ # ----------------------------------------------------------------
113+ # Step 5 Tag the image with the semantic version tag
114+ # ----------------------------------------------------------------
126115 - name : 🏷️ Tag image with version
127116 run : |
128117 IMAGE="ghcr.io/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
129- docker tag "$IMAGE:${{ steps.meta.outputs.sha }}" "$IMAGE:${{ steps.meta.outputs.tag }}"
118+ docker tag "$IMAGE:${{ steps.meta.outputs.sha }}" \
119+ "$IMAGE:${{ steps.meta.outputs.tag }}"
130120
131- # ----------------------------------------------------------------------
132- # Step 6: Push the new tag to GHCR
133- # ----------------------------------------------------------------------
121+ # ----------------------------------------------------------------
122+ # Step 6 Push the new tag to GHCR
123+ # ----------------------------------------------------------------
134124 - name : 🚀 Push new version tag
135125 run : |
136126 IMAGE="ghcr.io/$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
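Review bot: The new `workflow_dispatch` trigger looks inert: the job's `if:` and `TAG="${{ github.event.release.tag_name }}"` in Step 1 read only `github.event.release`, which is absent on a manual run, and `inputs.tag` is never referenced, so as far as the visible condition shows the job would be skipped. When wiring it up, do not expand the tag inside the script text, because a tag name or dispatch input containing shell metacharacters then becomes part of the script in a job that holds `packages: write`; pass it through the step environment instead, `env:` with `TAG: ${{ inputs.tag || github.event.release.tag_name }}`, and check `"$TAG"` against the expected `v…` pattern before use. The SHA resolution also weakens the guarantee that the promoted image is the tested one: `git ls-remote --refs` prints the tag object id for an annotated tag rather than the commit, and the `target_commitish` fallback is commonly a branch name, so Steps 2 and 4 can run against something other than the tagged commit. Peel the tag to its commit and fail when the result is not a full commit SHA instead of falling back.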