From 629609acca41406717b9198b1893e7b222f7c228 Mon Sep 17 00:00:00 2001
From: InDieTasten <indietasten@gmail.com>
Date: Thu, 8 Jan 2026 15:42:10 +0100
Subject: [PATCH] ci: fix issues with retagging by removing retagging and non
 hash tags

---
 .github/workflows/continuous-integration.yml | 106 +++++--------------
 1 file changed, 27 insertions(+), 79 deletions(-)

diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 684413db..8ded8f5b 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -154,67 +154,6 @@ jobs:
             [ "$newerVersion" = "$newVersion" ] || exit 1
             echo "✅ Success Version was updated!"
 
-  retag-and-push:
-    runs-on: ubuntu-latest
-    needs: [check-recording-bot-changes, chart-version-checks]
-    if: |
-      (github.event_name == 'push' || github.event_name == 'schedule') &&
-      needs.chart-version-checks.result == 'success' &&
-      (
-        needs.check-recording-bot-changes.outputs.build == 'True' || 
-        needs.check-recording-bot-changes.outputs.scripts == 'True' || 
-        needs.check-recording-bot-changes.outputs.src == 'True'
-      )
-
-    permissions:
-      packages: write
-
-    outputs:
-      image-exists: ${{ steps.check-image.outputs.image-exists }}
-
-    steps:
-      - uses: actions/checkout@v4
-        
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Generate Docker image tag
-        id: generate-tag
-        run: |
-            hash=$(find src build scripts -type f -exec sha256sum {} \; | sort | sha256sum | awk '{print $1}')
-            echo "tag=$hash" >> $GITHUB_OUTPUT
-      
-      - name: Check if image exists
-        id: check-image
-        run: |
-          if docker manifest inspect ${{ vars.CR_NAMESPACE_REPOSITORY }}:${{ steps.generate-tag.outputs.tag }} > /dev/null 2>&1; then
-            echo "Image already exists"
-            echo "image-exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "image-exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Pull PR image and retag as latest
-        if: steps.check-image.outputs.image-exists == 'true'
-        run: |
-          TAG="${{ steps.generate-tag.outputs.tag }}"
-          REGISTRY="${{ vars.CR_NAMESPACE_REPOSITORY }}"
-
-          echo "🔍 Pulling image with tag: $TAG"
-          docker pull ${REGISTRY}:${TAG}
-
-          echo "🏷️ Retagging image as latest"
-          docker tag ${REGISTRY}:${TAG} ${REGISTRY}:latest
-
-          echo "🚀 Pushing latest image"
-          docker push ${REGISTRY}:latest
-
-          echo "✅ Successfully promoted ${REGISTRY}:${TAG} to ${REGISTRY}:latest"
-
   start-cluster:
     needs: [check-recording-bot-changes, chart-version-checks]
     if: |
@@ -235,26 +174,29 @@ jobs:
       AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
 
   generate-image-tag:
-    needs: [check-recording-bot-changes, chart-version-checks, retag-and-push]
+    needs: [check-recording-bot-changes, chart-version-checks]
     if: |
-      always() &&
       needs.chart-version-checks.result == 'success' &&
       (
         needs.check-recording-bot-changes.outputs.build == 'True' || 
         needs.check-recording-bot-changes.outputs.src == 'True' ||
         needs.check-recording-bot-changes.outputs.scripts == 'True'
-      ) &&
-      (
-        github.event_name == 'pull_request' ||
-        ((github.event_name == 'push' || github.event_name == 'schedule') && needs.retag-and-push.outputs.image-exists == 'false')
       )
     runs-on: ubuntu-latest
     
     outputs:
       image-tag: ${{ steps.generate-tag.outputs.tag }}
+      image-exists: ${{ steps.check-image.outputs.image-exists }}
     
     steps:
       - uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
         
       - name: Generate content-based image tag
         id: generate-tag
@@ -263,23 +205,29 @@ jobs:
             if [ '${{ github.event_name }}' = 'pull_request' ]; then
               echo "tag=pr-${{ github.event.number }}-${hash:0:8}" >> $GITHUB_OUTPUT
             else
-              echo "tag=latest" >> $GITHUB_OUTPUT
+              echo "tag=${hash:0:8}" >> $GITHUB_OUTPUT
             fi
 
+      - name: Check if image exists
+        id: check-image
+        run: |
+          if docker manifest inspect ${{ vars.CR_NAMESPACE_REPOSITORY }}:${{ steps.generate-tag.outputs.tag }} > /dev/null 2>&1; then
+            echo "Image already exists"
+            echo "image-exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "image-exists=false" >> $GITHUB_OUTPUT
+          fi
+
   build-docker-image:
-    needs: [check-recording-bot-changes, chart-version-checks, retag-and-push, generate-image-tag]
+    needs: [check-recording-bot-changes, chart-version-checks, generate-image-tag]
     if: |
-      always() &&
       needs.chart-version-checks.result == 'success' &&
       (
         needs.check-recording-bot-changes.outputs.build == 'True' || 
         needs.check-recording-bot-changes.outputs.src == 'True' ||
         needs.check-recording-bot-changes.outputs.scripts == 'True'
       ) &&
-      (
-        github.event_name == 'pull_request' ||
-        ((github.event_name == 'push' || github.event_name == 'schedule') && needs.retag-and-push.outputs.image-exists == 'false')
-      )
+      needs.generate-image-tag.outputs.image-exists == 'false'
     uses: ./.github/workflows/routine-buildimage.yml
     permissions:
       packages: write
@@ -289,14 +237,14 @@ jobs:
     secrets: inherit
 
   deploy-to-environment:
-    needs: [check-recording-bot-changes, chart-version-checks, start-cluster, build-docker-image, retag-and-push, generate-image-tag]
+    needs: [check-recording-bot-changes, chart-version-checks, start-cluster, build-docker-image, generate-image-tag]
     if: |
       always() &&
       needs.start-cluster.result == 'success' &&
       (
         needs.build-docker-image.result == 'success' ||
-        (needs.retag-and-push.result == 'success' && (github.event_name == 'push' || github.event_name == 'schedule')) ||
-        (needs.check-recording-bot-changes.outputs.deploy == 'True' && (needs.build-docker-image.result == 'skipped' || needs.retag-and-push.result == 'skipped'))
+        (needs.generate-image-tag.outputs.image-exists == 'true' && (needs.build-docker-image.result == 'skipped')) ||
+        (needs.check-recording-bot-changes.outputs.deploy == 'True' && needs.build-docker-image.result == 'skipped')
       )
     uses: ./.github/workflows/routine-deployenvironment.yml
     with:
@@ -309,7 +257,7 @@ jobs:
       host: ${{ needs.start-cluster.outputs.cluster-fqdn }}
       image-registry: ${{ vars.CR_REGISTRY }}
       image-name: ${{ vars.CR_IMAGE_NAME }}
-      image-tag: ${{ needs.generate-image-tag.outputs.image-tag || 'latest' }}
+      image-tag: ${{ needs.generate-image-tag.outputs.image-tag }}
       public-ip: ${{ needs.start-cluster.outputs.cluster-ip }}
       tls-email: ${{ vars.TLS_EMAIL }}
       enable-nginx: true
@@ -323,7 +271,7 @@ jobs:
     uses: ./.github/workflows/routine-runtests.yml
     with:
       headless-mode: true
-      test-environment: ${{ needs.generate-image-tag.outputs.image-tag || 'latest' }}
+      test-environment: ${{ needs.generate-image-tag.outputs.image-tag }}
       github-issue-number: ${{ github.event.number || '' }}
     secrets:
       USER_A_USERNAME: ${{ vars.TEST_USER_A_USERNAME }}