Merge pull request #50 from RadCod3/fix/42-docker-publish-workflow

fix: ensure 'latest' Docker tag points only to releases

Author: RadCod3

.github/workflows/docker-publish.yml

@@ -5,7 +5,7 @@ on:
     branches:
       - main
     tags:
-      - 'v*'
+      - "v*"
 
 env:
   REGISTRY: ghcr.io
@@ -23,103 +23,106 @@ jobs:
       image-version: ${{ steps.meta.outputs.version }}
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-
-    - name: Validate version tag
-      if: startsWith(github.ref, 'refs/tags/v')
-      run: |
-        # Extract version from tag (e.g., v0.1.0 -> 0.1.0)
-        TAG_VERSION=${GITHUB_REF#refs/tags/v}
-        echo "Tag version: $TAG_VERSION"
-
-        # Extract version from pyproject.toml
-        PYPROJECT_VERSION=$(grep '^version = ' pyproject.toml | cut -d'"' -f2)
-        echo "pyproject.toml version: $PYPROJECT_VERSION"
-
-        # Compare versions
-        if [ "$TAG_VERSION" != "$PYPROJECT_VERSION" ]; then
-          echo "::error::Version mismatch! Tag version ($TAG_VERSION) doesn't match pyproject.toml version ($PYPROJECT_VERSION)"
-          exit 1
-        fi
-
-        echo "::notice::Version validation passed: $TAG_VERSION"
-
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
-    - name: Log in to Container Registry
-      if: github.event_name != 'pull_request'
-      uses: docker/login-action@v3
-      with:
-        registry: ${{ env.REGISTRY }}
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Extract metadata (tags, labels) for Docker
-      id: meta
-      uses: docker/metadata-action@v5
-      with:
-        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-        tags: |
-          type=ref,event=branch
-          type=ref,event=pr
-          type=semver,pattern={{version}}
-          type=semver,pattern={{major}}.{{minor}}
-          type=semver,pattern={{major}}
-          type=raw,value=latest,enable={{is_default_branch}}
-
-    - name: Build and push Docker image
-      id: build
-      uses: docker/build-push-action@v5
-      with:
-        context: .
-        file: ./Dockerfile
-        platforms: linux/amd64,linux/arm64
-        push: ${{ github.event_name != 'pull_request' }}
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
-        build-args: |
-          BUILDKIT_INLINE_CACHE=1
-
-    - name: Determine scan tag
-      id: scan-tag
-      if: github.event_name != 'pull_request'
-      run: |
-        # Lowercase the image name (Docker registries require lowercase)
-        IMAGE_NAME_LOWER=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
-
-        # Use the version tag if this is a tag push, otherwise use latest
-        if [[ "${{ github.ref }}" == refs/tags/* ]]; then
-          TAG="${GITHUB_REF#refs/tags/}"
-          SCAN_TAG="${{ env.REGISTRY }}/${IMAGE_NAME_LOWER}:${TAG#v}"
-        else
-          SCAN_TAG="${{ env.REGISTRY }}/${IMAGE_NAME_LOWER}:latest"
-        fi
-        echo "tag=$SCAN_TAG" >> $GITHUB_OUTPUT
-        echo "Scanning image: $SCAN_TAG"
-
-    - name: Run security scan on image
-      if: github.event_name != 'pull_request'
-      uses: aquasecurity/trivy-action@master
-      with:
-        image-ref: ${{ steps.scan-tag.outputs.tag }}
-        format: 'sarif'
-        output: 'trivy-results.sarif'
-
-    - name: Upload Trivy scan results to GitHub Security tab
-      if: github.event_name != 'pull_request'
-      uses: github/codeql-action/upload-sarif@v3
-      with:
-        sarif_file: 'trivy-results.sarif'
-
-    - name: Generate build summary
-      if: github.event_name != 'pull_request'
-      run: |
-        echo "## Docker Build Summary" >> $GITHUB_STEP_SUMMARY
-        echo "- **Image**: \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY
-        echo "- **Tags**: \`${{ steps.meta.outputs.tags }}\`" >> $GITHUB_STEP_SUMMARY
-        echo "- **Platforms**: \`linux/amd64, linux/arm64\`" >> $GITHUB_STEP_SUMMARY
-        echo "- **Registry**: \`${{ env.REGISTRY }}\`" >> $GITHUB_STEP_SUMMARY
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Validate version tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: |
+          # Extract version from tag (e.g., v0.1.0 -> 0.1.0)
+          TAG_VERSION=${GITHUB_REF#refs/tags/v}
+          echo "Tag version: $TAG_VERSION"
+
+          # Extract version from pyproject.toml
+          PYPROJECT_VERSION=$(grep '^version = ' pyproject.toml | cut -d'"' -f2)
+          echo "pyproject.toml version: $PYPROJECT_VERSION"
+
+          # Compare versions
+          if [ "$TAG_VERSION" != "$PYPROJECT_VERSION" ]; then
+            echo "::error::Version mismatch! Tag version ($TAG_VERSION) doesn't match pyproject.toml version ($PYPROJECT_VERSION)"
+            exit 1
+          fi
+
+          echo "::notice::Version validation passed: $TAG_VERSION"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=edge,enable={{is_default_branch}}
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}
+
+      - name: Build and push Docker image
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILDKIT_INLINE_CACHE=1
+
+      - name: Determine scan tag
+        id: scan-tag
+        if: github.event_name != 'pull_request'
+        run: |
+          # Lowercase the image name (Docker registries require lowercase)
+          IMAGE_NAME_LOWER=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
+
+          # Use the version tag if this is a tag push, otherwise use edge
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            TAG="${GITHUB_REF#refs/tags/}"
+            SCAN_TAG="${{ env.REGISTRY }}/${IMAGE_NAME_LOWER}:${TAG#v}"
+          else
+            SCAN_TAG="${{ env.REGISTRY }}/${IMAGE_NAME_LOWER}:edge"
+          fi
+          echo "tag=$SCAN_TAG" >> $GITHUB_OUTPUT
+          echo "Scanning image: $SCAN_TAG"
+
+      - name: Run security scan on image
+        if: github.event_name != 'pull_request'
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.scan-tag.outputs.tag }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: "trivy-results.sarif"
+
+      - name: Generate build summary
+        if: github.event_name != 'pull_request'
+        run: |
+          echo "## Docker Build Summary" >> $GITHUB_STEP_SUMMARY
+          echo "- **Image**: \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Tags**: \`${{ steps.meta.outputs.tags }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Platforms**: \`linux/amd64, linux/arm64\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Registry**: \`${{ env.REGISTRY }}\`" >> $GITHUB_STEP_SUMMARY

.github/workflows/release.yml

@@ -3,11 +3,11 @@ name: Create Release
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
   workflow_dispatch:
     inputs:
       tag:
-        description: 'Tag to create release for (e.g., v0.1.0)'
+        description: "Tag to create release for (e.g., v0.1.0)"
         required: true
         type: string
 
@@ -26,7 +26,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # Fetch all history for changelog generation
+          fetch-depth: 0 # Fetch all history for changelog generation
 
       - name: Get version from tag
         id: get-version
@@ -83,7 +83,7 @@ jobs:
         uses: lewagon/[email protected]
         with:
           ref: ${{ github.ref }}
-          check-name: 'build'
+          check-name: "build"
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           wait-interval: 10
           allowed-conclusions: success

README.md

@@ -315,7 +315,8 @@ LamPyrid provides production-ready Docker images published to GitHub Container R
 
 ### Available Images
 
-- **Latest**: `ghcr.io/radcod3/lampyrid:latest` (main branch)
+- **Latest Stable**: `ghcr.io/radcod3/lampyrid:latest` (latest release - recommended for production)
+- **Development**: `ghcr.io/radcod3/lampyrid:edge` (main branch - latest features, may be unstable)
 - **Versioned**: `ghcr.io/radcod3/lampyrid:0.2.0`, `ghcr.io/radcod3/lampyrid:0.2`, `ghcr.io/radcod3/lampyrid:0`
 - **Platforms**: linux/amd64, linux/arm64