Merge pull request #1 from dysnix/claude/slack-update-github-workflows-QusXO

voron · web-flow · commit f58e65ce8fb0 · 2026-02-11T23:54:05.000Z
chore: update GitHub workflow to modern standards
diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml
@@ -1,11 +1,29 @@
 name: Build and Push
+
 on:
   push:
     branches:
       - '**'
     tags:
       - 'v[0-9]+.[0-9]+.[0-9]+'
       - 'v[0-9]+.[0-9]+.[0-9]+-*'
+  workflow_dispatch:
+    inputs:
+      force_push:
+        description: 'Force push to registry even if not latest tag'
+        required: false
+        default: false
+        type: boolean
+
+# Explicit permissions following least-privilege principle
+permissions:
+  contents: read
+  packages: write
+
+# Prevent duplicate workflow runs
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 # env:
 #   ## overrides the docker image name (name is repo name with docker- prefix stripped)
@@ -17,7 +35,7 @@ jobs:
     outputs:
       image: ${{ steps.set.outputs.image }}
     steps:
-      -
+      - name: Set image name
         uses: actions/github-script@v7
         id: set
         with:
@@ -34,18 +52,20 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - uses: hadolint/hadolint-action@v3.1.0
+      - name: Lint Dockerfile
+        uses: hadolint/hadolint-action@v3.1.0
         with:
           dockerfile: Dockerfile
-      -
+
+      - name: Find latest tag
         uses: dysnix/find-latest-tag@v1
         id: latest
         with:
           regex: '^v\d'
           compared-to-tag: ${{ github.ref }}
           repository: ${{ github.repository }}
-      -
-        name: Docker meta
+
+      - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
@@ -55,16 +75,18 @@ jobs:
           tags: |
             type=ref,event=tag
             type=ref,event=branch
+            type=sha,prefix=,format=short
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
-          # amd64 is native platform at the moment and should not be specified here to keep amd64 builds fast
+          # amd64 is native platform and should not be specified here to keep amd64 builds fast
           platforms: linux/arm64
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      -
+
+      - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
@@ -75,7 +97,11 @@ jobs:
         with:
           platforms: linux/amd64,linux/arm64
           context: .
-          push: ${{ steps.latest.outputs.newer == 'true' || steps.latest.outputs.equal == 'true' }}
+          push: ${{ steps.latest.outputs.newer == 'true' || steps.latest.outputs.equal == 'true' || inputs.force_push == true }}
           file: Dockerfile
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: true
+          sbom: true
