GH workflows: docker publish update

explicit permissions added
explicit tag handling added

Author: GGoetzelmann

.github/workflows/docker_publish.yml

@@ -18,6 +18,12 @@ env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: read
+  packages: write
+  attestations: write
+  id-token: write
+
 jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
@@ -31,13 +37,21 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
+          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }}
+          
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-
+          tags: |
+            # Defaults for normal push/PR/schedule events:
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=tag
+            type=ref,event=pr
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=${{ inputs.tag }},event=workflow_dispatch
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3