ci: fix docker (#67)

Author: fmorency

.github/workflows/docker.yml

@@ -36,17 +36,25 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }} # works if org allows Actions to publish packages
 
       - name: Set IMAGE env
-        run: echo "IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}/yaci" >> "$GITHUB_ENV"
+        run: echo "IMAGE=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/yaci" >> "$GITHUB_ENV"
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE }}
+          tags: |
+            type=raw,value=latest
+            type=sha,format=long   # equals ${{ github.sha }}
 
       - name: Build & Push
         id: docker_build
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
-          tags: |
-            ${{ env.IMAGE }}:latest
-            ${{ env.IMAGE }}:${{ github.sha }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           provenance: mode=max
@@ -59,6 +67,6 @@ jobs:
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v2
         with:
-          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-name: ${{ env.IMAGE }}
           subject-digest: ${{ steps.docker_build.outputs.digest }}
           push-to-registry: true  # publish as an OCI referrer alongside the image