Migrate to docker actions #3611

Merged: mikecao merged 1 commit into umami-software:master from halkeye:migrate-docker-gha on Sep 23, 2025
Conversation

halkeye (Contributor) commented Sep 6, 2025

Originally just wanted to add the standard opencontainer labels that docker/metadata provide

but "mr-smithers-excellent" seemed to only half implement Docker support, and to be a higher risk than docker for supply chain issues, so I went all out and also added cosign to sign the images.

Docker metadata tags support all the custom code to create version tags, out of the box and fully maintained.

Also dropped the manual workflow, just merged it into cd.yml since you can select tags when you manually dispatch, and that's less to maintain.

vercel bot commented Sep 6, 2025

@halkeye is attempting to deploy a commit to the umami-software Team on Vercel.

A member of the Team first needs to authorize it.

halkeye (Contributor, Author) commented Sep 6, 2025

Labels!

regctl image config --format '{{ jsonPretty .Config.Labels }}' ghcr.io/halkeye/umami:postgresql-master
{
  "org.opencontainers.image.created": "2025-09-06T14:06:53.068Z",
  "org.opencontainers.image.description": "Umami is a modern, privacy-focused alternative to Google Analytics.",
  "org.opencontainers.image.licenses": "MIT",
  "org.opencontainers.image.revision": "bf4e6ea96f4449d88c797aad60f3b850a1081a4e",
  "org.opencontainers.image.source": "https://github.com/halkeye/umami",
  "org.opencontainers.image.title": "umami",
  "org.opencontainers.image.url": "https://github.com/halkeye/umami",
  "org.opencontainers.image.version": "postgresql-master"
}

greptile-apps bot left a comment
Greptile Summary

This PR modernizes the Docker CI/CD pipeline by migrating from third-party actions to official Docker GitHub Actions. The changes include three main components:

  1. Complete removal of cd-manual.yml: The separate manual workflow has been eliminated to reduce code duplication and maintenance overhead. Its functionality is now consolidated into the main cd.yml workflow through the workflow_dispatch trigger.

  2. Major overhaul of cd.yml: The workflow has been completely modernized with several improvements:

    • Expanded triggers now include pull requests, manual dispatch, and branch pushes (in addition to tags)
    • Migration from mr-smithers-excellent/docker-build-push to official Docker actions (docker/login-action, docker/metadata-action, docker/build-push-action)
    • Added Cosign image signing for supply chain security
    • Implemented GitHub Actions caching for better build performance
    • Automatic metadata and tag generation using Docker's official metadata action
    • Proper permissions configuration for package registry access and identity tokens
  3. Partial update to cd-cloud.yml: Only the workflow name was changed to avoid confusion, but the implementation still uses the older third-party action.

The migration addresses supply chain security concerns by moving to officially maintained Docker actions, adds standard OpenContainer labels automatically, and provides better long-term maintainability. The consolidated workflow approach reduces the number of files to maintain while preserving all original functionality.

Confidence score: 3/5

  • This PR introduces significant workflow changes that require careful testing to ensure all deployment scenarios work correctly
  • Score reflects concerns about incomplete migration in cd-cloud.yml and the substantial changes to critical deployment infrastructure
  • Pay close attention to cd-cloud.yml which still uses the deprecated third-party action, creating inconsistency in the codebase

3 files reviewed, no comments

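The pipeline the PR description and the summary above sketch (official docker/* actions, metadata-driven tags and OCI labels, GHA layer cache, push skipped on pull requests, keyless cosign signing with an id-token permission, and a workflow_dispatch trigger replacing the separate manual workflow), written out as an added illustrative workflow. This is not the PR's cd.yml or any file from umami-software/umami: the action versions, the ghcr.io/${{ github.repository }} image name, the Dockerfile at the repository root and the tag rules are all assumptions chosen for the example.

```yaml
# Added example, not the project's workflow. Assumed: Dockerfile at repo root,
# image published to ghcr.io under the repository name, action majors current
# at the time of writing.
name: Create docker images

on:
  push:
    branches: [master]
    tags: ['v*']
  pull_request:
  workflow_dispatch:      # manual run; pick a branch or tag in the UI

permissions:
  contents: read
  packages: write         # push to GHCR with GITHUB_TOKEN
  id-token: write         # OIDC token for keyless (Sigstore) cosign signing

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/${{ github.repository }}
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Only log in when we will actually push; PR builds stay read-only.
      - name: Log in to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Produces the tag list and the org.opencontainers.image.* labels
      # (title, description, source, revision, version, created, licenses)
      # from repository metadata and the triggering ref.
      - name: Generate tags and OCI labels
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha

      # The whole image is built on every event so PRs still validate the
      # Dockerfile; the push is gated so forks and PRs never publish.
      - name: Build (and push when not a PR)
        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3

      # Sign by digest, not by mutable tag, so the signature is bound to the
      # exact manifest that was just pushed. --yes accepts the Sigstore
      # transparency-log prompt in non-interactive CI.
      - name: Sign the pushed image
        if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          echo "${TAGS}" | xargs -I {} cosign sign --yes "{}@${DIGEST}"
```

Consumers can check the result with `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/<owner>/<repo>/' ghcr.io/<owner>/<repo>@<digest>`, which pins the signature to a workflow in that repository rather than to any GitHub identity, and `regctl image config --format '{{ jsonPretty .Config.Labels }}'` (as in the comment earlier in the thread) shows the labels the metadata action stamped in. The `branches: [master]` filter is one of the assumptions here; the review comment below argues for dropping it so forks build their own images.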

Review comment on the trigger block:

    on:
      push:
        branches:
          - master
halkeye (Contributor, Author):

I think the list of branches should be dropped, so a docker image will be created for people's forks (but on their own account).

halkeye (Contributor, Author) commented Sep 6, 2025

I didn't expect it to run my new CI right, but you can see it doesn't push with a PR, and still builds the entire image to make sure everything still works.

mikecao merged commit 6497cd0 into umami-software:master on Sep 23, 2025 (2 of 7 checks passed).