ci: push to ghcr.io (again) (#201)

mccutchen · web-flow · commit ae8a6edd26d4 · 2025-03-08T20:06:28.000Z
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -5,41 +5,68 @@
 # - https://github.com/docker/build-push-action/#usage
 # - https://docs.github.com/en/actions/publishing-packages/publishing-docker-images
 
-name: Release
+name: release
 
 "on":
   release:
     types: [published]
 
+  # we do not build and push images for every commit, only for tagged releases.
+  # uncomment this to enablle building for pull requests, to debug this
+  # workflow.
+  #
+  # pull_request:
+  #   branches: [main]
+
 jobs:
   docker:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
 
-      - uses: docker/login-action@v2
+      - uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - uses: docker/login-action@v2
+      - uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: docker/metadata-action@v4
+      - uses: docker/metadata-action@v5
         with:
           images: |
             mccutchen/go-httpbin
             ghcr.io/${{ github.repository }}
+          tags: |
+            # For releases, use the standard tags and special "latest" tag
+            type=semver,pattern={{version}},enable=${{ github.event_name == 'release' }}
+            type=semver,pattern={{major}}.{{minor}},enable=${{ github.event_name == 'release' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' }}
+
+            # For pull requests, use the commit SHA
+            #
+            # Note that this is disabled by default, but can be enabled for
+            # debugging purposes by uncommenting the pull_request trigger at
+            # top of the workflow.
+            type=sha,format=short,enable=${{ github.event_name == 'pull_request' }}
         id: meta
 
-      - uses: docker/build-push-action@v3
+      - uses: docker/build-push-action@v6
         with:
           platforms: linux/amd64,linux/arm64
           push: true
+          sbom: true
+          provenance: mode=max
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
