Modernize Docker build with parameterization and registry flexibility

Major improvements:
- Add full parameterization (registry, namespace, image name)
- Auto-detect registry: temporalio → docker.io, others → ghcr.io
- Separate workflow for managing 'latest' tag on release events
- Dynamic Docker labels using GITHUB_REPOSITORY variable
- Add packages:write permission for GHCR
- Remove artifact uploading (no longer needed)

Benefits:
- Works out-of-box for both upstream and forks
- Flexible registry support (Docker Hub, GHCR, any registry)
- Clean separation of release vs latest-tag concerns
- Proper package association in GitHub

Configuration requirements:
- DOCKER_USERNAME and DOCKER_PASSWORD secrets needed for Docker Hub
- GITHUB_TOKEN automatically provides GHCR access

Author: chaptersix

.github/docker/docker-bake.hcl

@@ -1,5 +1,17 @@
 variable "IMAGE_REPO" {
-  default = "temporalio"
+  default = "ghcr.io"
+}
+
+variable "IMAGE_NAMESPACE" {
+  default = ""
+}
+
+variable "IMAGE_NAME" {
+  default = "temporal"
+}
+
+variable "GITHUB_REPOSITORY" {
+  default = "temporalio/cli"
 }
 
 variable "IMAGE_SHA_TAG" {}
@@ -27,9 +39,9 @@ target "cli" {
   dockerfile = ".github/docker/cli.Dockerfile"
   context = "."
   tags = compact([
-    "${IMAGE_REPO}/temporal:${IMAGE_SHA_TAG}",
-    "${IMAGE_REPO}/temporal:${VERSION}",
-    TAG_LATEST ? "${IMAGE_REPO}/temporal:latest" : "",
+    IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:${IMAGE_SHA_TAG}" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${IMAGE_SHA_TAG}",
+    IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}",
+    TAG_LATEST ? (IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:latest" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:latest") : "",
   ])
   platforms = ["linux/amd64", "linux/arm64"]
   args = {
@@ -38,8 +50,8 @@ target "cli" {
   labels = {
     "org.opencontainers.image.title" = "temporal"
     "org.opencontainers.image.description" = "Temporal CLI"
-    "org.opencontainers.image.url" = "https://github.com/temporalio/cli"
-    "org.opencontainers.image.source" = "https://github.com/temporalio/cli"
+    "org.opencontainers.image.url" = "https://github.com/${GITHUB_REPOSITORY}"
+    "org.opencontainers.image.source" = "https://github.com/${GITHUB_REPOSITORY}"
     "org.opencontainers.image.licenses" = "MIT"
     "org.opencontainers.image.revision" = "${CLI_SHA}"
     "org.opencontainers.image.created" = timestamp()

.github/workflows/build-and-publish.yml

@@ -11,6 +11,21 @@ on:
         description: "Version tag for the release (required if publish is true)"
         required: false
         type: string
+      registry:
+        description: "Container registry (docker.io, ghcr.io, etc.)"
+        required: false
+        type: string
+        default: ""
+      registry_namespace:
+        description: "Registry namespace/organization"
+        required: false
+        type: string
+        default: ""
+      image_name:
+        description: "Image name"
+        required: false
+        type: string
+        default: "temporal"
     secrets:
       DOCKER_USERNAME:
         required: false
@@ -84,18 +99,14 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to Docker Hub
-        if: inputs.publish && github.repository_owner == 'temporalio'
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
       - name: Get build metadata
         id: meta
         env:
           INPUT_VERSION: ${{ inputs.version }}
           INPUT_PUBLISH: ${{ inputs.publish }}
+          INPUT_REGISTRY: ${{ inputs.registry }}
+          INPUT_REGISTRY_NAMESPACE: ${{ inputs.registry_namespace }}
+          INPUT_IMAGE_NAME: ${{ inputs.image_name }}
           REPO_OWNER: ${{ github.repository_owner }}
         run: |
           echo "cli_sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
@@ -111,30 +122,64 @@ jobs:
             echo "version=snapshot" >> $GITHUB_OUTPUT
           fi
 
-          # Determine image repo based on repository owner
-          if [[ "$REPO_OWNER" == "temporalio" ]]; then
-            echo "image_repo=temporalio" >> $GITHUB_OUTPUT
+          # Determine registry (with auto-detection for temporalio vs forks)
+          REGISTRY="$INPUT_REGISTRY"
+          if [[ -z "$REGISTRY" ]]; then
+            if [[ "$REPO_OWNER" == "temporalio" ]]; then
+              REGISTRY="docker.io"
+            else
+              REGISTRY="ghcr.io"
+            fi
+          fi
+
+          # Determine registry type for authentication
+          if [[ "$REGISTRY" == "ghcr.io" ]]; then
+            echo "registry_type=ghcr" >> $GITHUB_OUTPUT
+          elif [[ "$REGISTRY" == "docker.io" ]]; then
+            echo "registry_type=dockerhub" >> $GITHUB_OUTPUT
           else
-            echo "image_repo=$REPO_OWNER" >> $GITHUB_OUTPUT
+            echo "registry_type=other" >> $GITHUB_OUTPUT
           fi
 
-      - name: Check if release is latest
-        if: inputs.publish
-        id: check_latest
-        uses: actions/github-script@v7
+          # Set namespace (defaults to repository owner)
+          NAMESPACE="$INPUT_REGISTRY_NAMESPACE"
+          if [[ -z "$NAMESPACE" ]]; then
+            NAMESPACE="$REPO_OWNER"
+          fi
+
+          # Set image name (defaults to 'temporal')
+          IMAGE_NAME="$INPUT_IMAGE_NAME"
+          if [[ -z "$IMAGE_NAME" ]]; then
+            IMAGE_NAME="temporal"
+          fi
+
+          # For Docker Hub, use empty string as registry (special case)
+          if [[ "$REGISTRY" == "docker.io" ]]; then
+            echo "image_repo=" >> $GITHUB_OUTPUT
+          else
+            echo "image_repo=${REGISTRY}" >> $GITHUB_OUTPUT
+          fi
+
+          echo "image_namespace=${NAMESPACE}" >> $GITHUB_OUTPUT
+          echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
+
+      - name: Log in to GitHub Container Registry
+        if: inputs.publish && steps.meta.outputs.registry_type == 'ghcr'
+        uses: docker/login-action@v3
         with:
-          script: |
-            const { data: release } = await github.rest.repos.getReleaseByTag({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              tag: context.ref.replace('refs/tags/', '')
-            });
-            // Tag as latest only if release is marked as latest (not pre-release)
-            core.setOutput('tag_latest', release.prerelease ? 'false' : 'true');
-            console.log(`Release prerelease: ${release.prerelease}, tag_latest: ${!release.prerelease}`)
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        if: inputs.publish && steps.meta.outputs.registry_type == 'dockerhub'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Build and push Docker image
-        if: inputs.publish && github.repository_owner == 'temporalio'
+        if: inputs.publish
         run: |
           docker buildx bake \
             --file .github/docker/docker-bake.hcl \
@@ -145,8 +190,11 @@ jobs:
           IMAGE_SHA_TAG: ${{ steps.meta.outputs.image_sha_tag }}
           IMAGE_BRANCH_TAG: ${{ steps.meta.outputs.image_branch_tag }}
           VERSION: ${{ steps.meta.outputs.version }}
-          TAG_LATEST: ${{ steps.check_latest.outputs.tag_latest }}
-          IMAGE_REPO: temporalio
+          TAG_LATEST: false
+          IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}
+          IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }}
+          IMAGE_NAME: ${{ steps.meta.outputs.image_name }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
 
       - name: Build Docker image
         if: ${{ !inputs.publish }}
@@ -160,12 +208,7 @@ jobs:
           IMAGE_BRANCH_TAG: ${{ steps.meta.outputs.image_branch_tag }}
           VERSION: ${{ steps.meta.outputs.version }}
           TAG_LATEST: false
-          IMAGE_REPO: temporalio
-
-      - name: Upload build artifacts
-        if: ${{ !inputs.publish }}
-        uses: actions/upload-artifact@v4
-        with:
-          name: temporal-cli-dist
-          path: dist/
-          retention-days: 7
+          IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}
+          IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }}
+          IMAGE_NAME: ${{ steps.meta.outputs.image_name }}
+          GITHUB_REPOSITORY: ${{ github.repository }}

.github/workflows/goreleaser.yml

@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: write
+  packages: write
 
 jobs:
   release:

.github/workflows/update-latest-tag.yml

@@ -0,0 +1,120 @@
+name: Update Latest Docker Tag
+
+on:
+  release:
+    types:
+      - edited
+      - released
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  update-latest:
+    name: Update Latest Tag
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ github.event.release.tag_name }}
+
+      - name: Check if release is latest
+        id: check_latest
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const releaseTag = process.env.RELEASE_TAG;
+            const { data: release } = await github.rest.repos.getReleaseByTag({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag: releaseTag
+            });
+
+            const isLatest = !release.prerelease && !release.draft;
+            core.setOutput('is_latest', isLatest);
+            console.log(`Release: ${release.tag_name}`);
+            console.log(`Prerelease: ${release.prerelease}, Draft: ${release.draft}`);
+            console.log(`Should tag as latest: ${isLatest}`);
+
+      - name: Set up Docker Buildx
+        if: steps.check_latest.outputs.is_latest == 'true'
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get registry configuration
+        if: steps.check_latest.outputs.is_latest == 'true'
+        id: registry
+        run: |
+          REPO_OWNER="${{ github.repository_owner }}"
+
+          # Auto-detect registry based on repository owner
+          if [[ "$REPO_OWNER" == "temporalio" ]]; then
+            REGISTRY="docker.io"
+            echo "type=dockerhub" >> $GITHUB_OUTPUT
+            echo "repo=" >> $GITHUB_OUTPUT
+          else
+            REGISTRY="ghcr.io"
+            echo "type=ghcr" >> $GITHUB_OUTPUT
+            echo "repo=${REGISTRY}" >> $GITHUB_OUTPUT
+          fi
+
+          echo "namespace=${REPO_OWNER}" >> $GITHUB_OUTPUT
+          echo "image=temporal" >> $GITHUB_OUTPUT
+
+      - name: Log in to GitHub Container Registry
+        if: steps.check_latest.outputs.is_latest == 'true' && steps.registry.outputs.type == 'ghcr'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        if: steps.check_latest.outputs.is_latest == 'true' && steps.registry.outputs.type == 'dockerhub'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Get version tag
+        if: steps.check_latest.outputs.is_latest == 'true'
+        id: version
+        env:
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+        run: |
+          VERSION="$RELEASE_TAG"
+          VERSION="${VERSION#v}"
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Pull and retag image as latest
+        if: steps.check_latest.outputs.is_latest == 'true'
+        run: |
+          # Construct image paths
+          REPO="${{ steps.registry.outputs.repo }}"
+          NAMESPACE="${{ steps.registry.outputs.namespace }}"
+          IMAGE="${{ steps.registry.outputs.image }}"
+          VERSION="${{ steps.version.outputs.version }}"
+
+          if [[ -z "$REPO" ]]; then
+            # Docker Hub format
+            SOURCE_IMAGE="${NAMESPACE}/${IMAGE}:${VERSION}"
+            LATEST_IMAGE="${NAMESPACE}/${IMAGE}:latest"
+          else
+            # Other registries
+            SOURCE_IMAGE="${REPO}/${NAMESPACE}/${IMAGE}:${VERSION}"
+            LATEST_IMAGE="${REPO}/${NAMESPACE}/${IMAGE}:latest"
+          fi
+
+          echo "Pulling ${SOURCE_IMAGE}..."
+          docker pull ${SOURCE_IMAGE}
+
+          echo "Tagging as ${LATEST_IMAGE}..."
+          docker tag ${SOURCE_IMAGE} ${LATEST_IMAGE}
+
+          echo "Pushing ${LATEST_IMAGE}..."
+          docker push ${LATEST_IMAGE}
+
+          echo "✅ Successfully updated latest tag to point to version ${VERSION}"