Publish Docker image #102
# .github/workflows/release-docker.yml
# Builds docker/Dockerfile for linux/amd64 and linux/arm64 and pushes the
# result to ghcr.io/mongodb/kingfisher.
name: Publish Docker image
###############################################################################
# Triggers
###############################################################################
on:
  # 1) Release: fires when a GitHub Release is published.
  release:
    types:
      - published

  # 2) Chained: fires when a run of the build-and-release workflow finishes
  #    for the main branch. `completed` is delivered for every conclusion;
  #    the job-level `if` is what checks for success.
  # NOTE(review): `branches` is matched against the head branch name of the
  # triggering run. Confirm build-and-release cannot be started from a fork
  # branch that is also called "main", because this workflow runs with
  # packages: write.
  workflow_run:
    workflows:
      - build-and-release
    types:
      - completed
    branches:
      - main

  # 3) Manual: "Run workflow" button or `gh workflow run`.
  workflow_dispatch:
    inputs:
      tag:
        description: "Tag to push (leave blank → latest release)"
        required: false
        type: string
###############################################################################
# Workflow-wide GITHUB_TOKEN scopes. Scopes not listed here are set to none.
# The single job below does not override them, so every step in it, including
# the third-party actions, runs with packages: write.
permissions:
  contents: read   # needed for checkout + GH API
  packages: write  # push to ghcr.io
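###############################################################################
# NOTE(review): every `uses:` below references a mutable tag (v4 / v3 / v5).
# Pinning each action to a full commit SHA keeps a retagged action from
# running with this job's packages: write token.
jobs:
  build-and-push:
    # Run if:
    #   - event is NOT workflow_run (release, workflow_dispatch)
    #   - OR workflow_run completed successfully
    #   - OR this is a re-run (run_attempt > 1) so we force it to run
    # NOTE(review): the re-run clause also applies to workflow_run events whose
    # upstream conclusion was not 'success', so re-running such a run publishes
    # an image. Confirm that is intended.
    if: >
      github.event_name != 'workflow_run' ||
      github.event.workflow_run.conclusion == 'success' ||
      github.run_attempt > 1
    runs-on: ubuntu-latest
    steps:
      # -----------------------------------------------------------------------
      # Check out the exact commit that produced the artifacts (workflow_run),
      # otherwise just use the SHA tied to the release / manual dispatch.
      # NOTE(review): for workflow_run, head_sha is whatever commit the
      # triggering run built. Confirm build-and-release cannot be triggered by
      # commits from outside this repository, since that tree is then built and
      # pushed with packages: write.
      # -----------------------------------------------------------------------
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
          # No later step runs git, so keep the token out of .git/config; the
          # whole checkout directory is the Docker build context below.
          persist-credentials: false

      # -----------------------------------------------------------------------
      # Decide which tag we're going to publish
      # -----------------------------------------------------------------------
      - name: Determine tag
        id: tag
        shell: bash
        env:
          # populated only for workflow_dispatch
          MANUAL_TAG: ${{ github.event.inputs.tag }}
          # populated only for release events; passed through the environment
          # so the tag name reaches bash as data and is never pasted into the
          # script text
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail

          if [[ "${GITHUB_EVENT_NAME}" == "release" ]]; then
            RAW_TAG="${RELEASE_TAG}"
          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${MANUAL_TAG}" ]]; then
            RAW_TAG="${MANUAL_TAG}"
          else
            # workflow_run (or manual w/o tag) → ask GitHub API for latest release tag
            # -f makes an HTTP error fail the step instead of feeding an error
            # document to jq; `// empty` turns a missing tag_name into "".
            RAW_TAG=$(curl -fsSL -H "Authorization: Bearer ${GH_TOKEN}" \
              "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" \
              | jq -r '.tag_name // empty')
          fi

          # Strip a leading "v" so v1.2.3 → 1.2.3
          TAG=${RAW_TAG#v}

          # Accept only the image-tag grammar (word character first, then up to
          # 127 of [A-Za-z0-9._-]). This rejects an empty result and anything
          # with whitespace or newlines before it is written to GITHUB_OUTPUT.
          tag_re='^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$'
          if [[ ! "${TAG}" =~ ${tag_re} ]]; then
            echo "Resolved tag is empty or not a valid image tag; refusing to publish." >&2
            exit 1
          fi

          echo "Selected tag: ${TAG}"
          echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"

      # -----------------------------------------------------------------------
      # Build & push
      # -----------------------------------------------------------------------
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # NOTE(review): `latest` is moved on every run, including a manual
      # dispatch that names an older tag. Confirm that is intended.
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: docker/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
            ghcr.io/mongodb/kingfisher:latest
            ghcr.io/mongodb/kingfisher:${{ steps.tag.outputs.tag }}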