release: publish dev images to a separate package

Author: usnavy13

.github/workflows/release.yml

@@ -16,14 +16,17 @@ permissions:
 
 env:
   PYTHON_VERSION: "3.11"
-  REGISTRY_IMAGE: ghcr.io/usnavy13/librecodeinterpreter
+  REGISTRY_IMAGE_MAIN: ghcr.io/usnavy13/librecodeinterpreter
+  REGISTRY_IMAGE_DEV: ghcr.io/usnavy13/librecodeinterpreter-dev
 
 jobs:
   prepare:
     runs-on: ubuntu-latest
     outputs:
+      registry_image: ${{ steps.tags.outputs.registry_image }}
       sha_tag: ${{ steps.tags.outputs.sha_tag }}
       moving_tag: ${{ steps.tags.outputs.moving_tag }}
+      publish_latest: ${{ steps.tags.outputs.publish_latest }}
       version_tag: ${{ steps.tags.outputs.version_tag }}
     steps:
       - uses: actions/checkout@v4
@@ -33,11 +36,21 @@ jobs:
           echo "sha_tag=sha-${GITHUB_SHA}" >> "${GITHUB_OUTPUT}"
 
           if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
+            echo "registry_image=${REGISTRY_IMAGE_MAIN}" >> "${GITHUB_OUTPUT}"
             echo "moving_tag=main" >> "${GITHUB_OUTPUT}"
+            echo "publish_latest=true" >> "${GITHUB_OUTPUT}"
           elif [[ "${GITHUB_REF}" == "refs/heads/dev" ]]; then
+            echo "registry_image=${REGISTRY_IMAGE_DEV}" >> "${GITHUB_OUTPUT}"
             echo "moving_tag=dev" >> "${GITHUB_OUTPUT}"
+            echo "publish_latest=true" >> "${GITHUB_OUTPUT}"
+          elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
+            echo "registry_image=${REGISTRY_IMAGE_MAIN}" >> "${GITHUB_OUTPUT}"
+            echo "moving_tag=" >> "${GITHUB_OUTPUT}"
+            echo "publish_latest=false" >> "${GITHUB_OUTPUT}"
           else
+            echo "registry_image=${REGISTRY_IMAGE_MAIN}" >> "${GITHUB_OUTPUT}"
             echo "moving_tag=" >> "${GITHUB_OUTPUT}"
+            echo "publish_latest=false" >> "${GITHUB_OUTPUT}"
           fi
 
           if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
@@ -78,7 +91,7 @@ jobs:
           push: true
           platforms: ${{ matrix.platform }}
           provenance: false
-          tags: ${{ env.REGISTRY_IMAGE }}:${{ github.sha }}-${{ matrix.arch }}
+          tags: ${{ needs.prepare.outputs.registry_image }}:${{ github.sha }}-${{ matrix.arch }}
           cache-from: type=gha,scope=release-app-${{ matrix.arch }}
           cache-to: type=gha,scope=release-app-${{ matrix.arch }},mode=max
 
@@ -115,11 +128,11 @@ jobs:
           pip install pytest pytest-asyncio pytest-cov pytest-mock
 
       - name: Pull release candidate
-        run: docker pull "${REGISTRY_IMAGE}:${GITHUB_SHA}-${{ matrix.arch }}"
+        run: docker pull "${{ needs.prepare.outputs.registry_image }}:${GITHUB_SHA}-${{ matrix.arch }}"
 
       - name: Start smoke stack
         env:
-          API_IMAGE: ${{ env.REGISTRY_IMAGE }}:${{ github.sha }}-${{ matrix.arch }}
+          API_IMAGE: ${{ needs.prepare.outputs.registry_image }}:${{ github.sha }}-${{ matrix.arch }}
         run: |
           cp .env.example .env
           docker compose up -d
@@ -178,18 +191,22 @@ jobs:
       - name: Publish multi-arch manifest tags
         run: |
           tags=(
-            "-t" "${REGISTRY_IMAGE}:${{ needs.prepare.outputs.sha_tag }}"
+            "-t" "${{ needs.prepare.outputs.registry_image }}:${{ needs.prepare.outputs.sha_tag }}"
           )
 
           if [[ -n "${{ needs.prepare.outputs.moving_tag }}" ]]; then
-            tags+=("-t" "${REGISTRY_IMAGE}:${{ needs.prepare.outputs.moving_tag }}")
+            tags+=("-t" "${{ needs.prepare.outputs.registry_image }}:${{ needs.prepare.outputs.moving_tag }}")
+          fi
+
+          if [[ "${{ needs.prepare.outputs.publish_latest }}" == "true" ]]; then
+            tags+=("-t" "${{ needs.prepare.outputs.registry_image }}:latest")
           fi
 
           if [[ -n "${{ needs.prepare.outputs.version_tag }}" ]]; then
-            tags+=("-t" "${REGISTRY_IMAGE}:${{ needs.prepare.outputs.version_tag }}")
+            tags+=("-t" "${{ needs.prepare.outputs.registry_image }}:${{ needs.prepare.outputs.version_tag }}")
           fi
 
           docker buildx imagetools create \
             "${tags[@]}" \
-            "${REGISTRY_IMAGE}:${GITHUB_SHA}-amd64" \
-            "${REGISTRY_IMAGE}:${GITHUB_SHA}-arm64"
+            "${{ needs.prepare.outputs.registry_image }}:${GITHUB_SHA}-amd64" \
+            "${{ needs.prepare.outputs.registry_image }}:${GITHUB_SHA}-arm64"

README.md

@@ -63,6 +63,49 @@ docker compose -f docker-compose.prod.yml pull
 docker compose -f docker-compose.prod.yml up -d
 ```
 
+### Published Image Channels
+
+The project now publishes two app-image channels:
+
+- `ghcr.io/usnavy13/librecodeinterpreter`
+  - stable branch tags: `main`, `latest`
+  - immutable build tags: `sha-<commit>`, release tags like `v1.2.3`
+- `ghcr.io/usnavy13/librecodeinterpreter-dev`
+  - development branch tags: `dev`, `latest`
+  - immutable build tags: `sha-<commit>`
+
+`docker-compose.prod.yml` stays pinned to the stable package by default:
+
+```yaml
+image: ghcr.io/usnavy13/librecodeinterpreter:main
+```
+
+### Use A Local Override File
+
+If you want to pull the current `dev` image or build from your working tree without changing tracked compose files:
+
+1. Copy the example override:
+
+   ```bash
+   cp docker-compose.override.example.yml docker-compose.override.yml
+   ```
+
+2. Use it with the production compose stack:
+
+   ```bash
+   docker compose -f docker-compose.prod.yml -f docker-compose.override.yml pull
+   docker compose -f docker-compose.prod.yml -f docker-compose.override.yml up -d
+   ```
+
+The checked-in example defaults to `ghcr.io/usnavy13/librecodeinterpreter-dev:latest`.
+If you want to build from your local checkout instead, edit `docker-compose.override.yml`
+and switch to the commented `build:` block in the example. In that case, skip the
+`pull` step and run:
+
+```bash
+docker compose -f docker-compose.prod.yml -f docker-compose.override.yml up --build -d
+```
+
 ## Build From Source
 
 If you are developing locally or need to customize the image, use the source-backed workflow instead:
@@ -72,7 +115,7 @@ docker build --target app -t code-interpreter:nsjail .
 docker compose up -d
 ```
 
-The Dockerfile is split into `runtime-core`, `runtime-r`, and `app` targets so CI can reuse published runtime layers and avoid rebuilding the heavyweight R stage on every app change.
+The Dockerfile keeps `runtime-core` and `runtime-r` as internal build stages, but only the unified `app` image is published for deployment.
 
 ## Admin Dashboard
 
@@ -164,14 +207,13 @@ For comprehensive testing details, see [TESTING.md](docs/TESTING.md).
 
 ## CI/CD
 
-GitHub Actions is split into four workflows:
+GitHub Actions is split into three workflows:
 
 - `ci.yml`: PR validation and required checks
-- `runtime.yml`: publish `runtime-core` and `runtime-r` cacheable base images
 - `release.yml`: publish multi-arch app images for `main`, `dev`, and release tags
-- `nightly.yml`: rebuild heavy runtime layers and run slow/full live validation
+- `nightly.yml`: build the app image locally and run slow/full live validation
 
-Published images now use native `amd64` and `arm64` builds instead of a single emulated multi-arch build, and the app image can reuse the previously published `runtime-r` layer when runtime inputs have not changed.
+Published images use native `amd64` and `arm64` builds and are exposed as separate stable and dev GHCR packages.
 
 ## Security
 

docker-compose.override.example.yml

@@ -0,0 +1,20 @@
+# Copy this file to `docker-compose.override.yml` to customize how the API image
+# is sourced when running `docker compose -f docker-compose.prod.yml up -d`.
+#
+# `docker-compose.override.yml` is ignored by git so you can keep a local choice
+# without committing it.
+#
+# Default example: pull the latest dev image package.
+# To build from your local checkout instead, comment the `image`/`pull_policy`
+# lines below and uncomment the `build` block.
+
+services:
+  api:
+    image: ghcr.io/usnavy13/librecodeinterpreter-dev:latest
+    pull_policy: always
+
+    # build:
+    #   context: .
+    #   target: app
+    # image: code-interpreter:nsjail
+    # pull_policy: never