Skip to content

Commit ead0b2f

Browse files
Wizard1209Wizard1209claude
authored
Fix auto-publish: invoke publish workflows directly from tag.yml (#37)
After a protocol bump the tag was created but the image was never published. Root cause: tag.yml pushes the tag with the default GITHUB_TOKEN, and a tag pushed by GITHUB_TOKEN does not emit a `push: tags` event (GitHub's recursion-prevention), so dockerhub.yml / ghcr.yml never triggered. Fix: convert dockerhub.yml and ghcr.yml into reusable workflows (`on: workflow_call`) and have tag.yml call them via `jobs.<id>.uses` in the same run that creates the tag. No tag event is relied upon, so the GITHUB_TOKEN rule is irrelevant. The `push: tags` trigger is kept on both publish workflows as a manual safety-net (a real user pushing a tag still publishes). Also: - drop the broken `rhosys/github-action-rebuild-pull-requests` step (404s, reddened every run, unrelated to tagging) - bump actions/checkout v2->v4, docker/* actions to current major versions - ghcr: derive the image tag from the version input instead of the git ref (metadata-action keyed off the ref, which is `master` on the workflow_call path) Co-authored-by: Wizard1209 <wizard1209@gmail.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
1 parent 8d5aeeb commit ead0b2f

3 files changed

Lines changed: 79 additions & 49 deletions

File tree

.github/workflows/dockerhub.yml

Lines changed: 18 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,13 @@
11
name: Publish on Docker Hub
22

33
on:
4+
# Called by tag.yml right after the tag is created (the reliable path).
5+
workflow_call:
6+
inputs:
7+
version:
8+
required: true
9+
type: string
10+
# Safety-net: a tag pushed manually by a real user still publishes.
411
push:
512
tags:
613
- "v*"
@@ -9,34 +16,31 @@ jobs:
916
build:
1017
name: Docker images for Docker Hub
1118
runs-on: ubuntu-latest
19+
# workflow_call -> inputs.version ; manual tag push -> the tag name.
20+
env:
21+
VERSION: ${{ inputs.version || github.ref_name }}
1222
steps:
1323
- name: Check out the repo
14-
uses: actions/checkout@v2
24+
uses: actions/checkout@v4
1525

16-
- name: Set env
17-
run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
18-
1926
- name: Log in to Docker Hub
20-
uses: docker/login-action@v1
27+
uses: docker/login-action@v3
2128
with:
2229
username: ${{ secrets.DOCKER_USERNAME }}
2330
password: ${{ secrets.DOCKER_PASSWORD }}
24-
31+
2532
- name: Set up QEMU
26-
uses: docker/setup-qemu-action@v1
33+
uses: docker/setup-qemu-action@v3
2734

2835
- name: Set up Docker Buildx
29-
id: buildx
30-
uses: docker/setup-buildx-action@v1
31-
with:
32-
install: true
36+
uses: docker/setup-buildx-action@v3
3337

3438
- name: Build and push image
35-
uses: docker/build-push-action@v2
39+
uses: docker/build-push-action@v6
3640
with:
3741
context: .
3842
file: Dockerfile
3943
push: true
40-
build-args: TAG=${{ env.RELEASE_VERSION }}
41-
tags: bakingbad/sandboxed-node:${{ env.RELEASE_VERSION }}
44+
build-args: TAG=${{ env.VERSION }}
45+
tags: bakingbad/sandboxed-node:${{ env.VERSION }}
4246
platforms: linux/amd64,linux/arm64

.github/workflows/ghcr.yml

Lines changed: 27 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,13 @@
11
name: Publish on GHCR
22

33
on:
4+
# Called by tag.yml right after the tag is created (the reliable path).
5+
workflow_call:
6+
inputs:
7+
version:
8+
required: true
9+
type: string
10+
# Safety-net: a tag pushed manually by a real user still publishes.
411
push:
512
tags:
613
- 'v*'
@@ -9,45 +16,39 @@ jobs:
916
build:
1017
name: Docker images for ghcr.io
1118
runs-on: ubuntu-latest
19+
# When called by tag.yml the GITHUB_TOKEN scope is granted by the caller job;
20+
# restated here so the manual `push: tags` path also gets packages:write.
21+
permissions:
22+
contents: read
23+
packages: write
24+
# workflow_call -> inputs.version ; manual tag push -> the tag name.
1225
env:
13-
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
14-
DOCKER_REGISTRY: ghcr.io
15-
DOCKER_IMAGE_BASE: ${{ github.repository }}
26+
VERSION: ${{ inputs.version || github.ref_name }}
1627
steps:
17-
- name: Set tag
18-
run: echo "TAG=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
19-
2028
- name: Check out the repo
21-
uses: actions/checkout@v2
22-
23-
- name: Set up QEMU
24-
uses: docker/setup-qemu-action@v1
25-
26-
- name: Set up Docker Buildx
27-
uses: docker/setup-buildx-action@v1
29+
uses: actions/checkout@v4
2830

2931
- name: Log in to the registry
30-
uses: docker/login-action@v1
32+
uses: docker/login-action@v3
3133
with:
32-
registry: ${{ env.DOCKER_REGISTRY }}
34+
registry: ghcr.io
3335
username: ${{ github.actor }}
3436
password: ${{ secrets.GITHUB_TOKEN }}
3537

36-
- name: Image tags & labels
37-
id: meta
38-
uses: docker/metadata-action@v3
39-
with:
40-
images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_BASE }}
38+
- name: Set up QEMU
39+
uses: docker/setup-qemu-action@v3
40+
41+
- name: Set up Docker Buildx
42+
uses: docker/setup-buildx-action@v3
4143

42-
- name: Image build & push
43-
uses: docker/build-push-action@v2
44+
- name: Build and push image
45+
uses: docker/build-push-action@v6
4446
with:
4547
context: .
4648
file: Dockerfile
4749
push: true
50+
build-args: TAG=${{ env.VERSION }}
51+
tags: ghcr.io/${{ github.repository }}:${{ env.VERSION }}
52+
platforms: linux/amd64,linux/arm64
4853
cache-from: type=gha
4954
cache-to: type=gha,mode=max
50-
tags: ${{ steps.meta.outputs.tags }}
51-
labels: ${{ steps.meta.outputs.labels }}
52-
platforms: linux/amd64,linux/arm64
53-
build-args: TAG=${{ env.TAG }}

.github/workflows/tag.yml

Lines changed: 34 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,26 +1,51 @@
11
name: Tag the current Octez release
22

3-
43
on:
54
push:
65
branches:
76
- 'master'
87

8+
# contents:write lets the tag job push the tag.
9+
# The publish workflows are invoked directly (jobs.<id>.uses) in this same run, so we
10+
# do NOT rely on the tag-push emitting a `push: tags` event — a tag pushed by
11+
# GITHUB_TOKEN never emits one (GitHub's recursion-prevention), which is exactly the
12+
# bug that left the image unpublished after every protocol bump.
913
permissions:
1014
contents: write
11-
actions: write
1215

1316
jobs:
14-
build:
15-
name: Force push tag of the current Octez release
17+
tag:
18+
name: Tag the current Octez release
1619
runs-on: ubuntu-latest
20+
outputs:
21+
version: ${{ steps.release.outputs.version }}
1722
steps:
1823
- name: Check out the repo
19-
uses: actions/checkout@v2
24+
uses: actions/checkout@v4
25+
with:
26+
fetch-depth: 0
2027

2128
- name: make release
22-
run: make release
29+
id: release
30+
run: |
31+
make release
32+
echo "version=$(cat octez_version)" >> "$GITHUB_OUTPUT"
2333
24-
- uses: rhosys/github-action-rebuild-pull-requests@v1.0
25-
with:
26-
github_token: ${{ secrets.GITHUB_TOKEN }}
34+
dockerhub:
35+
name: Publish on Docker Hub
36+
needs: tag
37+
uses: ./.github/workflows/dockerhub.yml
38+
with:
39+
version: ${{ needs.tag.outputs.version }}
40+
secrets: inherit
41+
42+
ghcr:
43+
name: Publish on GHCR
44+
needs: tag
45+
permissions:
46+
contents: read
47+
packages: write
48+
uses: ./.github/workflows/ghcr.yml
49+
with:
50+
version: ${{ needs.tag.outputs.version }}
51+
secrets: inherit

0 commit comments

Comments
 (0)