From a9364e284f0730dd955d43a1af0b4825359c161d Mon Sep 17 00:00:00 2001 From: Sam Doran Date: Fri, 12 Jun 2026 13:07:31 -0400 Subject: [PATCH 1/2] Only apply latest tag to container if it is the latest stable tag Add a program to determine the latest stable tag and compare it to the tag that triggered the workflow run. Only apply the latest tag if they match. Update the workflow to apply the latest tag based on the results of that program. This prevents new tags for older releases from getting the latst tag applied. --- .github/workflows/build_and_push_release.yaml | 7 ++- scripts/latest-tag.py | 55 +++++++++++++++++++ 2 files changed, 61 insertions(+), 1 deletion(-) create mode 100755 scripts/latest-tag.py diff --git a/.github/workflows/build_and_push_release.yaml b/.github/workflows/build_and_push_release.yaml index fc9a7372f..68a70bb25 100644 --- a/.github/workflows/build_and_push_release.yaml +++ b/.github/workflows/build_and_push_release.yaml @@ -31,6 +31,11 @@ jobs: with: # Fetch submodules (required for lightspeed-providers) submodules: 'recursive' + # Fetch all tags to determine latest stable version + fetch-tags: true + - name: Determine if latest tag should be applied + id: check_latest + run: ./scripts/latest-tag.py - name: Build image with Buildah id: build_image uses: redhat-actions/buildah-build@v2 @@ -38,7 +43,7 @@ jobs: image: ${{ env.IMAGE_NAME }} tags: | ${{ env.GIT_TAG }} - ${{ env.LATEST_TAG }} + ${{ steps.check_latest.outputs.apply_latest == 'true' && env.LATEST_TAG || '' }} containerfiles: | ${{ env.CONTAINER_FILE }} archs: amd64, arm64 diff --git a/scripts/latest-tag.py b/scripts/latest-tag.py new file mode 100755 index 000000000..683e3f7f8 --- /dev/null +++ b/scripts/latest-tag.py @@ -0,0 +1,55 @@ +#!/usr/bin/env python3 + +import os +import subprocess + + +def version_split(value: str) -> tuple[int, ...]: + """Split string into a tuple of ints.""" + try: + return tuple(int(n) for n in value.split(".")) + except ValueError: + return (-1,) + + +def is_prerelease(tag: str) -> bool: + """Determine if a tag is a pre-release version.""" + omit = {"rc", "alpha", "beta", "dev"} + + return any(n in tag for n in omit) + + +def get_latest_stable() -> str | None: + """Return the latest stable tag.""" + stdout = subprocess.check_output(["git", "tag"], text=True) + tags = [tag for tag in stdout.splitlines() if not is_prerelease(tag)] + tags.sort(key=version_split) + + return tags[-1] if tags else None + + +def main() -> None: + if not (current_tag := os.environ.get("GIT_TAG")): + reason = "GIT_TAG environment variable not set, skipping latest tag" + apply_latest = "false" + elif is_prerelease(current_tag): + reason = f"{current_tag} is a pre-release" + apply_latest = "false" + else: + latest_stable = get_latest_stable() + if current_tag == latest_stable: + reason = f"{current_tag} is the latest stable" + apply_latest = "true" + else: + reason = f"{current_tag} is not the latest stable ({latest_stable} is)" + apply_latest = "false" + + print(reason) + + if github_output := os.environ.get("GITHUB_OUTPUT"): + with open(github_output, "a") as f: + f.write(f"apply_latest={apply_latest}\n") + + +if __name__ == "__main__": + main() From 7770d98a3ece985fcd0821e3c90e399d5f02bc45 Mon Sep 17 00:00:00 2001 From: Sam Doran Date: Fri, 12 Jun 2026 13:36:42 -0400 Subject: [PATCH 2/2] Inspect the image using task output The image may not get the latst tag applied, so this step could inspect the incorrect image. Use the output from the build_image step to ensure the correct image is always inspected. --- .github/workflows/build_and_push_release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_push_release.yaml b/.github/workflows/build_and_push_release.yaml index 68a70bb25..a5cd2897e 100644 --- a/.github/workflows/build_and_push_release.yaml +++ b/.github/workflows/build_and_push_release.yaml @@ -56,7 +56,7 @@ jobs: - name: Check manifest run: | set -x - buildah manifest inspect ${{ steps.build_image.outputs.image }}:${{ env.LATEST_TAG }} + buildah manifest inspect ${{ steps.build_image.outputs.image-with-tag }} - name: Push image to Quay.io uses: redhat-actions/push-to-registry@v2 with: