ci(docker): simplify publish to match working repo pattern

Revert the over-engineered linking attempts (provenance: false,
index annotations, dispatch tag input, Dockerfile source LABEL). Our
working repos (e.g. offendingcommit/infra) link GHCR packages with the
plain metadata-action labels + GITHUB_TOKEN push — none of the extras
helped or were needed. Match that.

Package<->repo linking is handled by the one-time Connect Repository
step in package settings.

Type ci → no version bump.

Author: offendingcommit

.github/workflows/docker-publish.yml

@@ -4,11 +4,6 @@ on:
   release:
     types: [published]
   workflow_dispatch:
-    inputs:
-      tag:
-        description: Existing tag to (re)build and publish, e.g. v0.13.0. Defaults to the triggering ref.
-        required: false
-        type: string
 
 permissions:
   contents: read
@@ -20,18 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.inputs.tag || github.ref }}
-
-      # Derive the image version from the tag (release ref or dispatch input) so
-      # raw tags work for both triggers — semver-from-ref doesn't fire on dispatch.
-      - id: ver
-        shell: bash
-        run: |
-          REF="${{ github.event.inputs.tag || github.ref_name }}"
-          V="${REF#v}"
-          echo "version=$V" >> "$GITHUB_OUTPUT"
-          echo "minor=${V%.*}" >> "$GITHUB_OUTPUT"
 
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
@@ -44,15 +27,11 @@ jobs:
 
       - id: meta
         uses: docker/metadata-action@v5
-        # Annotate the INDEX (not just per-platform configs) so GHCR can read
-        # org.opencontainers.image.source and auto-link the package to the repo.
-        env:
-          DOCKER_METADATA_ANNOTATIONS_LEVELS: index
         with:
           images: ghcr.io/${{ github.repository_owner }}/openconcho-web
           tags: |
-            type=raw,value=${{ steps.ver.outputs.version }}
-            type=raw,value=${{ steps.ver.outputs.minor }}
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
             type=raw,value=latest
             type=sha,format=short
 
@@ -61,11 +40,7 @@ jobs:
           context: .
           platforms: linux/amd64,linux/arm64
           push: true
-          # provenance off keeps the pushed artifact a plain multi-arch index,
-          # so the index annotation below is what GHCR sees for repo linking.
-          provenance: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          annotations: ${{ steps.meta.outputs.annotations }}
           cache-from: type=gha
           cache-to: type=gha,mode=max

Dockerfile

@@ -30,12 +30,6 @@ RUN pnpm --filter @openconcho/web build
 # under a read-only filesystem with cap_drop ALL.
 FROM nginxinc/nginx-unprivileged:alpine
 
-# Baked into the image config — the canonical, build-tool-independent signal GHCR
-# reads to connect the published package to this repo. Evaluated at package
-# creation, so it links freshly-created packages without relying on buildx
-# annotation levels.
-LABEL org.opencontainers.image.source="https://github.com/offendingcommit/openconcho"
-
 COPY --chown=101:101 --from=builder /app/packages/web/dist /usr/share/nginx/html
 # Rendered to /etc/nginx/conf.d/default.conf by the image's envsubst entrypoint.
 COPY --chown=101:101 docker/nginx.conf.template /etc/nginx/templates/default.conf.template