feat(ci): render Docker Hub readme from versions.yml at build time (#715)

Fixes #709

#### Short description of what this resolves:

Step 15 of the release runbook — updating the Docker Hub readme on
https://hub.docker.com/r/openemr/openemr — was manual: maintainers
edited `docker/openemr/OVERVIEW.md` by hand, then a workflow propagated
it to Docker Hub. This PR removes that manual step. The readme is now
rendered from `tools/release/versions.yml` (the same registry the slot
rotation workflow already uses) and pushed by each production build
workflow after a successful image push.

#### Changes proposed in this pull request:

- New Twig template `tools/release/templates/dockerhub-overview.md.twig`
(renamed from `docker/openemr/OVERVIEW.md`, with version-dependent
values parameterized on slot scalars).
- New renderer `OpenEMR\Release\DockerHubOverviewRenderer`
(`tools/release/src/`) with a thin Symfony Console wrapper at
`tools/release/bin/render-dockerhub-overview.php` and a
`release:render-dockerhub-overview` Task entry. Unit tests cover slot
interpolation, determinism, and error paths.
- New composite action `.github/actions/push-dockerhub-readme` that
checks out, renders, then calls `peter-evans/dockerhub-description@v5`.
- Build workflows `build-704`, `build-800`, `build-810`, `build-811`
call the composite action as their final step (last-writer-wins is
benign because renders are deterministic).
- Retire `.github/workflows/dockerhub-description.yml` and the
hand-edited `docker/openemr/OVERVIEW.md`. Drop the corresponding entry
from `tools/release/versions.yml`.
- Drop the per-build dated tags (e.g. `8.0.0.3-2026-03-25`) from the
readme — they're an immutable-naming mechanism for pinning, not
date-display, and Docker Hub's Tags page already lists them. Replaced
with one sentence explaining the scheme.

#### Notes

- Blocked on the Docker Hub credential rotation in #714 — the previous
workflow has been failing with `Forbidden` on its last two runs. The new
push uses the same `DOCKERHUB_USERNAME` / `DOCKERHUB_TOKEN` secrets, so
the same fix unblocks both.
- Flex tracks (`build-322`, `build-323`, `build-edge`,
`build-flex-core`) are intentionally not wired up — they aren't in the
rotation registry and their portion of the readme is hand-curated. Easy
follow-up if/when they join the rotation.
- Follow-up on `openemr/openemr` to remove step 15 from
`docs/RELEASE_PROCESS.md`'s release runbook.

#### Test plan

- `composer check` clean in `tools/release/` (phpcs, phpstan, rector
dry-run, require-checker, phpunit — 83 tests).
- `actionlint` clean on the four modified build workflows.
- Local render of the template against the real `versions.yml` produces
the expected markdown.
- End-to-end push verifiable once #714 lands: workflow_dispatch on
`build-800.yml` from a topic branch and confirm the Docker Hub readme
reflects the rendered output.

Author: kojiromike

.github/actions/push-dockerhub-readme/action.yml

@@ -0,0 +1,41 @@
+name: 'Push Docker Hub readme for openemr/openemr'
+description: 'Render the readme from versions.yml + the Twig template and PATCH it to Docker Hub'
+
+inputs:
+  username:
+    description: 'Docker Hub username'
+    required: true
+  password:
+    description: 'Docker Hub access token (R/W/D scope on openemr/openemr)'
+    required: true
+  repository:
+    description: 'Docker Hub repository to update'
+    required: false
+    default: 'openemr/openemr'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v6
+
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.5'
+
+    - name: Install Task
+      uses: arduino/setup-task@v2
+
+    - name: Render readme
+      shell: bash
+      working-directory: tools/release
+      run: task release:render-dockerhub-overview OUTPUT="${RUNNER_TEMP}/dockerhub-readme.md"
+
+    - name: Push readme to Docker Hub
+      uses: peter-evans/dockerhub-description@v5
+      with:
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+        repository: ${{ inputs.repository }}
+        readme-filepath: ${{ runner.temp }}/dockerhub-readme.md

.github/workflows/build-704.yml

@@ -29,3 +29,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           no-cache: true
+
+      - name: Push Docker Hub readme
+        uses: ./.github/actions/push-dockerhub-readme
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/build-800.yml

@@ -29,3 +29,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           no-cache: true
+
+      - name: Push Docker Hub readme
+        uses: ./.github/actions/push-dockerhub-readme
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/build-810.yml

@@ -88,3 +88,9 @@ jobs:
             -t openemr/openemr:next \
             -t "openemr/openemr:8.1.0-${{ steps.build_date.outputs.date }}" \
             "${digests[@]}"
+
+      - name: Push Docker Hub readme
+        uses: ./.github/actions/push-dockerhub-readme
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/build-811.yml

@@ -88,3 +88,9 @@ jobs:
             -t openemr/openemr:dev \
             -t "openemr/openemr:8.1.1-${{ steps.build_date.outputs.date }}" \
             "${digests[@]}"
+
+      - name: Push Docker Hub readme
+        uses: ./.github/actions/push-dockerhub-readme
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/dockerhub-description.yml

@@ -161,6 +161,15 @@ tasks:
         php bin/check-dockerhub-credential.php
         {{if .REPOSITORY}}--repository={{shellQuote .REPOSITORY}}{{end}}
 
+  release:render-dockerhub-overview:
+    desc: Render the Docker Hub readme for openemr/openemr from versions.yml
+    deps: [setup]
+    cmds:
+      - >-
+        php bin/render-dockerhub-overview.php
+        --repo={{shellQuote (default "../.." .ROTATE_REPO)}}
+        {{if .OUTPUT}}--output={{shellQuote .OUTPUT}}{{end}}
+
   release:verify-tag:
     desc: Verify a release tag is annotated and well-formed per #664 spec
     requires:

tools/release/Taskfile.yml

@@ -0,0 +1,87 @@
+#!/usr/bin/env php
+<?php
+
+/**
+ * Render the Docker Hub readme for openemr/openemr.
+ *
+ * Called from the build workflows after a successful image push; the rendered
+ * output is fed to peter-evans/dockerhub-description, which PATCHes Docker
+ * Hub's repo description endpoint.
+ *
+ * @package   openemr-devops
+ * @link      https://www.open-emr.org
+ * @author    Michael A. Smith <michael@opencoreemr.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc.
+ * @license   https://github.com/openemr/openemr-devops/blob/master/LICENSE GNU General Public License 3
+ */
+
+declare(strict_types=1);
+
+require dirname(__DIR__) . '/vendor/autoload.php';
+
+use OpenEMR\Release\DockerHubOverviewRenderer;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\SingleCommandApplication;
+
+(new SingleCommandApplication())
+    ->setName('render-dockerhub-overview')
+    ->setDescription('Render the Docker Hub readme for openemr/openemr from versions.yml')
+    ->addOption(
+        'repo',
+        null,
+        InputOption::VALUE_REQUIRED,
+        'Path to the repo root',
+        getcwd() === false ? '.' : getcwd(),
+    )
+    ->addOption(
+        'registry',
+        null,
+        InputOption::VALUE_REQUIRED,
+        'Path to versions.yml (defaults to <repo>/tools/release/versions.yml)',
+    )
+    ->addOption(
+        'template-dir',
+        null,
+        InputOption::VALUE_REQUIRED,
+        'Twig template directory (defaults to <repo>/tools/release/templates)',
+    )
+    ->addOption('output', 'o', InputOption::VALUE_REQUIRED, 'Output file (defaults to stdout)')
+    ->setCode(function (InputInterface $input, OutputInterface $output): int {
+        $repo = $input->getOption('repo');
+        if (!is_string($repo) || $repo === '') {
+            $output->writeln('<error>--repo is required</error>');
+            return 1;
+        }
+
+        $registry = $input->getOption('registry');
+        if (!is_string($registry) || $registry === '') {
+            $registry = $repo . '/tools/release/versions.yml';
+        }
+        if (!is_file($registry)) {
+            $output->writeln("<error>Registry not found: {$registry}</error>");
+            return 1;
+        }
+
+        $templateDir = $input->getOption('template-dir');
+        if (!is_string($templateDir) || $templateDir === '') {
+            $templateDir = $repo . '/tools/release/templates';
+        }
+        if (!is_dir($templateDir)) {
+            $output->writeln("<error>Template directory not found: {$templateDir}</error>");
+            return 1;
+        }
+
+        $rendered = (new DockerHubOverviewRenderer($registry, $templateDir))->render();
+
+        $target = $input->getOption('output');
+        if (is_string($target) && $target !== '') {
+            file_put_contents($target, $rendered);
+            $output->writeln("Rendered to <info>{$target}</info>");
+            return 0;
+        }
+        $output->write($rendered);
+        return 0;
+    })
+    ->run();

tools/release/bin/render-dockerhub-overview.php

@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * Render the Docker Hub readme for openemr/openemr from versions.yml.
+ *
+ * The rendered output is what the build workflows push to Docker Hub via the
+ * peter-evans/dockerhub-description action. Pure: same input → same output;
+ * no filesystem side effects beyond reading the registry path.
+ *
+ * @package   openemr-devops
+ * @link      https://www.open-emr.org
+ * @author    Michael A. Smith <michael@opencoreemr.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc.
+ * @license   https://github.com/openemr/openemr-devops/blob/master/LICENSE GNU General Public License 3
+ */
+
+declare(strict_types=1);
+
+namespace OpenEMR\Release;
+
+use Symfony\Component\Yaml\Yaml;
+use Twig\Environment;
+use Twig\Loader\FilesystemLoader;
+
+final readonly class DockerHubOverviewRenderer
+{
+    public const TEMPLATE_NAME = 'dockerhub-overview.md.twig';
+
+    public function __construct(
+        private string $registryPath,
+        private string $templateDir,
+    ) {
+    }
+
+    public function render(): string
+    {
+        $registry = $this->loadRegistry();
+        $twig = new Environment(
+            new FilesystemLoader($this->templateDir),
+            ['autoescape' => false],
+        );
+        return $twig->render(self::TEMPLATE_NAME, [
+            'current' => $this->slot($registry, 'current'),
+            'next' => $this->slot($registry, 'next'),
+            'dev' => $this->slot($registry, 'dev'),
+        ]);
+    }
+
+    /**
+     * @return array<string, array<string, string>>
+     */
+    private function loadRegistry(): array
+    {
+        $parsed = Yaml::parseFile($this->registryPath);
+        if (!is_array($parsed) || !isset($parsed['slots']) || !is_array($parsed['slots'])) {
+            throw new \RuntimeException("Registry malformed: {$this->registryPath}");
+        }
+        /** @var array<string, array<string, string>> $slots */
+        $slots = $parsed['slots'];
+        return $slots;
+    }
+
+    /**
+     * @param array<string, array<string, string>> $registry
+     * @return array<string, string>
+     */
+    private function slot(array $registry, string $name): array
+    {
+        if (!isset($registry[$name])) {
+            throw new \RuntimeException("Registry missing slot: {$name}");
+        }
+        return $registry[$name];
+    }
+}

tools/release/src/DockerHubOverviewRenderer.php

@@ -1,13 +1,13 @@
 [OpenEMR](https://www.open-emr.org) is the most popular open source electronic health records and medical practice management solution. OpenEMR's goal is a superior alternative to its proprietary counterparts. With passionate volunteers and contributors dedicated to guarding OpenEMR's status as a free, open source software solution for medical practices with a commitment to openness, kindness and cooperation.
 
-**Current production OpenEMR version is 8.0.0**
+**Current production OpenEMR version is {{ current.full }}**
 
 Supported tags:
 
-* `8.0.0`, `8.0.0.3`, `8.0.0.3-2026-03-25`, `latest` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/8.0.0/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/8.0.0/#openemr-official-docker-image)
-* `7.0.4`, `7.0.4.0`, `7.0.4.0-2025-12-24` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/7.0.4/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/7.0.4/#openemr-official-docker-image)
-* `8.1.0`, `next` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/8.1.0/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/8.1.0/#openemr-official-docker-image)
-* `8.1.1`, `dev` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/8.1.1/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/8.1.1/#openemr-official-docker-image)
+* `{{ current.full }}`, `{{ current.patch }}`, `latest` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/{{ current.docker_dir }}/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/{{ current.docker_dir }}/#openemr-official-docker-image)
+* `7.0.4`, `7.0.4.0` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/7.0.4/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/7.0.4/#openemr-official-docker-image)
+* `{{ next.full }}`, `next` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/{{ next.docker_dir }}/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/{{ next.docker_dir }}/#openemr-official-docker-image)
+* `{{ dev.full }}`, `dev` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/{{ dev.docker_dir }}/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/{{ dev.docker_dir }}/#openemr-official-docker-image)
 * `flex-3.23-php-8.5` `flex-3.23` `flex` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
 * `flex-3.23-php-8.4` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
 * `flex-3.23-php-8.3` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
@@ -18,6 +18,8 @@ Supported tags:
 * `flex-edge-php-8.4` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
 * `flex-edge-php-8.3` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
 
+Each production build also pushes an immutable `X.Y.Z-YYYY-MM-DD` tag (e.g. `{{ current.patch }}-2026-03-25`) so a deployment can pin a specific build and survive future rebuilds of the same version. See the [Tags page](https://hub.docker.com/r/openemr/openemr/tags) for the most recent dated tag of each track.
+
 This [OpenEMR](http://www.open-emr.org) official docker supports automated installation/configuration of OpenEMR. It requires a companion mysql/mariadb container to work.
 
 * Required environment settings for auto installation are `MYSQL_HOST` and `MYSQL_ROOT_PASS`
@@ -36,4 +38,4 @@ This [OpenEMR](http://www.open-emr.org) official docker supports automated insta
 * Can turn on kubernetes/orchestration/swarm/replication support with the `SWARM_MODE` (set it to 'yes'). This only works for the `5.0.2+` and `flex*` images on Docker Swarm and can see [docker-compose.yml](https://gist.github.com/bradymiller/980086836af187285bf28b8db9eecabc) for an example of use in Docker Swarm. This only works for the `6.0.0+` and `flex*` images on Kubernetes and can see [README.md](https://github.com/openemr/openemr-devops/tree/master/kubernetes) for examples of use in Kubernetes. Note the shared volumes /var/www/localhost/htdocs/openemr/sites, /etc/ssl and /etc/letsencrypt are needed in this mode.
 * Can force database SSL or X509 connection by setting one of the following parameters to "1", `FORCE_DATABASE_SSL_CONNECT` or `FORCE_DATABASE_X509_CONNECT`. (ensure you have the SSL or X509 properly configured in the database). This is supported in `7.0.1`+ and flex (`3.15-8`, `edge`, `3.17`+) series.
 * The `flex*` images (`flex-3.22` is Alpine 3.22, `flex-edge` is Alpine Edge, etc.) are for testers and developers and allows use of a OpenEMR version from the specified git repository. Required environment settings for these images are `FLEX_REPOSITORY` and (`FLEX_REPOSITORY_BRANCH` or `FLEX_REPOSITORY_TAG`). `FLEX_REPOSITORY` is the public git repository holding the openemr version that will be used. And `FLEX_REPOSITORY_BRANCH` or `FLEX_REPOSITORY_TAG` represent the branch or tag to use in this git repository, respectively. An exception to the above required settings for these images is if the user sets `EMPTY` environment setting to 'yes'; then these images will not install any openemr in it (this gives a developer flexibility to set up shared volume(s) from host). Another special flag in the `flex*` docker series is `FORCE_NO_BUILD_MODE`, which will force the docker to not build openemr dependent packages/assets via composer/npm if it is set to 'yes'. Two other special flags in the `flex*` docker series is `EASY_DEV_MODE` and `EASY_DEV_MODE_NEW`, which allows use of the "easy development environment" if they are set to 'yes'. Another special flag in the `flex*` docker series is `INSANE_DEV_MODE`, which allows use of devtools in the "insane development environment" if it is set to 'yes'. Another special flag in the `flex*` docker series is `DEVELOPER_TOOLS`, which installs developer/testing tools/packages. Yet another special flag in the `flex*` docker series is `GITHUB_COMPOSER_TOKEN`, which is used to place a github auth token. Another set of special flags in the `flex*` docker series are `XDEBUG_ON`, which will turn on support for xdebug when set to 1 and `XDEBUG_PROFILER_ON`, which will turn on support for xdebug profiling when set to `1` (optional setting for xdebug support are `XDEBUG_IDE_KEY`, `XDEBUG_CLIENT_HOST` and `XDEBUG_CLIENT_PORT`). Another special setting in the `flex*` docker series is `DEMO_MODE`, which when set to `standard`, will load in standard demo data. Another special setting in the `flex*` docker series is `SQL_DATA_DRIVE`, which can be set to a path in the docker; all of the *.sql in this path will be loaded into the OpenEMR database.
-* Automatic upgrading of OpenEMR is supported when upgrade from `5.0.1` to most recent production image tag (for example `8.0.0`) (note this is not supported in the `flex*` series). In your docker-compose.yml file, you can basically change the image version tag (such as `5.0.1`) to the most recent production image version tag (for example `8.0.0`) and then do a `docker-compose up`. Note it will not work for patch version upgrades (ie. `7.0.3` to `7.0.3.4` will not work). Also noted this will only work if you have set a shared volume for the `/var/www/localhost/htdocs/openemr/sites` directory (it will not work if either you didn't set a shared volume or you set the shared volume to be the entire `/var/www/localhost/htdocs/openemr` directory). Before you do this, recommend backing everything up.
+* Automatic upgrading of OpenEMR is supported when upgrade from `5.0.1` to most recent production image tag (for example `{{ current.full }}`) (note this is not supported in the `flex*` series). In your docker-compose.yml file, you can basically change the image version tag (such as `5.0.1`) to the most recent production image version tag (for example `{{ current.full }}`) and then do a `docker-compose up`. Note it will not work for patch version upgrades (ie. `7.0.3` to `7.0.3.4` will not work). Also noted this will only work if you have set a shared volume for the `/var/www/localhost/htdocs/openemr/sites` directory (it will not work if either you didn't set a shared volume or you set the shared volume to be the entire `/var/www/localhost/htdocs/openemr` directory). Before you do this, recommend backing everything up.