feat(ci): render Docker Hub readme from versions.yml at build time

The Docker Hub readme update for openemr/openemr was previously triggered
by edits to docker/openemr/OVERVIEW.md, which release runbook step 15
required maintainers to update by hand. The peter-evans/dockerhub-description
workflow then propagated the file. This left the readme out of sync
whenever the manual edit was forgotten and was the sole reason a maintainer
had to touch a markdown file as part of the release runbook.

Replace the hand-edited file with a Twig template
(tools/release/templates/dockerhub-overview.md.twig) rendered from
tools/release/versions.yml — the same registry that already drives slot
rotation for build workflows and Dockerfiles. A new composite action
(.github/actions/push-dockerhub-readme) renders the template and pushes
to the Docker Hub API. Each production build workflow (build-704,
build-800, build-810, build-811) calls it after a successful image push.
Render is deterministic from versions.yml so the same-day race between
nightly cron builds is benign — last writer wins with identical content.

Drop the per-build dated tags (e.g. 8.0.0.3-2026-03-25) from the readme.
Each build still pushes the immutable dated tag for pinning; users who
want a specific build find it on the Docker Hub Tags page or via
docker inspect. The readme now explains the scheme in one sentence
instead of mirroring listings Docker Hub already displays natively.

Closes #709.

Assisted-by: Claude Code

Author: kojiromike

.github/actions/push-dockerhub-readme/action.yml

@@ -0,0 +1,41 @@
+name: 'Push Docker Hub readme for openemr/openemr'
+description: 'Render the readme from versions.yml + the Twig template and PATCH it to Docker Hub'
+
+inputs:
+  username:
+    description: 'Docker Hub username'
+    required: true
+  password:
+    description: 'Docker Hub access token (R/W/D scope on openemr/openemr)'
+    required: true
+  repository:
+    description: 'Docker Hub repository to update'
+    required: false
+    default: 'openemr/openemr'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v6
+
+    - name: Setup PHP
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: '8.5'
+
+    - name: Install Task
+      uses: arduino/setup-task@v2
+
+    - name: Render readme
+      shell: bash
+      working-directory: tools/release
+      run: task release:render-dockerhub-overview OUTPUT="${RUNNER_TEMP}/dockerhub-readme.md"
+
+    - name: Push readme to Docker Hub
+      uses: peter-evans/dockerhub-description@v5
+      with:
+        username: ${{ inputs.username }}
+        password: ${{ inputs.password }}
+        repository: ${{ inputs.repository }}
+        readme-filepath: ${{ runner.temp }}/dockerhub-readme.md

.github/workflows/build-704.yml

@@ -29,3 +29,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           no-cache: true
+
+      - name: Push Docker Hub readme
+        uses: ./.github/actions/push-dockerhub-readme
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/build-800.yml

@@ -29,3 +29,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           no-cache: true
+
+      - name: Push Docker Hub readme
+        uses: ./.github/actions/push-dockerhub-readme
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/build-810.yml

@@ -88,3 +88,9 @@ jobs:
             -t openemr/openemr:next \
             -t "openemr/openemr:8.1.0-${{ steps.build_date.outputs.date }}" \
             "${digests[@]}"
+
+      - name: Push Docker Hub readme
+        uses: ./.github/actions/push-dockerhub-readme
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/build-811.yml

@@ -88,3 +88,9 @@ jobs:
             -t openemr/openemr:dev \
             -t "openemr/openemr:8.1.1-${{ steps.build_date.outputs.date }}" \
             "${digests[@]}"
+
+      - name: Push Docker Hub readme
+        uses: ./.github/actions/push-dockerhub-readme
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/dockerhub-description.yml

@@ -153,6 +153,15 @@ tasks:
         php bin/lint-versions.php
         --repo={{shellQuote (default "../.." .ROTATE_REPO)}}
 
+  release:render-dockerhub-overview:
+    desc: Render the Docker Hub readme for openemr/openemr from versions.yml
+    deps: [setup]
+    cmds:
+      - >-
+        php bin/render-dockerhub-overview.php
+        --repo={{shellQuote (default "../.." .ROTATE_REPO)}}
+        {{if .OUTPUT}}--output={{shellQuote .OUTPUT}}{{end}}
+
   release:verify-tag:
     desc: Verify a release tag is annotated and well-formed per #664 spec
     requires:

tools/release/Taskfile.yml

@@ -0,0 +1,87 @@
+#!/usr/bin/env php
+<?php
+
+/**
+ * Render the Docker Hub readme for openemr/openemr.
+ *
+ * Called from the build workflows after a successful image push; the rendered
+ * output is fed to peter-evans/dockerhub-description, which PATCHes Docker
+ * Hub's repo description endpoint.
+ *
+ * @package   openemr-devops
+ * @link      https://www.open-emr.org
+ * @author    Michael A. Smith <michael@opencoreemr.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc.
+ * @license   https://github.com/openemr/openemr-devops/blob/master/LICENSE GNU General Public License 3
+ */
+
+declare(strict_types=1);
+
+require dirname(__DIR__) . '/vendor/autoload.php';
+
+use OpenEMR\Release\DockerHubOverviewRenderer;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\SingleCommandApplication;
+
+(new SingleCommandApplication())
+    ->setName('render-dockerhub-overview')
+    ->setDescription('Render the Docker Hub readme for openemr/openemr from versions.yml')
+    ->addOption(
+        'repo',
+        null,
+        InputOption::VALUE_REQUIRED,
+        'Path to the repo root',
+        getcwd() === false ? '.' : getcwd(),
+    )
+    ->addOption(
+        'registry',
+        null,
+        InputOption::VALUE_REQUIRED,
+        'Path to versions.yml (defaults to <repo>/tools/release/versions.yml)',
+    )
+    ->addOption(
+        'template-dir',
+        null,
+        InputOption::VALUE_REQUIRED,
+        'Twig template directory (defaults to <repo>/tools/release/templates)',
+    )
+    ->addOption('output', 'o', InputOption::VALUE_REQUIRED, 'Output file (defaults to stdout)')
+    ->setCode(function (InputInterface $input, OutputInterface $output): int {
+        $repo = $input->getOption('repo');
+        if (!is_string($repo) || $repo === '') {
+            $output->writeln('<error>--repo is required</error>');
+            return 1;
+        }
+
+        $registry = $input->getOption('registry');
+        if (!is_string($registry) || $registry === '') {
+            $registry = $repo . '/tools/release/versions.yml';
+        }
+        if (!is_file($registry)) {
+            $output->writeln("<error>Registry not found: {$registry}</error>");
+            return 1;
+        }
+
+        $templateDir = $input->getOption('template-dir');
+        if (!is_string($templateDir) || $templateDir === '') {
+            $templateDir = $repo . '/tools/release/templates';
+        }
+        if (!is_dir($templateDir)) {
+            $output->writeln("<error>Template directory not found: {$templateDir}</error>");
+            return 1;
+        }
+
+        $rendered = (new DockerHubOverviewRenderer($registry, $templateDir))->render();
+
+        $target = $input->getOption('output');
+        if (is_string($target) && $target !== '') {
+            file_put_contents($target, $rendered);
+            $output->writeln("Rendered to <info>{$target}</info>");
+            return 0;
+        }
+        $output->write($rendered);
+        return 0;
+    })
+    ->run();

tools/release/bin/render-dockerhub-overview.php

@@ -0,0 +1,74 @@
+<?php
+
+/**
+ * Render the Docker Hub readme for openemr/openemr from versions.yml.
+ *
+ * The rendered output is what the build workflows push to Docker Hub via the
+ * peter-evans/dockerhub-description action. Pure: same input → same output;
+ * no filesystem side effects beyond reading the registry path.
+ *
+ * @package   openemr-devops
+ * @link      https://www.open-emr.org
+ * @author    Michael A. Smith <michael@opencoreemr.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc.
+ * @license   https://github.com/openemr/openemr-devops/blob/master/LICENSE GNU General Public License 3
+ */
+
+declare(strict_types=1);
+
+namespace OpenEMR\Release;
+
+use Symfony\Component\Yaml\Yaml;
+use Twig\Environment;
+use Twig\Loader\FilesystemLoader;
+
+final readonly class DockerHubOverviewRenderer
+{
+    public const TEMPLATE_NAME = 'dockerhub-overview.md.twig';
+
+    public function __construct(
+        private string $registryPath,
+        private string $templateDir,
+    ) {
+    }
+
+    public function render(): string
+    {
+        $registry = $this->loadRegistry();
+        $twig = new Environment(
+            new FilesystemLoader($this->templateDir),
+            ['autoescape' => false],
+        );
+        return $twig->render(self::TEMPLATE_NAME, [
+            'current' => $this->slot($registry, 'current'),
+            'next' => $this->slot($registry, 'next'),
+            'dev' => $this->slot($registry, 'dev'),
+        ]);
+    }
+
+    /**
+     * @return array<string, array<string, string>>
+     */
+    private function loadRegistry(): array
+    {
+        $parsed = Yaml::parseFile($this->registryPath);
+        if (!is_array($parsed) || !isset($parsed['slots']) || !is_array($parsed['slots'])) {
+            throw new \RuntimeException("Registry malformed: {$this->registryPath}");
+        }
+        /** @var array<string, array<string, string>> $slots */
+        $slots = $parsed['slots'];
+        return $slots;
+    }
+
+    /**
+     * @param array<string, array<string, string>> $registry
+     * @return array<string, string>
+     */
+    private function slot(array $registry, string $name): array
+    {
+        if (!isset($registry[$name])) {
+            throw new \RuntimeException("Registry missing slot: {$name}");
+        }
+        return $registry[$name];
+    }
+}

tools/release/src/DockerHubOverviewRenderer.php

@@ -1,13 +1,13 @@
 [OpenEMR](https://www.open-emr.org) is the most popular open source electronic health records and medical practice management solution. OpenEMR's goal is a superior alternative to its proprietary counterparts. With passionate volunteers and contributors dedicated to guarding OpenEMR's status as a free, open source software solution for medical practices with a commitment to openness, kindness and cooperation.
 
-**Current production OpenEMR version is 8.0.0**
+**Current production OpenEMR version is {{ current.full }}**
 
 Supported tags:
 
-* `8.0.0`, `8.0.0.3`, `8.0.0.3-2026-03-25`, `latest` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/8.0.0/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/8.0.0/#openemr-official-docker-image)
-* `7.0.4`, `7.0.4.0`, `7.0.4.0-2025-12-24` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/7.0.4/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/7.0.4/#openemr-official-docker-image)
-* `8.1.0`, `next` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/8.1.0/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/8.1.0/#openemr-official-docker-image)
-* `8.1.1`, `dev` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/8.1.1/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/8.1.1/#openemr-official-docker-image)
+* `{{ current.full }}`, `{{ current.patch }}`, `latest` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/{{ current.docker_dir }}/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/{{ current.docker_dir }}/#openemr-official-docker-image)
+* `7.0.4`, `7.0.4.0` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/7.0.4/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/7.0.4/#openemr-official-docker-image)
+* `{{ next.full }}`, `next` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/{{ next.docker_dir }}/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/{{ next.docker_dir }}/#openemr-official-docker-image)
+* `{{ dev.full }}`, `dev` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/{{ dev.docker_dir }}/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/{{ dev.docker_dir }}/#openemr-official-docker-image)
 * `flex-3.23-php-8.5` `flex-3.23` `flex` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
 * `flex-3.23-php-8.4` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
 * `flex-3.23-php-8.3` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
@@ -18,6 +18,8 @@ Supported tags:
 * `flex-edge-php-8.4` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
 * `flex-edge-php-8.3` [Dockerfile](https://github.com/openemr/openemr-devops/blob/master/docker/openemr/flex/Dockerfile) | [Instructions](https://github.com/openemr/openemr-devops/tree/master/docker/openemr/flex/#openemr-official-docker-image)
 
+Each production build also pushes an immutable `X.Y.Z-YYYY-MM-DD` tag (e.g. `{{ current.patch }}-2026-03-25`) so a deployment can pin a specific build and survive future rebuilds of the same version. See the [Tags page](https://hub.docker.com/r/openemr/openemr/tags) for the most recent dated tag of each track.
+
 This [OpenEMR](http://www.open-emr.org) official docker supports automated installation/configuration of OpenEMR. It requires a companion mysql/mariadb container to work.
 
 * Required environment settings for auto installation are `MYSQL_HOST` and `MYSQL_ROOT_PASS`
@@ -36,4 +38,4 @@ This [OpenEMR](http://www.open-emr.org) official docker supports automated insta
 * Can turn on kubernetes/orchestration/swarm/replication support with the `SWARM_MODE` (set it to 'yes'). This only works for the `5.0.2+` and `flex*` images on Docker Swarm and can see [docker-compose.yml](https://gist.github.com/bradymiller/980086836af187285bf28b8db9eecabc) for an example of use in Docker Swarm. This only works for the `6.0.0+` and `flex*` images on Kubernetes and can see [README.md](https://github.com/openemr/openemr-devops/tree/master/kubernetes) for examples of use in Kubernetes. Note the shared volumes /var/www/localhost/htdocs/openemr/sites, /etc/ssl and /etc/letsencrypt are needed in this mode.
 * Can force database SSL or X509 connection by setting one of the following parameters to "1", `FORCE_DATABASE_SSL_CONNECT` or `FORCE_DATABASE_X509_CONNECT`. (ensure you have the SSL or X509 properly configured in the database). This is supported in `7.0.1`+ and flex (`3.15-8`, `edge`, `3.17`+) series.
 * The `flex*` images (`flex-3.22` is Alpine 3.22, `flex-edge` is Alpine Edge, etc.) are for testers and developers and allows use of a OpenEMR version from the specified git repository. Required environment settings for these images are `FLEX_REPOSITORY` and (`FLEX_REPOSITORY_BRANCH` or `FLEX_REPOSITORY_TAG`). `FLEX_REPOSITORY` is the public git repository holding the openemr version that will be used. And `FLEX_REPOSITORY_BRANCH` or `FLEX_REPOSITORY_TAG` represent the branch or tag to use in this git repository, respectively. An exception to the above required settings for these images is if the user sets `EMPTY` environment setting to 'yes'; then these images will not install any openemr in it (this gives a developer flexibility to set up shared volume(s) from host). Another special flag in the `flex*` docker series is `FORCE_NO_BUILD_MODE`, which will force the docker to not build openemr dependent packages/assets via composer/npm if it is set to 'yes'. Two other special flags in the `flex*` docker series is `EASY_DEV_MODE` and `EASY_DEV_MODE_NEW`, which allows use of the "easy development environment" if they are set to 'yes'. Another special flag in the `flex*` docker series is `INSANE_DEV_MODE`, which allows use of devtools in the "insane development environment" if it is set to 'yes'. Another special flag in the `flex*` docker series is `DEVELOPER_TOOLS`, which installs developer/testing tools/packages. Yet another special flag in the `flex*` docker series is `GITHUB_COMPOSER_TOKEN`, which is used to place a github auth token. Another set of special flags in the `flex*` docker series are `XDEBUG_ON`, which will turn on support for xdebug when set to 1 and `XDEBUG_PROFILER_ON`, which will turn on support for xdebug profiling when set to `1` (optional setting for xdebug support are `XDEBUG_IDE_KEY`, `XDEBUG_CLIENT_HOST` and `XDEBUG_CLIENT_PORT`). Another special setting in the `flex*` docker series is `DEMO_MODE`, which when set to `standard`, will load in standard demo data. Another special setting in the `flex*` docker series is `SQL_DATA_DRIVE`, which can be set to a path in the docker; all of the *.sql in this path will be loaded into the OpenEMR database.
-* Automatic upgrading of OpenEMR is supported when upgrade from `5.0.1` to most recent production image tag (for example `8.0.0`) (note this is not supported in the `flex*` series). In your docker-compose.yml file, you can basically change the image version tag (such as `5.0.1`) to the most recent production image version tag (for example `8.0.0`) and then do a `docker-compose up`. Note it will not work for patch version upgrades (ie. `7.0.3` to `7.0.3.4` will not work). Also noted this will only work if you have set a shared volume for the `/var/www/localhost/htdocs/openemr/sites` directory (it will not work if either you didn't set a shared volume or you set the shared volume to be the entire `/var/www/localhost/htdocs/openemr` directory). Before you do this, recommend backing everything up.
+* Automatic upgrading of OpenEMR is supported when upgrade from `5.0.1` to most recent production image tag (for example `{{ current.full }}`) (note this is not supported in the `flex*` series). In your docker-compose.yml file, you can basically change the image version tag (such as `5.0.1`) to the most recent production image version tag (for example `{{ current.full }}`) and then do a `docker-compose up`. Note it will not work for patch version upgrades (ie. `7.0.3` to `7.0.3.4` will not work). Also noted this will only work if you have set a shared volume for the `/var/www/localhost/htdocs/openemr/sites` directory (it will not work if either you didn't set a shared volume or you set the shared volume to be the entire `/var/www/localhost/htdocs/openemr` directory). Before you do this, recommend backing everything up.