feat: Add container publishing (#6)

AndyRae · web-flow · commit 71e84452292b · 2026-03-13T15:01:44.000Z
diff --git a/.github/workflows/publish-container.yml b/.github/workflows/publish-container.yml
@@ -0,0 +1,108 @@
+# Publishes an 'edge' container image to a registry, tagging with the current date and commit hash.
+name: Publish Container Image
+
+on:
+  workflow_call:
+    inputs:
+      image-name:
+        description: 'Container image name (e.g. my-app)'
+        required: true
+        type: string
+      image-description:
+        description: 'Description used in OCI annotations'
+        required: false
+        default: ''
+        type: string
+      registry:
+        description: 'Container registry host (e.g. ghcr.io)'
+        required: false
+        default: 'ghcr.io'
+        type: string
+      repo-owner:
+        description: 'Owner/namespace for the image (defaults to calling repo owner)'
+        required: false
+        default: ''
+        type: string
+      context:
+        description: 'Build context passed to Docker (e.g. . or ./app)'
+        required: false
+        default: '.'
+        type: string
+      dockerfile:
+        description: 'Relative path to Dockerfile'
+        required: false
+        default: 'Dockerfile'
+        type: string
+      platforms:
+        description: 'Target platforms for the image (comma-separated)'
+        required: false
+        default: 'linux/amd64,linux/arm64'
+        type: string
+
+env:
+  image-name: ${{ inputs.image-name }}
+  image-description: ${{ inputs.image-description }}
+  repo-owner: ${{ inputs.repo-owner || github.repository_owner }}
+  registry: ${{ inputs.registry }}
+  context: ${{ inputs.context }}
+  dockerfile: ${{ inputs.dockerfile }}
+  platforms: ${{ inputs.platforms }}
+
+jobs:
+  publish-container:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      - name: Docker Login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.registry }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker Metadata action
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+        with:
+          images: ${{ env.registry }}/${{ env.repo-owner }}/${{ env.image-name }}
+          # Tag notes:
+          # - RFC3339 is not suitable for docker tags, so we squash the date
+          # - We tag both the short (7-char prefixed) and full sha commit hashes; both are useful
+          # - `edge` represents latest main branch commit (potentially unstable)
+          tags: |
+            type=sha
+            ${{ github.sha }}
+            type=raw,value={{date 'YYYYMMDDHHmmss[Z]'}}
+            edge
+          # Label notes:
+          # - Static labels are applied in the Dockerfile
+          # - Date format in `org.opencontainers.image.created` must be RFC3339
+          # - version should be considered a semver candidate only, unless revision aligns with a git tag
+          labels: |
+            org.opencontainers.image.revision={{sha}}
+            org.opencontainers.image.created={{date 'YYYY-MM-DD HH:mm:ss[Z]'}}
+          annotations: |
+            org.opencontainers.image.description=${{ env.image-description }}
+
+      - name: Build and push Docker images
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        with:
+          context: ${{ env.context }}
+          file: ${{ env.dockerfile }}
+          push: true
+          platforms: ${{ env.platforms }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
diff --git a/.github/workflows/semver-container.yml b/.github/workflows/semver-container.yml
@@ -0,0 +1,77 @@
+name: Publish Semver Container
+
+on:
+  workflow_call:
+    inputs:
+      image-name:
+        description: 'Container image name (e.g. my-app)'
+        required: true
+        type: string
+      registry:
+        description: 'Container registry host (e.g. ghcr.io)'
+        required: false
+        default: 'ghcr.io'
+        type: string
+      release-name-prefix:
+        description: 'Prefix for the GitHub Release title'
+        required: false
+        default: ''
+        type: string
+
+env:
+  image-name: ${{ inputs.image-name }}
+  registry: ${{ inputs.registry }}
+  release-name-prefix: ${{ inputs.release-name-prefix }}
+
+jobs:
+  version-tag:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write # container images
+      contents: write # releases
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      # some docker actions need all lowercase
+      - name: downcase repo-owner
+        run: |
+          echo "REPO_OWNER_LOWER=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
+
+      - name: Parse version from tag
+        id: version
+        uses: release-kit/semver@97491c46500b6e758ced599794164a234b8aa08c # v2.0.7
+
+      # check image exists for commit
+      - uses: tyriis/docker-image-tag-exists@71a750a41aa78e4efb0842f538140c5df5b8166f # v2.1.0
+        with:
+          registry: ${{ env.registry }}
+          repository: ${{ env.REPO_OWNER_LOWER }}/${{ env.image-name }}
+          tag: ${{ github.sha }}
+
+      # standard login to the container registry
+      - name: Docker Login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.registry }}
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      # We still use the metadata action to help build out our tags from the Workflow Run
+      - name: Docker Metadata action
+        id: meta
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
+        with:
+          images: ${{ env.registry }}/${{ env.REPO_OWNER_LOWER }}/${{ env.image-name }}
+          tags: | # new tags only
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      # apply the new tags to the existing images
+      - name: Push updated image tags
+        uses: akhilerm/tag-push-action@f35ff2cb99d407368b5c727adbcc14a2ed81d509 # v2.2.0
+        with:
+          src: ${{ env.registry }}/${{ env.REPO_OWNER_LOWER }}/${{ env.image-name }}:${{ github.sha }}
+          dst: |
+            ${{ steps.meta.outputs.tags }}
diff --git a/docs/publish-container.md b/docs/publish-container.md
@@ -0,0 +1,58 @@
+# Publish Container Image
+
+Reusable workflow that builds and pushes a multi-architecture container image to a registry (e.g. `ghcr.io`). It tags the image with:
+
+- the current commit SHA
+- a timestamp (`YYYYMMDDHHmmssZ`)
+- `edge` (representing the latest main/dev build)
+
+This is intended for releasing dev/edge images, not stable semver releases.
+
+## Inputs
+
+| Input              | Required | Default                         | Description                                           |
+|--------------------|----------|---------------------------------|-------------------------------------------------------|
+| `image-name`       | Yes      | —                               | Image name, e.g. `my-app` or `services/api`.         |
+| `image-description`| No       | `''`                            | Description used in OCI annotations.                 |
+| `registry`         | No       | `'ghcr.io'`                     | Registry host.                                       |
+| `repo-owner`       | No       | calling repo owner             | Owner/namespace (e.g. `Health-Informatics-UoN`).     |
+| `context`          | No       | `'.'`                           | Docker build context.                                |
+| `dockerfile`       | No       | `'Dockerfile'`                  | Path to `Dockerfile` relative to repo root/context.  |
+| `platforms`        | No       | `'linux/amd64,linux/arm64'`     | Target platforms for the image.                      |
+
+## Secrets
+
+- `GITHUB_TOKEN` — Pass with `secrets: inherit` so the workflow can log in to the registry and push images.
+
+## Usage
+
+In your repo, add a workflow that runs on push to your main/dev branch:
+
+```yaml
+name: Publish Dev Container
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  publish-container:
+    uses: health-informatics-uon/workflows/.github/workflows/publish-container.yml@main
+    with:
+      image-name: my-service
+      image-description: 'My service edge build'
+      registry: ghcr.io
+      # repo-owner: Health-Informatics-UoN   # optional override
+      context: .
+      dockerfile: Dockerfile
+      platforms: linux/amd64,linux/arm64
+    secrets: inherit
+```
+
+This will publish images like:
+
+- `ghcr.io/<owner>/my-service:<sha>`
+- `ghcr.io/<owner>/my-service:<timestamp>`
+- `ghcr.io/<owner>/my-service:edge`
+
diff --git a/docs/semver-container.md b/docs/semver-container.md
@@ -0,0 +1,42 @@
+# Semver Container Release
+
+Reusable workflow that:
+
+- tags an existing container image with semver tags (`x.y.z`, `x`, `x.y`) based on the git tag
+- verifies that a corresponding container image (tagged with the commit SHA) already exists
+
+Use this when you already have an \"edge\" or commit-SHA container image (for example from the `publish-container` workflow) and you want to promote it to a semver release.
+
+## Inputs
+
+| Input               | Required | Default                            | Description                                                      |
+|---------------------|----------|------------------------------------|------------------------------------------------------------------|
+| `image-name`        | Yes      | —                                  | Image name, e.g. `my-app` or `services/api`.                     |
+| `registry`          | No       | `'ghcr.io'`                        | Registry host.                                                   |
+| `release-name-prefix` | No     | `''`                               | String prefixed to the Release title (e.g. project name + space).|
+
+
+## Secrets
+
+- `GITHUB_TOKEN` — Pass with `secrets: inherit` so the workflow can read tags, create releases, and push tags in the container registry.
+
+## Usage
+
+This workflow is designed to as part of a release process.
+
+```yaml
+jobs:
+  semver-container:
+    uses: health-informatics-uon/workflows/.github/workflows/semver-container.yml@main
+    with:
+      image-name: my-service
+      registry: ghcr.io
+      release-name-prefix: 'My Service '
+    secrets: inherit
+```
+
+This will:
+
+- check that an image `ghcr.io/<owner>/my-service:<sha>` exists
+- push additional tags like `1.2.3`, `1`, and `1.2` to that image
+
