From b40787ffc5e908e7d6c59e3d3ccbae977a34733f Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Fri, 12 Dec 2025 22:50:33 +0100 Subject: [PATCH] ci: publish GHCR images after successful mark-stable workflow Trigger container publishing via workflow_run on "Mark stable commit", gate on success, checkout the workflow_run head SHA, force-refresh tags, and derive version from the v* tag pointing at the tested commit to correctly detect and publish stable images. https://chatgpt.com/share/693c836b-0b00-800f-9536-9e273abd0fb5 --- .github/workflows/publish-containers.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml index 15cd3c7..329bc7c 100644 --- a/.github/workflows/publish-containers.yml +++ b/.github/workflows/publish-containers.yml @@ -1,12 +1,13 @@ name: Publish container images (GHCR) on: - push: - tags: - - "v*" + workflow_run: + workflows: ["Mark stable commit"] + types: [completed] jobs: publish: + if: ${{ github.event.workflow_run.conclusion == 'success' }} runs-on: ubuntu-latest permissions: @@ -20,13 +21,22 @@ jobs: fetch-depth: 0 fetch-tags: true + - name: Checkout workflow_run commit and refresh tags + run: | + set -euo pipefail + git checkout -f "${{ github.event.workflow_run.head_sha }}" + git fetch --tags --force + git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20 + - name: Compute version and stable flag id: info run: | set -euo pipefail - SHA="$(git rev-parse HEAD)" - VERSION="${GITHUB_REF_NAME#v}" + + V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)" + [[ -n "$V_TAG" ]] || { echo "No version tag found"; exit 1; } + VERSION="${V_TAG#v}" STABLE_SHA="$(git rev-parse -q --verify refs/tags/stable^{commit} 2>/dev/null || true)" IS_STABLE=false