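---
# Publish container images to GHCR.
#
# Runs after the "Mark stable commit" workflow completes. It checks out the
# commit that workflow ran on, and publishes only if a v* tag points at it.
# The image version is the tag name without its leading "v"; is_stable is true
# when the "stable" tag resolves to the same commit.
#
# Review notes:
# - A workflow_run job uses this repository's GITHUB_TOKEN (packages: write
#   here), whatever event started the upstream workflow. The upstream
#   workflow's triggers are not visible from this file, so the job is also
#   gated on the run originating from this repository.
# - Event- and tag-derived values reach shell steps through `env:`. A
#   `${{ ... }}` expression inside `run:` is substituted into the script text
#   before bash parses it, so the value would be read as shell syntax.
# - NOTE(review): actions are referenced by mutable major tags (@v4, @v3).
#   Pinning each `uses:` to a full commit SHA keeps a retagged release from
#   changing what runs with packages: write.
name: Publish container images (GHCR)

on:
  workflow_run:
    workflows: ["Mark stable commit"]
    types: [completed]

jobs:
  publish:
    # Publish only for successful upstream runs whose head commit belongs to
    # this repository (defence in depth against fork-originated runs).
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    runs-on: ubuntu-latest
    # Least privilege: read the source, write packages, nothing else.
    permissions:
      contents: read
      packages: write
    steps:
      # fetch-depth: 0 pulls full history and tags, needed for tag lookups.
      # NOTE(review): checkout persists the token in the local git config by
      # default, so later steps (including scripts/build/publish.sh) can read
      # it. If `git fetch` below works without it (public repository),
      # consider `persist-credentials: false`.
      - name: Checkout repository (with tags)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Checkout workflow_run commit and refresh tags
        env:
          # Passed as data, not interpolated into the script body.
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          set -euo pipefail
          git checkout -f "${HEAD_SHA}"
          # --force lets moved tags (e.g. "stable") replace stale local copies.
          git fetch --tags --force
          # Diagnostic listing only; the output is not consumed by later steps.
          git tag --list 'stable' 'v*' --sort=version:refname | tail -n 20

      - name: Compute version and stable flag
        id: info
        run: |
          set -euo pipefail
          SHA="$(git rev-parse HEAD)"
          # Highest v* tag pointing at this exact commit, if any.
          V_TAG="$(git tag --points-at "${SHA}" --list 'v*' | sort -V | tail -n1)"
          if [[ -z "${V_TAG}" ]]; then
            echo "No version tag found for ${SHA}. Skipping publish."
            echo "should_publish=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          # NOTE(review): the tag text is not validated here beyond the v*
          # glob. Downstream consumers must treat VERSION as untrusted data.
          VERSION="${V_TAG#v}"
          # A missing "stable" tag yields an empty string rather than failing.
          STABLE_SHA="$(git rev-parse -q --verify 'refs/tags/stable^{commit}' 2>/dev/null || true)"
          IS_STABLE=false
          if [[ -n "${STABLE_SHA}" && "${STABLE_SHA}" == "${SHA}" ]]; then
            IS_STABLE=true
          fi
          echo "should_publish=true" >> "$GITHUB_OUTPUT"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "is_stable=${IS_STABLE}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        if: ${{ steps.info.outputs.should_publish == 'true' }}
        uses: docker/setup-buildx-action@v3
        with:
          use: true

      - name: Login to GHCR
        if: ${{ steps.info.outputs.should_publish == 'true' }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish all images
        if: ${{ steps.info.outputs.should_publish == 'true' }}
        env:
          # Same variables the script received before, now supplied by the
          # runner as environment data instead of being spliced into the
          # bash source.
          OWNER: ${{ github.repository_owner }}
          VERSION: ${{ steps.info.outputs.version }}
          IS_STABLE: ${{ steps.info.outputs.is_stable }}
        run: |
          set -euo pipefail
          bash scripts/build/publish.sh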