Refactors build image identification

Author: danschmidt5189

.github/workflows/build.yml

@@ -2,18 +2,15 @@ name: Build / Test / Push
 
 on:
   push:
-  workflow_call:
+    branches:
+      - '*'
   workflow_dispatch:
 
-env:
-  COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml
-  DOCKER_METADATA_SET_OUTPUT_ENV: 'true'
-
 jobs:
   build:
     runs-on: ubuntu-latest
     outputs:
-      image: ${{ steps.meta.outputs.tags }}
+      build-image: ${{ steps.build-meta.outputs.tags }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -31,20 +28,19 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Produce image tag 'sha-*-pre'
-        id: meta
+      - name: Produce the build image tag
+        id: build-meta
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}
-          tags: type=sha,suffix=-pre
+          tags: type=sha,suffix=-build-${{ github.run_id }}_${{ github.run_attempt }}
 
       - name: Build and push the untested image
-        id: build
         uses: docker/build-push-action@v6
         with:
           push: true
-          labels: ${{ steps.meta.outputs.labels }}
-          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.build-meta.outputs.labels }}
+          tags: ${{ steps.build-meta.outputs.tags }}
           provenance: true
           cache-from: type=gha
           cache-to: type=gha
@@ -54,7 +50,7 @@ jobs:
     needs:
       - build
     env:
-      DOCKER_APP_IMAGE: ${{ needs.build.outputs.image }}
+      DOCKER_APP_IMAGE: ${{ needs.build.outputs.build-image }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -74,10 +70,40 @@ jobs:
 
       - name: Run the tests
         run: bin/test
+        env:
+          COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml
+
+  push:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - test
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Produce permanent image tags
+        id: branch-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=sha
+            type=ref,event=branch
+            type=raw,value=latest,enable={{is_default_branch}}
 
-            # type=ref,event=branch
-            # type=ref,event=tag
-            # type=semver,pattern={{major}}
-            # type=semver,pattern={{major}}.{{minor}}
-            # type=semver,pattern={{version}}
-            # type=raw,value=latest,enable={{is_default_branch}}
+      - name: Retag and push the image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          labels: ${{ steps.branch-meta.outputs.labels }}
+          tags: ${{ steps.branch-meta.outputs.tags }}
+          provenance: true
+          cache-from: type=registry,ref=${{ needs.build.outputs.build-image }}

.github/workflows/tag.yml .github/workflows/release.yml.github/workflows/tag.yml renamed to .github/workflows/release.yml

@@ -1,25 +1,18 @@
 name: Push Release Tags
 
 on:
-  workflow_call:
+  push:
+    tags:
+      - '*'
   workflow_dispatch:
 
 jobs:
-  tag:
+  retag:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Output short SHA
-        run: echo "GITHUB_SHORT_SHA=${GITHUB_SHA::7}" >> "$GITHUB_ENV"
-
-      - name: Output Docker repo to be pulled from
-        run: echo "ghcr.io/${GITHUB_REPOSITORY}" | tr '[:upper:]' '[:lower:]' | sed 's/^/DOCKER_REPO=/' >> "$GITHUB_ENV"
-
-      - name: Output Docker image to be pulled
-        run: echo "DOCKER_IMAGE=${DOCKER_REPO}:sha-${GITHUB_SHORT_SHA}" >> "$GITHUB_ENV"
-
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
@@ -33,19 +26,34 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Determine long-lived Docker image tags
-        id: meta
+      - name: Determine the sha-based image tag to retag
+        id: get-base-image
         uses: docker/metadata-action@v5
         with:
           images: ${{ github.env.DOCKER_IMAGE }}
+          tags: type=sha
+
+      - name: Verify that the image was previously built
+        run: docker pull "$BASE_IMAGE"
+        env:
+          BASE_IMAGE: ${{ steps.get-base-image.outputs.tags }}
+
+      - name: Produce release tags
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
           tags: |
-            type=sha
-            type=ref,event=branch
             type=ref,event=tag
             type=semver,pattern={{major}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{version}}
-            type=raw,value=latest,enable={{is_default_branch}}
 
-      - name: Pull the image to be retagged
-        run: docker pull "${DOCKER_IMAGE}"
+      - name: Retag and push the image
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+          provenance: true
+          cache-from: type=registry,ref=${{ steps.get-base-image.outputs.tags }}