fix(ci): promote all image tags after attestation for GHCR UI #75

Merged
nayrosk merged 1 commit into develop from fix/ci-ghcr-install-hint-74
Apr 23, 2026
nayrosk (Member) commented Apr 23, 2026

Summary

  • Root cause: GHCR UI sorts package versions by push timestamp. When actions/attest@v4 pushes the attestation referrer manifest after the image, it becomes most-recent and displaces real tags (latest, semver) in the UI, showing only the sha256 digest link.
  • Fix: Loop over all tags from steps.meta.outputs.tags after attestation completes, using docker buildx imagetools create to re-touch each real tag and bump their timestamp above the attestation referrer.
  • Scope: Single file .github/workflows/release.yml — release job only, no code changes.

Testing

  • Verify CI/CD: actionlint validates workflow syntax (no new warnings)
  • Verify CI/CD: Release job runs without docker push regression (all images pushed to GHCR successfully)
  • Post-merge verification: On next release tag, verify GHCR UI displays latest and semver tags (e.g., v0.4.2, 0.4) as primary options in package versions dropdown, NOT sha256 digest link as first option

Closes #74

Summary by CodeRabbit

  • Chores
    • Enhanced the Docker image release pipeline with improved tag handling and stricter deployment checks.

GHCR sorts package versions by most-recent push timestamp. When
actions/attest@v4 pushes the attestation referrer manifest after the
image push, it becomes the most-recent artifact and displaces real
tags (latest, x.y.z, x.y) in the UI, showing only the sha256 digest
link instead.

Remediation: loop over all tags from steps.meta.outputs.tags (using
docker buildx imagetools create) after attestation completes. This
re-touches each real tag, bumping their timestamp above the
attestation referrer, so GHCR UI surfaces them first.

Refs: #74

coderabbitai Bot (Contributor) commented Apr 23, 2026

📝 Walkthrough

The release workflow is updated to generalize tag promotion post-attestation. Instead of conditionally re-tagging only :latest, the workflow now reads all tags from docker/metadata-action output and applies each via docker buildx imagetools create against the attested image digest, with added shell safety (set -euo pipefail).

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Release workflow tag promotion: .github/workflows/release.yml | Replaces single-condition :latest re-tag with loop-based promotion of all semantic tags (latest, semver, major.minor) via docker buildx imagetools create to correct GHCR package page install hint from digest-based attestation tag to human-readable tag. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Tags now dance in orderly rows,
No more sha256 in our install prose!
Imagetools create, a loop so divine,
Makes GHCR hints read perfectly fine! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title 'fix(ci): promote all image tags after attestation for GHCR UI' directly and clearly summarizes the main change: promoting all image tags post-attestation to fix GHCR UI display. |
| Linked Issues check | ✅ Passed | The PR implements all key requirements from issue #74: it loops over all tags from docker/metadata-action output, re-PUTs each via docker buildx imagetools create to bump their timestamps above the attestation manifest, preserves attestation publication, and includes stricter shell behavior. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to .github/workflows/release.yml release job as specified in issue #74; no unrelated modifications or code changes are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

nayrosk self-assigned this Apr 23, 2026
nayrosk merged commit 59cb161 into develop Apr 23, 2026
9 checks passed
nayrosk deleted the fix/ci-ghcr-install-hint-74 branch April 23, 2026 07:00
nayrosk mentioned this pull request May 12, 2026
5 tasks
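
The tag-promotion loop described in the PR summary and in the CodeRabbit walkthrough, written out as an added example; it is not the project's release.yml. The function name `promote_tags`, the `DOCKER` dry-run override and passing the digest as an argument are assumptions made for illustration; every tag is re-created from `repo@digest` so it can only point at the attested image.

```bash
#!/usr/bin/env bash
# Added example, not the project's release.yml.
set -eu
# pipefail as in the workflow's `set -euo pipefail`; skipped on shells without it.
(set -o pipefail) 2>/dev/null && set -o pipefail

# DOCKER=echo prints the commands instead of running them (dry run).
DOCKER="${DOCKER:-docker}"

# promote_tags TAGS DIGEST
#   TAGS   newline-separated refs, the shape of steps.meta.outputs.tags
#   DIGEST digest of the built and attested image (assumed here to come from
#          the build step's output)
promote_tags() {
  local tags="$1" digest="$2" tag repo count=0

  # Fail closed: only a full sha256 digest is an immutable source.
  if ! printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "refusing to promote: invalid digest '$digest'" >&2
    return 1
  fi

  while IFS= read -r tag; do
    [ -n "$tag" ] || continue   # skip blank lines in the tag list
    # Require repo:tag; a ref with no tag part (or only a port) is rejected.
    if ! printf '%s\n' "$tag" | grep -Eq '^[^[:space:]]+:[A-Za-z0-9_][A-Za-z0-9_.-]*$'; then
      echo "refusing to promote: malformed tag '$tag'" >&2
      return 1
    fi
    repo="${tag%:*}"
    # Source is repo@digest, so the tag can only point at the attested image;
    # the fresh push makes the tag newer than the attestation referrer.
    "$DOCKER" buildx imagetools create --tag "$tag" "${repo}@${digest}" </dev/null
    count=$((count + 1))
  done <<EOF
$tags
EOF

  # No tags means the metadata step produced nothing: surface it as an error.
  if [ "$count" -eq 0 ]; then
    echo "no tags to promote" >&2
    return 1
  fi
}
```

Run with `DOCKER=echo` first to review the exact `imagetools create` commands before they touch the registry.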