feat: v0.3.0 — publish workflow-migrate Docker image to GHCR on release#4
Adds a `docker` job to the release workflow that builds and pushes ghcr.io/gocodealone/workflow-migrate on every tag:

- Multi-arch: linux/amd64 + linux/arm64 (single build-push-action step)
- Versioned tag (e.g. :v0.3.0) always pushed
- :latest pushed only for stable releases (no hyphen in tag)
- Uses existing cmd/workflow-migrate/Dockerfile unchanged (distroless/static, nonroot user, no shell)
- OCI labels: source, version, revision
- Runs after goreleaser release job (needs: release)
- GITHUB_TOKEN only, packages: write permission scoped to docker job

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Adds automated publishing of the workflow-migrate Docker image to GitHub Container Registry (GHCR) as part of the tag-based release workflow, and documents the release in a new changelog.
Changes:
- Add a `docker` job to the release workflow to build/push a multi-arch (amd64/arm64) image to GHCR on tag pushes.
- Compute and push versioned tags for every release, and conditionally push `:latest` for stable tags.
- Add `CHANGELOG.md` entry for v0.3.0 describing the new official image publishing.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `CHANGELOG.md` | Introduces a changelog and documents v0.3.0, including GHCR image publishing behavior. |
| `.github/workflows/release.yml` | Adds a Docker build/push job that runs after the existing release job and publishes multi-arch images to GHCR. |
| permissions: | ||
| contents: read | ||
| packages: write |
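Review bot: a job-level `permissions` block replaces the workflow-level block entirely rather than merging with it, so if `packages: write` is moved off this workflow-level block onto the `docker` job as suggested, the `docker` job's own block must also restate `contents: read`, otherwise its checkout step loses repository read access; the same applies to any other job that is given its own `permissions` block.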
The PR description says `packages: write` is scoped to the `docker` job, but the workflow-level `permissions` block still grants `packages: write` to all jobs (including `release`). If least-privilege is the goal, move `packages: write` off the workflow-level permissions and set it only on the `docker` job (and keep `release` to the minimum it needs).
Fixed in fa3eff0: removed `packages: write` from the workflow-level permissions block. It's now only on the `docker` job that actually pushes to GHCR.
Also addressed binary-drift concern in 10d54fe: pinned Dockerfile Go version to `golang:1.26.0-alpine` to match `go 1.26.0` in `go.mod` exactly.
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: | | ||
| org.opencontainers.image.source=https://github.com/GoCodeAlone/workflow-plugin-migrations |
`org.opencontainers.image.source` is hard-coded to a specific GitHub URL; this can become inaccurate if the repo is renamed or the workflow is reused in a fork. Consider deriving it from `${{ github.server_url }}` and `${{ github.repository }}` so the label always matches the source repository.
| org.opencontainers.image.source=https://github.com/GoCodeAlone/workflow-plugin-migrations | |
| org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} |
Fixed in fa3eff0: replaced the hardcoded URL with `${{ github.server_url }}/${{ github.repository }}` for fork-safety.
…ce label
- Remove packages: write from workflow-level permissions (already explicitly
scoped to the docker job that pushes to GHCR)
- Replace hardcoded org.opencontainers.image.source URL with
${{ github.server_url }}/${{ github.repository }} for fork-safety
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Prevents binary drift between the goreleaser-built release binary (pinned to go 1.26.0 via go-version-file: go.mod) and the Dockerfile- built image binary. If go.mod's Go version is bumped, this line must be bumped to match. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.
Summary

- Adds a `docker` job to `.github/workflows/release.yml` that builds and pushes `ghcr.io/gocodealone/workflow-migrate` on every tag
- Multi-arch: `linux/amd64` + `linux/arm64`, a single `build-push-action` step via computed tag list
- Versioned tag (e.g. `:v0.3.0`) always pushed; `:latest` pushed only for stable releases (no hyphen in tag)
- Uses existing `cmd/workflow-migrate/Dockerfile` unchanged: distroless/static, nonroot user, no shell
- Runs after goreleaser `release` job (`needs: release`)
- `GITHUB_TOKEN` only; `packages: write` scoped to `docker` job

Why

BMW and other consumers currently clone this repo and build the image from source to run pre-deploy migration jobs. This publishes an official image so they can reference `ghcr.io/gocodealone/workflow-migrate:v0.3.0` directly without cloning or building.

Test plan

- Tag `v0.3.0`: verify release workflow runs both `release` (goreleaser) and `docker` jobs
- `ghcr.io/gocodealone/workflow-migrate:v0.3.0` and `:latest` appear in GHCR packages
- `docker run --rm ghcr.io/gocodealone/workflow-migrate:v0.3.0 --help`
- `docker manifest inspect ghcr.io/gocodealone/workflow-migrate:v0.3.0`

🤖 Generated with Claude Code
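The tag rule described in the summary (versioned tag always, `:latest` only when the tag has no hyphen) as an added POSIX shell example; this is not the PR's own workflow code, and it assumes the git tag is passed as an argument where the real job would read it from the workflow context.

```shell
#!/bin/sh
# Added example, not the PR's workflow: computes the image tag list that a
# "meta" step would hand to build-push-action. Assumes the git tag is passed
# as $1 (in the real job it would come from the workflow's ref name).

IMAGE="ghcr.io/gocodealone/workflow-migrate"

# is_stable TAG -> exit 0 for a stable release (no hyphen, e.g. v0.3.0),
# non-zero for pre-releases such as v0.3.0-rc1 or v1.0.0-beta.2
is_stable() {
  case "$1" in
    *-*) return 1 ;;
    *)   return 0 ;;
  esac
}

# compute_tags TAG -> prints the full image references to push, one per line:
# the versioned tag always, followed by :latest only for stable tags
compute_tags() {
  tag="$1"
  printf '%s:%s\n' "$IMAGE" "$tag"
  if is_stable "$tag"; then
    printf '%s:latest\n' "$IMAGE"
  fi
}

# write_output TAG -> prints the tag list and, when running inside GitHub
# Actions (GITHUB_OUTPUT set), also records it as the multi-line step output
# "tags" so a later step can consume ${{ steps.meta.outputs.tags }}
write_output() {
  tags="$(compute_tags "$1")"
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    {
      echo "tags<<EOF"
      echo "$tags"
      echo "EOF"
    } >> "$GITHUB_OUTPUT"
  fi
  echo "$tags"
}

# Usage: ./tags.sh v0.3.0
if [ $# -gt 0 ]; then
  write_output "$1"
fi
```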