From 4df3a85338a11cd612da9b3fd7a25c172cf8ea98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Fri, 10 Apr 2026 12:56:31 +0200
Subject: [PATCH 1/3] disable automatic latest tag

---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6dce2fc5..904a13c3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,17 +11,17 @@ concurrency:
 jobs:
 build-docker-release:
 # Ignore tags with -, like v1.0.0-alpha
- # This job will build the docker container with the "latest" tag which
- # is a tag used in production, thus it should only be run for full releases.
 if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-')
 name: Build Release Docker image
 uses: ./.github/workflows/build-docker.yml
 with:
 tags: |
- type=raw,value=latest
 type=semver,pattern={{version}}
 type=semver,pattern={{major}}.{{minor}}
 type=sha
+ # Explicitly disable latest tag. It will be added by publish-docker-latest.yml.
+ flavor: |
+ latest=false

 build-docker-prerelease:
 # Only build tags with -, like v1.0.0-alpha
From b1e51b0a31eaa779d51a92a89d7a135db54d7f78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Fri, 10 Apr 2026 12:56:48 +0200
Subject: [PATCH 2/3] tag image as latest on release publish

---
 .github/workflows/publish-docker-latest.yml | 54 +++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .github/workflows/publish-docker-latest.yml

diff --git a/.github/workflows/publish-docker-latest.yml b/.github/workflows/publish-docker-latest.yml
new file mode 100644
index 00000000..c83c8540
--- /dev/null
+++ b/.github/workflows/publish-docker-latest.yml
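Review bot: The new `flavor:` input passed to `./.github/workflows/build-docker.yml` is only accepted if that reusable workflow declares `flavor` under `on.workflow_call.inputs`; if it does not, GitHub rejects the caller at workflow-validation time, and since build-docker.yml is outside this patch that cannot be confirmed here. Assuming it is forwarded to docker/metadata-action, `latest=false` is genuinely needed even after `type=raw,value=latest` is removed, because metadata-action's default `latest=auto` still tags semver builds as `latest` — the new comment would be more useful if it said why: `# metadata-action's default latest=auto would still tag semver builds as latest; disable it here, publish-docker-latest.yml adds the tag when a release is marked latest.`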
@@ -0,0 +1,54 @@
+name: Publish Docker latest tag
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ tag-docker-latest:
+ # Only run when the release is marked as "Latest release" in the GitHub UI
+ if: github.event.release.make_latest == 'true'
+ runs-on: [self-hosted, Linux]
+
+ env:
+ GHCR_REPO: ghcr.io/defguard/gateway
+
+ permissions:
+ packages: write
+ id-token: write # needed for Cosign keyless signing
+
+ steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v4.1.0
+
+ - name: Login to GitHub container registry
+ uses: docker/login-action@v4
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v4
+
+ - name: Derive semver tag
+ run: |
+ # Strip the leading 'v' from the release tag name (e.g. v1.2.3 -> 1.2.3)
+ VERSION="${{ github.event.release.tag_name }}"
+ echo "VERSION=${VERSION#v}" >> $GITHUB_ENV
+
+ - name: Tag image as latest
+ run: |
+ docker buildx imagetools create \
+ --tag ${{ env.GHCR_REPO }}:latest \
+ ${{ env.GHCR_REPO }}:${{ env.VERSION }}
+
+ - name: Sign the latest tag with GitHub OIDC Token
+ run: cosign sign --yes ${{ env.GHCR_REPO }}:latest
+
+ - name: Verify image signature
+ run: |
+ cosign verify ${{ env.GHCR_REPO }}:latest \
+ --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+ --certificate-identity-regexp="https://github.com/DefGuard/gateway" \
+ -o text
From 197c0980c59bb2abc4a62dcdae9df0b5b69d70e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?=
Date: Fri, 10 Apr 2026 13:00:45 +0200
Subject: [PATCH 3/3] bump action version

---
 .github/workflows/publish-docker-latest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish-docker-latest.yml b/.github/workflows/publish-docker-latest.yml
index c83c8540..a7cb236e 100644
--- a/.github/workflows/publish-docker-latest.yml
+++ b/.github/workflows/publish-docker-latest.yml
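Review bot: The `--certificate-identity-regexp="https://github.com/DefGuard/gateway"` in the "Verify image signature" step is unanchored and has unescaped dots, so cosign (Go regexp, substring match) also accepts certificates issued to any workflow whose identity merely contains that string — another repository under the same owner with a longer name, for example — which makes the verify step weaker than it looks; anchor it to this workflow file and the tag ref, as in the fence below. In the "Derive semver tag" step `github.event.release.tag_name` is expanded straight into the `run:` script, and the derived value is re-expanded via `${{ env.VERSION }}` in the "Tag image as latest" step; that is the template-injection pattern GitHub's hardening guidance warns about, so pass the tag through `env:` and use shell variables (and quote `$GITHUB_ENV`). The three `uses:` references are mutable version tags (`@v4`, `@v4.1.0`, bumped to `@v4.1.1` in patch 3/3); pinning them to full commit SHAs would close the action-supply-chain window for a job that holds `packages: write` and `id-token: write`. Two points I cannot confirm from the patch alone: the `if: github.event.release.make_latest == 'true'` guard only works if `make_latest` is actually present in the `release` webhook payload (if it is absent the job silently never runs, so check against a real published release), and `cosign sign`/`cosign verify` act on the `:latest` tag rather than a resolved digest, so resolving the digest once after `imagetools create` and signing/verifying `repo@sha256:…` would make the two steps refer to the same artifact even if the tag moves.
```yaml
      # … unchanged: Install Cosign, Login, Set up Docker Buildx steps …
      - name: Derive semver tag
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          # Strip the leading 'v' from the release tag name (e.g. v1.2.3 -> 1.2.3)
          echo "VERSION=${RELEASE_TAG#v}" >> "$GITHUB_ENV"

      - name: Tag image as latest
        run: |
          docker buildx imagetools create \
            --tag "$GHCR_REPO:latest" \
            "$GHCR_REPO:$VERSION"

      - name: Sign the latest tag with GitHub OIDC Token
        run: cosign sign --yes "$GHCR_REPO:latest"

      - name: Verify image signature
        run: |
          cosign verify "$GHCR_REPO:latest" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github\.com/DefGuard/gateway/\.github/workflows/publish-docker-latest\.yml@refs/tags/' \
            -o text
```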
@@ -19,7 +19,7 @@ jobs:

 steps:
 - name: Install Cosign
- uses: sigstore/cosign-installer@v4.1.0
+ uses: sigstore/cosign-installer@v4.1.1

 - name: Login to GitHub container registry
 uses: docker/login-action@v4