Version workflow (#18)

* standardising docker tags and labels, theoretical version tag workflow

* stage 1 workflow testing

* docker labels need escapes

* quick description test

* longer description test...

* one last try for description

* theoretical versioned release workflow

logging versions to see why checks fail (#19)

versioned release workflow - fixing version comparison check (#20)

* possibly fixing version comparison

* removing test triggering

apparently org names must be lowercase (#21)

hopeful permissions fix (#22)

trying a different docker tag push action (#23)

uppercase org name again (#24)

.github/workflows/release.dev.yml

@@ -32,27 +32,43 @@ jobs:
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ${{ env.registry }}
-          username: ${{github.actor}}
-          password: ${{secrets.GITHUB_TOKEN}}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Set timestamp env var
-        run: echo "RUN_TIMESTAMP=$(TZ="Etc/UTC" date +'%Y%m%d%H%M%S')" >> $GITHUB_ENV
+      - uses: SebRollen/[email protected]
+        id: read_version
+        with:
+          file: pyproject.toml
+          field: project.version
 
       - name: Docker Metadata action
         id: meta
         uses: docker/[email protected]
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
         with:
-          images: ${{ env.registry }}/${{ env.repo-owner}}/${{ env.image-name}}
+          images: ${{ env.registry }}/${{ env.repo-owner }}/${{ env.image-name }}
+          # Tag notes:
+          # - RFC3339 is not suitable for docker tags, so we squash the date
+          # - We tag both the short (7-char prefixed) and full sha commit hashes; both are useful
+          # - `edge` represents latest main branch commit (potentially unstable)
           tags: |
+            type=sha
             ${{ github.sha }}
-            ${{ env.RUN_TIMESTAMP }}
-            dev-latest
+            type=raw,value={{date 'YYYYMMDDHHmmss[Z]'}}
+            edge
+          # Label notes:
+          # - Static labels are applied in the Dockerfile
+          # - Date format in `org.opencontainers.image.created` must be RFC3339
+          # - version should be considered a semver candidate only, unless revision aligns with a git tag
           labels: |
-            org.opencontainers.image.title=Hutch Bunny
-            org.opencontainers.image.vendor=University of Nottingham
-            org.opencontainers.image.version=0.0.1
-          # TODO: version label should reflect current source version?
-          # Could add more custom labels in the future here
+            org.opencontainers.image.revision={{sha}}
+            org.opencontainers.image.version=${{ steps.read_version.outputs.value }}
+            org.opencontainers.image.created={{date 'YYYY-MM-DD HH:mm:ss[Z]'}}
+          # TODO: More Annotations may be desirable instead of labels for some metadata,
+          # since we produce multiarch images
+          annotations: |
+            org.opencontainers.image.description=Hutch Bunny
 
       - name: Build and push Docker images
         uses: docker/[email protected]
@@ -63,3 +79,4 @@ jobs:
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}

.github/workflows/release.versioned.yml

@@ -0,0 +1,93 @@
+# This workflow is used to tag an existing container image with a semver version
+# and create a GitHub Release
+name: Publish a Versioned Release
+
+on:
+  push:
+    tags:
+      - v*
+
+env:
+  image-name: hutch/bunny
+  repo-owner: ${{ github.repository_owner }}
+  registry: ghcr.io
+
+jobs:
+  version-tag:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write # container images
+      contents: write # releases
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      # some docker actions need all lowercase, but our org name is mixed case 😠
+      - name: downcase repo-owner
+        run: |
+          echo "REPO_OWNER_LOWER=${GITHUB_REPOSITORY_OWNER,,}" >>${GITHUB_ENV}
+
+      # read source version
+      - uses: SebRollen/[email protected]
+        id: read_version
+        with:
+          file: pyproject.toml
+          field: project.version
+
+      - name: Parse version from tag
+        id: version
+        uses: release-kit/semver@v2
+
+      - name: Fail on Version Mismatch
+        if: ${{ steps.read_version.outputs.value != steps.version.outputs.full }}
+        run: |
+          echo "::error::Tag version '${{ steps.version.outputs.full }}' doesn't match source version '${{ steps.read_version.outputs.value }}'"
+          exit 1
+
+      # check image exists for commit
+      - uses: tyriis/[email protected]
+        with:
+          registry: ${{ env.registry }}
+          repository: ${{ env.REPO_OWNER_LOWER }}/${{ env.image-name }}
+          tag: ${{ github.sha }}
+
+      # standard login to the container registry
+      - name: Docker Login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.registry }}
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+
+      # We still use the metadata action to help build out our tags from the Workflow Run
+      - name: Docker Metadata action
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${{ env.registry }}/${{ env.repo-owner }}/${{ env.image-name }}
+          tags: | # new tags only
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      # Create Github Release
+      - uses: ncipollo/release-action@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag: ${{ github.ref_name }}
+          name: ${{ github.ref_name }}
+          body: |
+            # Hutch Bunny ${{ github.ref_name }}
+
+            [Tagged Container images](https://github.com/Health-Informatics-UoN/hutch-bunny/pkgs/container/hutch%2Fbunny)
+          generateReleaseNotes: true
+          prerelease: ${{ steps.version.outputs.prerelease != '' }}
+          makeLatest: false # TODO: can we reliably detect and automate this in future?
+
+      # apply the new tags to the existing images
+      - name: Push updated image tags
+        uses: akhilerm/[email protected]
+        with:
+          src: ${{ env.registry }}/${{ env.REPO_OWNER_LOWER }}/${{ env.image-name }}:${{ github.sha }}
+          dst: |
+            ${{ steps.meta.outputs.tags }}

Dockerfile

@@ -1,5 +1,13 @@
 FROM ghcr.io/astral-sh/uv:bookworm-slim
 
+LABEL org.opencontainers.image.title=Hutch\ Bunny
+LABEL org.opencontainers.image.description=Hutch\ Bunny
+LABEL org.opencontainers.image.vendor=University\ of\ Nottingham
+LABEL org.opencontainers.image.url=https://github.com/Health-Informatics-UoN/hutch-bunny/pkgs/container/hutch%2Fbunny
+LABEL org.opencontainers.image.documentation=https://health-informatics-uon.github.io/hutch/bunny
+LABEL org.opencontainers.image.source=https://github.com/Health-Informatics-UoN/hutch-bunny
+LABEL org.opencontainers.image.licenses=MIT
+
 COPY . /app
 WORKDIR /app