fix: only push images and charts on releases with proper package association (#217)

casibbald · web-flow · commit ca62f34e33dd · 2025-07-07T22:23:48.000+03:00
- Build job now only tests Docker builds (no pushing)
- Release job pushes images only when release-please creates a release
- Added comprehensive OCI labels for proper GitHub package association
- Images will be properly linked to repository in GitHub packages
- Helm charts published to ghcr.io/weaveworks/charts only on releases
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -11,28 +11,9 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
   GOPRIVATE: github.com/weaveworks/cluster-controller
 
 jobs:
-  release-please:
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-      repository-projects: write
-    outputs:
-      release_created: ${{ steps.release.outputs.release_created }}
-      tag_name: ${{ steps.release.outputs.tag_name }}
-    steps:
-      - name: Run release-please
-        id: release
-        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
-        with:
-          release-type: go
-
   test:
     runs-on: ubuntu-latest
     permissions:
@@ -88,7 +69,6 @@ jobs:
     needs: [test]
     permissions:
       contents: read # for actions/checkout to fetch code
-      packages: write # for pushing to ghcr.io
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -100,43 +80,42 @@ jobs:
         id: get_version
         run: echo "VERSION=$(make version)" >> $GITHUB_OUTPUT
 
-      - name: Log in to the Container registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=raw,value=latest,enable={{is_default_branch}}
-
       - name: Configure git for private modules
         env:
           GITHUB_BUILD_USERNAME: ${{ secrets.BUILD_BOT_USER }}
           GITHUB_BUILD_TOKEN: ${{ secrets.BUILD_BOT_PERSONAL_ACCESS_TOKEN }}
         run: git config --global url."https://${GITHUB_BUILD_USERNAME}:${GITHUB_BUILD_TOKEN}@github.com".insteadOf "https://github.com"
 
-      - name: Build and push Docker image
+      - name: Build Docker image (test only)
         uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
         with:
           context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          push: false
+          tags: gitopssets-controller:test
           build-args: VERSION=${{ steps.get_version.outputs.VERSION }}
 
+  release-please:
+    runs-on: ubuntu-latest
+    needs: [build]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      repository-projects: write
+    outputs:
+      release_created: ${{ steps.release.outputs.release_created }}
+      tag_name: ${{ steps.release.outputs.tag_name }}
+    steps:
+      - name: Run release-please
+        id: release
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
+        with:
+          release-type: go
+
   release:
     runs-on: ubuntu-latest
-    needs: [build, test, release-please]
+    needs: [release-please]
     # only run when release-please creates a release
     if: needs.release-please.outputs.release_created == 'true'
     permissions:
@@ -170,6 +149,31 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Configure git for private modules
+        env:
+          GITHUB_BUILD_USERNAME: ${{ secrets.BUILD_BOT_USER }}
+          GITHUB_BUILD_TOKEN: ${{ secrets.BUILD_BOT_PERSONAL_ACCESS_TOKEN }}
+        run: git config --global url."https://${GITHUB_BUILD_USERNAME}:${GITHUB_BUILD_TOKEN}@github.com".insteadOf "https://github.com"
+
+      - name: Build and push release Docker image
+        uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/weaveworks/gitopssets-controller:${{ steps.get_version.outputs.VERSION }}
+            ghcr.io/weaveworks/gitopssets-controller:latest
+          labels: |
+            org.opencontainers.image.title=GitOpsSet Controller
+            org.opencontainers.image.description=A controller for managing GitOpsSet resources
+            org.opencontainers.image.source=https://github.com/weaveworks/gitopssets-controller
+            org.opencontainers.image.url=https://github.com/weaveworks/gitopssets-controller
+            org.opencontainers.image.documentation=https://github.com/weaveworks/gitopssets-controller
+            org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.licenses=Apache-2.0
+          build-args: VERSION=${{ steps.get_version.outputs.VERSION }}
+
       - name: Build and publish Helm chart
         run: |
           make publish-helm-chart
