From af5002feea047dedfc996bf729f8435de73f3aa6 Mon Sep 17 00:00:00 2001 From: Nando Vieira Date: Fri, 5 Jun 2026 15:03:58 -0700 Subject: [PATCH] Tag :latest only for the newest released version. --- .github/workflows/docker.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 971627caa..c630fb9b5 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -44,6 +44,7 @@ jobs: with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} path: source + fetch-depth: 0 - name: Check out Dockerfile ref uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -52,7 +53,9 @@ jobs: path: dockerfile # Resolve both refs to SHAs and compute Docker tags from the source ref. - # - Version tag (e.g. v1.2.3): push versioned + latest tags. + # - Highest version tag (e.g. v1.2.3): push versioned + latest tags. + # - Older version tag: push only the versioned tag, so :latest never + # moves back to an older line (e.g. a 25.x patch after 26.x ships). # - Any other ref: push a tag for the resolved source commit SHA. - name: Resolve refs and tags id: resolve @@ -65,7 +68,17 @@ jobs: if [[ "$ref" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then version="${ref#v}" - echo "tags=-t ${REGISTRY_IMAGE}:${version} -t ${REGISTRY_IMAGE}:latest" >> $GITHUB_OUTPUT + highest="$(git -C source tag --list 'v[0-9]*.[0-9]*.[0-9]*' \ + | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -n1)" + if [[ -z "$highest" ]]; then + echo "::error::Could not determine the highest version tag." + exit 1 + fi + if [[ "$ref" == "$highest" ]]; then + echo "tags=-t ${REGISTRY_IMAGE}:${version} -t ${REGISTRY_IMAGE}:latest" >> $GITHUB_OUTPUT + else + echo "tags=-t ${REGISTRY_IMAGE}:${version}" >> $GITHUB_OUTPUT + fi elif [[ "${{ github.event_name }}" == "release" ]]; then echo "::error::Release tag '${ref}' is not a valid version tag (expected vX.Y.Z)." exit 1