From 33ad166ce8e092f5dac70fea5a9063c3e6eb4277 Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan
Date: Tue, 3 Feb 2026 04:25:21 -0500
Subject: [PATCH] Make versioned tags immutable
- Full release (3.38.9): creates web-3.38.9 + web-latest
- Prerelease (3.38.9-rebuild-20260203): creates web-3.38.9-rebuild-20260203 + web-dev
- Versioned tags never get overwritten after initial publish
Co-Authored-By: Claude Opus 4.5
---
 .gitea/workflows/publish.yaml | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/.gitea/workflows/publish.yaml b/.gitea/workflows/publish.yaml
index da38c1f..470b99c 100644
--- a/.gitea/workflows/publish.yaml
+++ b/.gitea/workflows/publish.yaml
@@ -33,16 +33,18 @@ jobs:
 id: version
 run: |
 if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
- # Pre-release: fetch latest stable version, tag as dev
- FLUTTER_VERSION=$(curl -fsSL https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json \
- | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
- echo "flutter_version=${FLUTTER_VERSION}" >> $GITHUB_OUTPUT
- echo "tag=${{ matrix.variant }}-dev" >> $GITHUB_OUTPUT
- echo "Using latest Flutter stable ${FLUTTER_VERSION} for pre-release test"
+ # Pre-release: use release tag as version, don't overwrite existing tags
+ # Extract base Flutter version for build-arg (e.g., 3.38.9 from 3.38.9-rebuild-20260203)
+ BASE_VERSION=$(echo "${{ github.event.release.tag_name }}" | grep -oP '^[0-9]+\.[0-9]+\.[0-9]+')
+ echo "flutter_version=${BASE_VERSION}" >> $GITHUB_OUTPUT
+ echo "tag=${{ matrix.variant }}-${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+ echo "secondary_tag=${{ matrix.variant }}-dev" >> $GITHUB_OUTPUT
+ echo "Pre-release: building Flutter ${BASE_VERSION}, tagging as ${{ github.event.release.tag_name }}"
 else
 # Full release: use the release tag as the Flutter version
 echo "flutter_version=${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
- echo "tag=${{ matrix.variant }}-latest" >> $GITHUB_OUTPUT
+ echo "tag=${{ matrix.variant }}-${{ github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+ echo "secondary_tag=${{ matrix.variant }}-latest" >> $GITHUB_OUTPUT
 fi
 - name: Set up QEMU
@@ -67,7 +69,7 @@ jobs:
 load: true
 build-args: |
 FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
- tags: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
+ tags: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
 - name: Install Docker Scout
 run: |
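Review bot: `${{ github.event.release.tag_name }}` is substituted into the `run:` script text before the shell parses it, so in the new `BASE_VERSION=$(echo "${{ … }}" | grep -oP …)` line and the `echo "tag=…"` lines a release tag containing a quote, `$(…)` or a backtick is read as shell syntax rather than data, in a job that also uses `secrets.REGISTRY_URL`. Pass the tag through a step-level `env:` entry, reference it as a quoted shell variable, and validate its shape once, so that an unexpected tag fails the job instead of yielding an empty `flutter_version` or an invalid image tag. The same value now reaches the `docker scout cves` command line in the third hunk through `steps.version.outputs.tag`, so rejecting bad tags here covers that step as well. The step starts above this hunk; the `env:` block belongs next to the existing `id: version`, and the indentation below is conventional because the page has lost the original.

```yaml
        id: version
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          VARIANT: ${{ matrix.variant }}
        run: |
          # Accept only X.Y.Z or X.Y.Z-suffix; anything else stops the job here
          if [[ ! "$RELEASE_TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9._-]+)?$ ]]; then
            echo "Unexpected release tag: ${RELEASE_TAG}" >&2
            exit 1
          fi
          if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
            # … unchanged: pre-release comments …
            BASE_VERSION="${RELEASE_TAG%%-*}"
            echo "flutter_version=${BASE_VERSION}" >> $GITHUB_OUTPUT
            echo "tag=${VARIANT}-${RELEASE_TAG}" >> $GITHUB_OUTPUT
            echo "secondary_tag=${VARIANT}-dev" >> $GITHUB_OUTPUT
            echo "Pre-release: building Flutter ${BASE_VERSION}, tagging as ${RELEASE_TAG}"
          else
            # … unchanged: full-release comment …
            echo "flutter_version=${RELEASE_TAG}" >> $GITHUB_OUTPUT
            echo "tag=${VARIANT}-${RELEASE_TAG}" >> $GITHUB_OUTPUT
            echo "secondary_tag=${VARIANT}-latest" >> $GITHUB_OUTPUT
          fi
```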
@@ -76,7 +78,7 @@ jobs:
 - name: Docker Scout CVE Scan
 run: |
- docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }} --only-severity critical,high
+ docker scout cves ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }} --only-severity critical,high
 - name: Build and push with attestations
 uses: docker/build-push-action@v5
@@ -90,12 +92,12 @@ jobs:
 build-args: |
 FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
 tags: |
- ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
+ ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.secondary_tag }}
 labels: |
 org.opencontainers.image.title=${{ env.IMAGE_NAME }}
 org.opencontainers.image.description=${{ matrix.description }}
- org.opencontainers.image.version=${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
+ org.opencontainers.image.version=${{ steps.version.outputs.tag }}
 org.opencontainers.image.revision=${{ github.sha }}
 sync-readme:
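Review bot: The `docker scout cves … --only-severity critical,high` command prints findings but by default still exits 0 when it finds them, so the "Build and push with attestations" step that follows runs even when the loaded image has critical or high CVEs. Appending `--exit-code` turns the scan into a gate: `… --only-severity critical,high --exit-code`. If the scan is meant to be advisory only, a one-line comment above the command saying so would keep a later reader from assuming it blocks the release.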
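Review bot: Nothing in the `tags:` list or elsewhere in the visible step stops `${{ steps.version.outputs.tag }}` from being pushed a second time, so re-running the workflow for the same release, or publishing another release with the same tag name, would overwrite `web-3.38.9` exactly as it overwrites the moving `secondary_tag`. The immutability described in the commit message therefore rests on something outside this file, and consumers who pin the versioned tag could receive different content without notice. Either enforce immutability for versioned tags on the registry, if it supports that, or add a step before the push that fails when the tag already resolves, for example `docker buildx imagetools inspect "$IMAGE:$TAG" >/dev/null 2>&1 && { echo "tag already published" >&2; exit 1; }`, with `IMAGE` and `TAG` (placeholder names) supplied through `env:`. The step's `uses:` and the start of its `with:` block are above this hunk.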