From fa0f9687cdeb9705c158aa61ab85da1bb8c775a4 Mon Sep 17 00:00:00 2001 From: Matthew Valancy Date: Sat, 13 Jun 2026 14:01:24 -0700 Subject: [PATCH] Fix build-stack manifest tag on PRs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The build-stack job assembled the multi-image stack manifest from a `${GITHUB_SHA::8}` tag that the build-and-push job never pushes, so it failed on every PR (e.g. the develop→main promotion). Use a tag that is actually published: `pr-` on pull_request events (matches metadata-action's type=ref,event=pr), `latest` on main, the branch name on other branch pushes, and a `sha-` fallback that matches the type=sha tag. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/docker-publish.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index a4f0683b..c75e8a42 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -102,12 +102,19 @@ jobs: - name: Determine tag id: tag run: | - if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then + # Must match a tag the build-and-push job actually pushed (see the + # docker/metadata-action tags above), or imagetools can't find the + # per-image manifests. On PRs metadata pushes `pr-`; on main + # it pushes `latest`. The old `${GITHUB_SHA::8}` fallback was never a + # pushed tag, so build-stack failed on every PR. + if [[ "${{ github.event_name }}" == "pull_request" ]]; then + echo "tag=pr-${{ github.event.number }}" >> $GITHUB_OUTPUT + elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then echo "tag=latest" >> $GITHUB_OUTPUT elif [[ "${{ github.ref }}" == refs/heads/* ]]; then echo "tag=${GITHUB_REF#refs/heads/}" | sed 's/\//-/g' >> $GITHUB_OUTPUT else - echo "tag=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT + echo "tag=sha-${GITHUB_SHA::7}" >> $GITHUB_OUTPUT fi - name: Create and push manifest for stack