push the image to GHCR on merge to main, slice 3 of M4

Tags :latest and the commit SHA, authenticated with the built-in
GITHUB_TOKEN via the packages:write permission. Making the package
public is a one-time manual step in the package settings after the
first push.
This commit is contained in:
Justin Visser 2026-06-11 14:23:05 +02:00
parent 33df4d33eb
commit 51af5acf6a

33
.github/workflows/image.yml vendored Normal file
View file

@ -0,0 +1,33 @@
# Builds the Dockerfile and pushes the result to GHCR on every merge to
# main, tagged :latest (what the server pulls) and :<sha> (rollback to
# any exact commit without a release process). The GITHUB_TOKEN is
# enough to push packages; no extra secret needed, only the
# packages: write permission below.
name: Image
on:
push:
branches: [main]
jobs:
image:
name: Build and push to ghcr.io
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/build-push-action@v6
with:
context: .
push: true
tags: |
ghcr.io/justinzeus/spreadlab:latest
ghcr.io/justinzeus/spreadlab:${{ github.sha }}