Fixed Docker permissions.

Fixed tags in build.
Updated GH workflow.
2025-12-06 01:18:00 +01:00 · 2025-11-07 18:17:51 -08:00 · 2025-11-07 14:35:05 -08:00 · 2025-11-07 13:59:50 -08:00 · 2025-11-07 12:21:17 -08:00
2 changed files with 44 additions and 50 deletions
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@ -7,7 +7,7 @@ on:
  workflow_dispatch:
    inputs:
      version:
-        description: 'Optional image version (e.g. 3.0.0, beta)'
+        description: 'Optional image version (e.g. 3.0.0, v3.0.0, or 3.0.0-beta.1)'
        required: false
        default: ''

@ -18,17 +18,20 @@ jobs:
    permissions:
      contents: read
      packages: write
-      id-token: write

    steps:
      - uses: actions/checkout@v5

-      - name: Install cosign
-        uses: sigstore/cosign-installer@v3
-
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

+      - name: Log into GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Log into Docker Hub
        if: github.repository == 'umami-software/umami'
        uses: docker/login-action@v3
@ -37,62 +40,53 @@ jobs:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

-      - name: Log into GHCR
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      # Normalize manual input if provided
-      - name: Normalize manual version
-        id: normalize
+      - name: Compute version tags
+        id: compute
        run: |
          INPUT="${{ github.event.inputs.version }}"
+          REF_TYPE="${{ github.ref_type }}"
+          REF_NAME="${{ github.ref_name }}"
+
+          # Determine version source
          if [[ -n "$INPUT" ]]; then
            VERSION="${INPUT#v}"
-            MAJOR=$(echo "$VERSION" | cut -d. -f1)
-            MINOR=$(echo "$VERSION" | cut -d. -f2)
-            echo "version_tags=${VERSION},${MAJOR}.${MINOR},${MAJOR},latest" >> $GITHUB_ENV
+          elif [[ "$REF_TYPE" == "tag" ]]; then
+            VERSION="${REF_NAME#v}"
          else
-            echo "version_tags=" >> $GITHUB_ENV
+            VERSION=""
          fi

-      - name: Extract Docker metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: |
-            umamisoftware/umami,enable=${{ github.repository == 'umami-software/umami' }}
-            ghcr.io/${{ github.repository }}
-          flavor: |
-            latest=auto
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=raw,value=${{ env.version_tags }},enable=${{ env.version_tags != '' }}
-            type=ref,event=branch
-            type=sha
+          TAGS=""
+
+          if [[ -n "$VERSION" ]]; then
+            MAJOR=$(echo "$VERSION" | cut -d. -f1)
+            MINOR=$(echo "$VERSION" | cut -d. -f2)
+
+            if [[ "$VERSION" == *-* ]]; then
+              # prerelease: only version tag
+              TAGS="$VERSION"
+            else
+              # stable release: version + hierarchy + latest
+              TAGS="$VERSION,${MAJOR}.${MINOR},${MAJOR},postgresql-latest,latest"
+            fi
+          else
+            # Non-tag build (e.g. from main branch)
+            TAGS="${REF_NAME}"
+          fi
+
+          echo "tags=$TAGS" >> $GITHUB_OUTPUT
+          echo "Computed tags: $TAGS"

      - name: Build and push Docker image
-        id: build-and-push
+        id: build
        uses: docker/build-push-action@v6
        with:
          context: .
-          platforms: linux/amd64,linux/arm64
          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max
-          provenance: false # disable automatic attestations
-
-      # Generate a local provenance attestation instead of uploading signatures
-      - name: Generate provenance attestation
-        run: |
-          cosign attest --yes \
-            --predicate <(echo '{"build":"github-actions","repo":"${{ github.repository }}","run_id":"${{ github.run_id }}"}') \
-            --type slsaprovenance \
-            ${{ steps.meta.outputs.tags }}
-
+          provenance: false
+          tags: |
+            ghcr.io/${{ github.repository }}:${{ steps.compute.outputs.tags }}
+            ${{ github.repository == 'umami-software/umami' && format('umamisoftware/umami:{0}', steps.compute.outputs.tags) || '' }}
--- a/README.md
+++ b/README.md
@ -89,7 +89,7 @@ docker compose up -d
 Alternatively, to pull just the Umami Docker image with PostgreSQL support:

 ```bash
-docker pull docker.umami.is/umami-software/umami:postgresql-latest
+docker pull docker.umami.is/umami-software/umami:latest
 ```

 ---
Author	SHA1	Message	Date
Mike Cao	de6515139e	Fixed Docker permissions. Some checks are pending Node.js CI / build (postgresql, 18.18, 10) (push) Waiting to run Details	2025-11-07 18:17:51 -08:00
Mike Cao	e3ca002d77	Fixed tags in build.	2025-11-07 14:35:05 -08:00
Mike Cao	8119dae3c3	Updated GH workflow.	2025-11-07 13:59:50 -08:00
Mike Cao	6ee93f7ac9	Updated README and cd.yml.	2025-11-07 12:21:17 -08:00