fix: Change Docker publishing to trigger only on GitHub Releases

[Yeraze]

Summary

Update the Docker publish workflow to only build and publish images when a GitHub Release is published, rather than on every push to main.

Problem

The current workflow triggers Docker builds on:

• Every push to main branch
• Every tag push (v*)

This creates intermediate Docker images that aren't tied to official releases, cluttering the container registry.

Solution

Change the workflow trigger to:

• release: types: [published] - Only publish images for official GitHub Releases
• Keep PR builds for validation (without publishing)

Changes

✅ Workflow Trigger Update

• Removed: push to main branch
• Removed: push to tags (v*)
• Added: release with type published
• Kept: pull_request for validation builds

✅ Tag Generation Update

• Removed: type=ref,event=branch (no longer needed)
• Updated: latest tag now only applies when event_name == 'release'
• Kept: All semver patterns ({{version}}, {{major}}.{{minor}}, {{major}})
• Kept: PR reference tags for validation builds

Behavior After Merge

What Will Trigger Builds:

✅ Creating a GitHub Release (e.g., v1.2.0)

• Builds and publishes with tags: 1.2.0, 1.2, 1, latest

✅ Opening/updating a PR

• Builds for validation only (does not publish)

What Will NOT Trigger Builds:

❌ Pushing commits to main
❌ Pushing tags manually with git push --tags

Benefits

• Controlled Release Process - Images only for official releases
• Cleaner Registry - No intermediate or test images
• Clear Versioning - Each image corresponds to a GitHub Release
• Maintains PR Validation - Still tests builds on PRs

Test Plan

• Workflow syntax validated
• Merge to main
• Verify no build triggered by merge commit
• Create next release (e.g., v1.1.1)
• Verify Docker images are published automatically
• Confirm images appear at ghcr.io/yeraze/meshmonitor

Notes

This aligns with best practices where Docker images are only published for official releases, not on every commit to main. The workflow will automatically trigger when you create releases through the GitHub UI or gh release create.

🤖 Generated with Claude Code

[claude]

Claude finished @Yeraze's task —— View job

---

PR Review in Progress

Reviewing the Docker workflow changes for release-only publishing.

Todo List

• Read and analyze the workflow file changes
• Review code quality and best practices
• Check for potential bugs or issues
• Evaluate performance considerations
• Assess security concerns
• Review test coverage implications
• Provide comprehensive feedback

Analysis Complete - Providing Review

🔍 Code Review: Docker Workflow Changes

✅ Excellent Changes - Well Implemented

The modifications successfully achieve the stated goal of publishing Docker images only on GitHub Releases. Here's my detailed analysis:

Code Quality & Best Practices ⭐

• Clean trigger configuration: The change from push + tags to release: types: [published] is exactly right
• Proper conditional logic: The latest tag condition ${{ github.event_name == 'release' }} is correctly implemented
• Maintained validation: Keeping pull_request builds for validation is a smart practice

Security Assessment 🔒

• ✅ No security concerns: The workflow maintains proper permission scoping (contents: read, packages: write)
• ✅ Secure authentication: Uses GITHUB_TOKEN correctly with conditional login
• ✅ No secrets exposure: No hardcoded credentials or sensitive data

Performance Considerations ⚡

• ✅ Improved efficiency: Eliminates unnecessary builds on every main branch push
• ✅ Maintained caching: GitHub Actions cache (type=gha) is preserved
• ✅ Reduced registry bloat: Prevents intermediate image creation

Specific Changes Analysis

Removed (Good decisions):

# Before
on:
  push:
    branches: [main]
    tags: ['v*']

# Metadata tags removed:
type=ref,event=branch
type=raw,value=latest,enable={{is_default_branch}}

Added (Proper implementation):

# After  
on:
  release:
    types: [published]

# Updated metadata:
type=raw,value=latest,enable=${{ github.event_name == 'release' }}

🎯 Implementation Correctness

1. Trigger Logic: Perfect - only GitHub Releases will trigger publishing
2. Tag Generation: Correct - semver patterns preserved, latest only on releases
3. PR Validation: Maintained - PRs still build for validation without publishing
4. Registry Auth: Unchanged and secure - only authenticates when not a PR

📋 Test Coverage Implications

• No test changes needed: This is purely CI/CD configuration
• Validation preserved: PR builds continue to validate Docker builds
• Manual testing required: Will need to verify with actual release creation

🚀 Deployment Readiness

This change is ready for production with these expected behaviors:

• ✅ Merging to main → No Docker build triggered
• ✅ Creating GitHub Release → Docker images published with proper tags
• ✅ Opening PR → Validation build runs (no publish)

📝 Minor Suggestions

1. Documentation: Consider updating repository README to document the new release process
2. Release Notes: Ensure release creation process is documented for maintainers

⚠️ Testing Recommendation

After merge, create a test release (e.g., v1.1.1) to verify the workflow behaves as expected before the next major release.

---

Overall Assessment: ✅ APPROVED - This is a well-thought-out change that follows GitHub Actions best practices and achieves the stated goals without introducing any issues.

---