refactor: use GHCR as intermediate storage for Docker Hub publishing (#319)

sapientpants · claude · web-flow · commit 185a1d5c3711 · 2025-10-11T22:31:00.000+02:00
Previously attempted to publish multi-platform Docker images by extracting OCI tar archives, but docker buildx imagetools cannot work with oci-layout:// scheme or tar archives directly. This change refactors the Docker publishing workflow to: - Push multi-platform images to GHCR during Main workflow build - Use docker buildx imagetools create for registry-to-registry copy to Docker Hub - Maintain native Docker tooling without third-party dependencies - Preserve multi-platform manifest lists correctly Fixes: #<will be determined by PR> 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.changeset/docker-publish-via-ghcr.md b/.changeset/docker-publish-via-ghcr.md
@@ -0,0 +1,21 @@
+---
+'sonarqube-mcp-server': patch
+---
+
+Refactor Docker Hub publishing to use GHCR as intermediate storage
+
+Previously attempted to publish multi-platform Docker images by extracting OCI tar archives and using `docker buildx imagetools create` with `oci-layout://` scheme, which is not supported.
+
+Now multi-platform images are pushed to GitHub Container Registry (GHCR) during the build phase, then copied to Docker Hub using `docker buildx imagetools create` for registry-to-registry transfer. This approach:
+
+- Uses Docker's native buildx imagetools tooling (no third-party dependencies)
+- Preserves multi-platform manifest lists correctly
+- Maintains "build once, publish everywhere" model
+- Leverages GHCR's free hosting for public repositories
+- Simplifies the publish workflow by eliminating artifact extraction logic
+
+Changes:
+
+- Modified `.github/workflows/reusable-docker.yml` to push multi-platform builds to GHCR
+- Updated `.github/workflows/main.yml` with `packages: write` permission for GHCR
+- Refactored `.github/workflows/publish.yml` to copy images from GHCR to Docker Hub
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -23,12 +23,14 @@ concurrency:
 # attestations: write - Attach attestations to artifacts
 # security-events: write - Upload security scan results
 # actions: read - Access workflow runs and artifacts
+# packages: write - Push Docker images to GitHub Container Registry
 permissions:
   contents: write
   id-token: write
   attestations: write
   security-events: write
   actions: read
+  packages: write
 
 jobs:
   # =============================================================================
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -258,7 +258,7 @@ jobs:
 
   # =============================================================================
   # DOCKER HUB PUBLISHING
-  # Uses pre-built and pre-scanned Docker image from main workflow
+  # Copies pre-built multi-platform image from GHCR to Docker Hub
   # =============================================================================
 
   docker:
@@ -269,8 +269,7 @@ jobs:
     if: vars.ENABLE_DOCKER_RELEASE == 'true'
     permissions:
       contents: read
-      packages: write # Push to GitHub Container Registry if needed
-      actions: read # Required to download artifacts
+      packages: read # Read from GitHub Container Registry
     steps:
       - name: Determine version
         id: version
@@ -296,87 +295,45 @@ jobs:
             exit 0
           fi
 
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ steps.version.outputs.tag }}
-
-      - name: Determine artifact source
-        id: artifact
+      - name: Set up Docker Buildx
+        # Required for imagetools commands
         if: steps.check-docker.outputs.has_credentials == 'true'
-        # Use shared script to find the correct Docker image artifact from the release build
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          chmod +x .github/scripts/determine-artifact.sh
-          .github/scripts/determine-artifact.sh \
-            --tag "${{ steps.version.outputs.tag }}" \
-            --repo "${{ github.repository }}" \
-            --version "${{ steps.version.outputs.version }}" \
-            --prefix "docker-image" \
-            --output "$GITHUB_OUTPUT"
+        uses: docker/setup-buildx-action@v3
 
-      - name: Download Docker image artifact
-        # Download the pre-built, pre-scanned image from main workflow
-        # This ensures we publish exactly what was tested
+      - name: Login to GitHub Container Registry
+        # Login to GHCR to pull the pre-built image
         if: steps.check-docker.outputs.has_credentials == 'true'
-        uses: actions/download-artifact@v4
+        uses: docker/login-action@v3
         with:
-          name: ${{ steps.artifact.outputs.artifact_name }}
-          path: ./docker-artifact
-          run-id: ${{ steps.artifact.outputs.run_id }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Verify artifact exists
-        if: steps.check-docker.outputs.has_credentials == 'true'
-        run: |
-          # The artifact name format has changed to use short SHA
-          EXPECTED_FILE="./docker-artifact/${{ steps.artifact.outputs.artifact_name }}.tar.gz"
-          if [ ! -f "$EXPECTED_FILE" ]; then
-            echo "❌ Docker image artifact not found!"
-            echo "Expected: $EXPECTED_FILE"
-            echo "Contents of ./docker-artifact:"
-            ls -la ./docker-artifact/ || echo "Directory does not exist"
-            echo ""
-            echo "This usually means the main workflow didn't build a Docker image."
-            echo "Ensure ENABLE_DOCKER_RELEASE was set to 'true' when the release was created."
-            exit 1
-          fi
-          echo "✅ Found Docker image artifact: $EXPECTED_FILE"
-
-      - name: Set up Docker Buildx
-        # Required for loading and pushing multi-platform images
-        if: steps.check-docker.outputs.has_credentials == 'true'
-        uses: docker/setup-buildx-action@v3
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Docker Hub
-        # SECURITY: Authenticate with Docker Hub
+        # SECURITY: Authenticate with Docker Hub for pushing
         if: steps.check-docker.outputs.has_credentials == 'true'
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Push Docker image
-        # Push the pre-built OCI multi-platform image to Docker Hub
+      - name: Copy image from GHCR to Docker Hub
+        # Use buildx imagetools to copy multi-platform image between registries
+        # This properly handles multi-platform manifest lists
         if: steps.check-docker.outputs.has_credentials == 'true'
         run: |
-          echo "📥 Decompressing and extracting OCI image..."
-          gunzip ./docker-artifact/${{ steps.artifact.outputs.artifact_name }}.tar.gz
-
-          # Extract OCI layout from tar
-          mkdir -p oci-layout
-          tar -xf ./docker-artifact/${{ steps.artifact.outputs.artifact_name }}.tar -C oci-layout
-
+          SOURCE_IMAGE="ghcr.io/${{ github.repository_owner }}/sonarqube-mcp-server"
           TARGET_REPO="${{ secrets.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}"
           VERSION="${{ steps.version.outputs.version }}"
 
-          echo "📤 Pushing multi-platform OCI image to Docker Hub..."
-          # Use docker buildx imagetools create to push from OCI layout
-          # This properly handles multi-platform manifest lists
+          echo "📤 Copying multi-platform image from GHCR to Docker Hub..."
+          echo "Source: $SOURCE_IMAGE:$VERSION"
+          echo "Target: $TARGET_REPO:$VERSION"
+
+          # Copy image with version tag
           docker buildx imagetools create \
             --tag $TARGET_REPO:$VERSION \
-            oci-layout://oci-layout
+            $SOURCE_IMAGE:$VERSION
 
           echo "🏷️ Creating additional tags..."
           # Create alias tags for latest, major, and major.minor versions
@@ -388,6 +345,7 @@ jobs:
           docker buildx imagetools create --tag $TARGET_REPO:$MAJOR.$MINOR $TARGET_REPO:$VERSION
 
           echo "✅ Docker image published successfully to Docker Hub"
+          echo "📋 Published tags: $VERSION, latest, $MAJOR, $MAJOR.$MINOR"
 
   # =============================================================================
   # NOTIFICATION
diff --git a/.github/workflows/reusable-docker.yml b/.github/workflows/reusable-docker.yml
@@ -88,6 +88,16 @@ jobs:
         # Advanced Docker builder with cache support
         uses: docker/setup-buildx-action@v3
 
+      - name: Login to GitHub Container Registry
+        # Login to GHCR for multi-platform builds that need to be pushed to registry
+        # Single-platform builds for PRs don't need registry push
+        if: inputs.save-artifact && contains(inputs.platforms, ',')
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       # =============================================================================
       # DOCKER BUILD
       # Build image with layer caching for efficiency
@@ -97,7 +107,9 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ inputs.image-name }}
+          # Use GHCR for multi-platform artifact builds, local name otherwise
+          images: |
+            ${{ (inputs.save-artifact && contains(inputs.platforms, ',')) && format('ghcr.io/{0}/{1}', github.repository_owner, inputs.image-name) || inputs.image-name }}
           tags: |
             type=raw,value=${{ inputs.version }},enable=${{ inputs.version != '' }}
             type=raw,value=latest,enable=${{ inputs.version != '' }}
@@ -109,37 +121,53 @@ jobs:
         id: build-config
         run: |
           # Determine if we're building for multiple platforms
+          IS_MULTI_PLATFORM="false"
           if echo "${{ inputs.platforms }}" | grep -q ','; then
-            echo "is_multi_platform=true" >> $GITHUB_OUTPUT
-          else
-            echo "is_multi_platform=false" >> $GITHUB_OUTPUT
+            IS_MULTI_PLATFORM="true"
           fi
 
-          # Determine if we can load the image (only for single-platform non-artifact builds)
+          # For multi-platform builds with save-artifact, push to GHCR
+          # For single-platform builds or PR builds, load locally or save to tar
           SAVE_ARTIFACT="${{ inputs.save-artifact }}"
-          if [ "$SAVE_ARTIFACT" != "true" ] && ! echo "${{ inputs.platforms }}" | grep -q ','; then
-            echo "can_load=true" >> $GITHUB_OUTPUT
-            echo "output_type=" >> $GITHUB_OUTPUT
+          SHOULD_PUSH="false"
+          CAN_LOAD="false"
+          OUTPUT_TYPE=""
+
+          if [ "$SAVE_ARTIFACT" = "true" ] && [ "$IS_MULTI_PLATFORM" = "true" ]; then
+            # Multi-platform artifact build: push to GHCR
+            SHOULD_PUSH="true"
+            CAN_LOAD="false"
+          elif [ "$SAVE_ARTIFACT" != "true" ] && [ "$IS_MULTI_PLATFORM" = "false" ]; then
+            # Single-platform PR build: load locally
+            CAN_LOAD="true"
           else
-            # Need to output to tar for artifact or multi-platform builds
-            echo "can_load=false" >> $GITHUB_OUTPUT
-            # Use tag SHA if provided, otherwise use github.sha
+            # Single-platform artifact build: save to tar
+            CAN_LOAD="false"
             SHA_TO_USE="${{ inputs.tag_sha || github.sha }}"
-            # Use OCI format for multi-platform builds (docker format doesn't support manifest lists)
-            if echo "${{ inputs.platforms }}" | grep -q ','; then
-              echo "output_type=type=oci,dest=${{ inputs.artifact-name }}-${SHA_TO_USE}.tar" >> $GITHUB_OUTPUT
-            else
-              echo "output_type=type=docker,dest=${{ inputs.artifact-name }}-${SHA_TO_USE}.tar" >> $GITHUB_OUTPUT
-            fi
+            OUTPUT_TYPE="type=docker,dest=${{ inputs.artifact-name }}-${SHA_TO_USE}.tar"
           fi
 
+          {
+            echo "is_multi_platform=$IS_MULTI_PLATFORM"
+            echo "should_push=$SHOULD_PUSH"
+            echo "can_load=$CAN_LOAD"
+            echo "output_type=$OUTPUT_TYPE"
+          } >> $GITHUB_OUTPUT
+
+          echo "📋 Build configuration:"
+          echo "  Multi-platform: $IS_MULTI_PLATFORM"
+          echo "  Save artifact: $SAVE_ARTIFACT"
+          echo "  Should push: $SHOULD_PUSH"
+          echo "  Can load: $CAN_LOAD"
+          echo "  Output type: $OUTPUT_TYPE"
+
       - name: Build Docker image
         id: build
         uses: docker/build-push-action@v6
         with:
           context: .
           platforms: ${{ inputs.platforms }}
-          push: false # Never push from this reusable workflow
+          push: ${{ steps.build-config.outputs.should_push == 'true' }}
           load: ${{ steps.build-config.outputs.can_load == 'true' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
@@ -163,14 +191,18 @@ jobs:
           if [ "$CAN_LOAD" = "true" ]; then
             # For loaded single-platform images, scan by image reference
             FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
-            echo "scan_input=" >> $GITHUB_OUTPUT
-            echo "scan_image_ref=$FIRST_TAG" >> $GITHUB_OUTPUT
+            {
+              echo "scan_input="
+              echo "scan_image_ref=$FIRST_TAG"
+            } >> $GITHUB_OUTPUT
             echo "Using image reference for scanning: $FIRST_TAG"
           else
             # For multi-platform or artifact builds, scan the tar file
             SHA_TO_USE="${{ inputs.tag_sha || github.sha }}"
-            echo "scan_input=${{ inputs.artifact-name }}-${SHA_TO_USE}.tar" >> $GITHUB_OUTPUT
-            echo "scan_image_ref=" >> $GITHUB_OUTPUT
+            {
+              echo "scan_input=${{ inputs.artifact-name }}-${SHA_TO_USE}.tar"
+              echo "scan_image_ref="
+            } >> $GITHUB_OUTPUT
             echo "Using tar file for scanning: ${{ inputs.artifact-name }}-${SHA_TO_USE}.tar"
           fi
 
@@ -231,21 +263,24 @@ jobs:
 
       # =============================================================================
       # ARTIFACT STORAGE
-      # Save Docker image for reuse in publish workflow
+      # Save Docker image tar files for single-platform builds
+      # Multi-platform builds are pushed to GHCR instead
       # =============================================================================
 
       - name: Compress Docker image artifact
         # Compress the tar file to reduce storage costs
-        if: inputs.save-artifact
+        # Only for single-platform builds (multi-platform builds pushed to GHCR)
+        if: inputs.save-artifact && !contains(inputs.platforms, ',')
         run: |
           SHA_TO_USE="${{ inputs.tag_sha || github.sha }}"
           echo "Compressing Docker image artifact..."
           gzip -9 ${{ inputs.artifact-name }}-${SHA_TO_USE}.tar
           ls -lh ${{ inputs.artifact-name }}-${SHA_TO_USE}.tar.gz
 
       - name: Upload Docker image artifact
-        # Store image for deterministic publishing
-        if: inputs.save-artifact
+        # Store single-platform image tar for deterministic publishing
+        # Multi-platform images are stored in GHCR registry
+        if: inputs.save-artifact && !contains(inputs.platforms, ',')
         uses: actions/upload-artifact@v4
         with:
           name: ${{ inputs.artifact-name }}-${{ inputs.tag_sha || github.sha }}
@@ -258,10 +293,19 @@ jobs:
       # Generate attestations for build provenance (main builds only)
       # =============================================================================
 
-      - name: Generate attestations
-        # Creates cryptographic proof of build provenance (SLSA Level 3)
-        # Only runs when id-token permission is available (required for attestations)
-        if: inputs.save-artifact && inputs.version != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != ''
+      - name: Generate attestations for GHCR images
+        # Creates cryptographic proof of build provenance for multi-platform images
+        # Multi-platform images are stored in GHCR registry
+        if: inputs.save-artifact && contains(inputs.platforms, ',') && inputs.version != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != ''
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/${{ github.repository_owner }}/${{ inputs.image-name }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate attestations for tar artifacts
+        # Creates cryptographic proof of build provenance for single-platform tar files
+        if: inputs.save-artifact && !contains(inputs.platforms, ',') && inputs.version != '' && env.ACTIONS_ID_TOKEN_REQUEST_URL != ''
         uses: actions/attest-build-provenance@v2
         with:
           subject-path: ${{ inputs.artifact-name }}-${{ inputs.tag_sha || github.sha }}.tar.gz
