Skip to content
Latchkey

Publish Docker Image workflow (amchii/tg-signer)

The Publish Docker Image workflow from amchii/tg-signer, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: amchii/tg-signer.github/workflows/docker-publish.ymlLicense BSD-3-ClauseView source

What it does

This is the Publish Docker Image workflow from the amchii/tg-signer repository, a real project running GitHub Actions. It is shown here with attribution under its BSD-3-Clause license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Publish Docker Image

on:
  push:
    tags:
      - '*'
  workflow_dispatch:
    inputs:
      ref:
        description: Git ref to build
        required: true
        default: main
      image_tag:
        description: Docker image tag to publish for this manual run
        required: true
        default: manual-test

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          - target: cli
            tag_suffix: ''
            latest_tag: latest
          - target: webui
            tag_suffix: -webui
            latest_tag: latest-webui

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref || github.ref }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Prepare image tags
        id: prep
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          PUSH_TAG_NAME: ${{ github.ref_name }}
          MANUAL_IMAGE_TAG: ${{ inputs.image_tag }}
        run: |
          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            ref_name="${MANUAL_IMAGE_TAG}"
          else
            ref_name="${PUSH_TAG_NAME}"
          fi

          image="${REGISTRY}/${IMAGE_NAME}"

          if [[ ! "${ref_name}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "Unsupported Docker tag format: ${ref_name}" >&2
            exit 1
          fi

          {
            echo "version_tag=${ref_name}${{ matrix.tag_suffix }}"
            echo "tags<<EOF"
            echo "${image}:${ref_name}${{ matrix.tag_suffix }}"
            if [[ "${EVENT_NAME}" == "push" ]]; then
              echo "${image}:${{ matrix.latest_tag }}"
            fi
            echo "EOF"
          } >> "${GITHUB_OUTPUT}"

      - name: Build and push ${{ matrix.target }} image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./docker/GHCR.Dockerfile
          target: ${{ matrix.target }}
          platforms: linux/amd64,linux/arm64
          provenance: false
          push: true
          tags: ${{ steps.prep.outputs.tags }}
          labels: |
            org.opencontainers.image.title=tg-signer
            org.opencontainers.image.description=Automated Telegram tasks with check-ins, monitoring, forwarding, and auto replies.
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.version=${{ steps.prep.outputs.version_tag }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Publish Docker Image
 
on:
  push:
    tags:
      - '*'
  workflow_dispatch:
    inputs:
      ref:
        description: Git ref to build
        required: true
        default: main
      image_tag:
        description: Docker image tag to publish for this manual run
        required: true
        default: manual-test
 
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  publish:
    timeout-minutes: 30
    runs-on: latchkey-small
    permissions:
      contents: read
      packages: write
    strategy:
      matrix:
        include:
          - target: cli
            tag_suffix: ''
            latest_tag: latest
          - target: webui
            tag_suffix: -webui
            latest_tag: latest-webui
 
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.ref || github.ref }}
 
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
 
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
 
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
 
      - name: Prepare image tags
        id: prep
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          PUSH_TAG_NAME: ${{ github.ref_name }}
          MANUAL_IMAGE_TAG: ${{ inputs.image_tag }}
        run: |
          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            ref_name="${MANUAL_IMAGE_TAG}"
          else
            ref_name="${PUSH_TAG_NAME}"
          fi
 
          image="${REGISTRY}/${IMAGE_NAME}"
 
          if [[ ! "${ref_name}" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "Unsupported Docker tag format: ${ref_name}" >&2
            exit 1
          fi
 
          {
            echo "version_tag=${ref_name}${{ matrix.tag_suffix }}"
            echo "tags<<EOF"
            echo "${image}:${ref_name}${{ matrix.tag_suffix }}"
            if [[ "${EVENT_NAME}" == "push" ]]; then
              echo "${image}:${{ matrix.latest_tag }}"
            fi
            echo "EOF"
          } >> "${GITHUB_OUTPUT}"
 
      - name: Build and push ${{ matrix.target }} image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./docker/GHCR.Dockerfile
          target: ${{ matrix.target }}
          platforms: linux/amd64,linux/arm64
          provenance: false
          push: true
          tags: ${{ steps.prep.outputs.tags }}
          labels: |
            org.opencontainers.image.title=tg-signer
            org.opencontainers.image.description=Automated Telegram tasks with check-ins, monitoring, forwarding, and auto replies.
            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.version=${{ steps.prep.outputs.version_tag }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
 

What changed

4 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow