Skip to content

Container Build and Publish

The common workflow builds the final linux/amd64 runtime image once. It records source revision and build metadata as OCI labels, scans the loaded image with Trivy, generates an SBOM, and makes the same image available to parallel registry jobs.

Initial approach: docker save followed by a one-day GitHub artifact. This is simple and proves that push jobs use the same image, but large images may create transfer and storage overhead.

Preferred scale approach: push once to an internal staging registry by digest, then copy registry-to-registry with crane or skopeo. This avoids uploading the image tar for every job. Adoption requires authentication and retention design.

Each target push records the source SHA, target repository, tags, and digest. Where registry behavior changes the manifest digest, retain the platform-specific digest and confirm equivalent config/layers. No push job runs docker build.

  • Immutable: <branch>-<short-sha> and release semantic tag.
  • Mutable convenience aliases: develop, release, latest only when required by Image Updater strategy.
  • Deployment audit records always retain immutable SHA/digest.