wu-sheng opened a new pull request, #12:
URL: https://github.com/apache/skywalking-horizon-ui/pull/12
## What
Move the Docker Hub release push from the manual `release-finalize.sh` Step
5 onto the existing `publish-image` CI workflow, modeled on what
`apache/skywalking-graalvm-distro` does. Same per-arch native builds that
already publish to GHCR — on a `v*` tag push, the manifest job adds one more
step that mirrors the multi-arch manifest to `apache/skywalking-ui` via `docker
buildx imagetools create`.
The motivation: finalizing 0.5.0 hit a wall at Step 5 — local multi-arch
builds via Docker Desktop on Apple Silicon crashed esbuild under QEMU, and even
after switching to a GHCR→Docker Hub manifest copy approach, the local push was
blocked by Docker Hub permissions on the personal account. Moving it to CI
eliminates the local push step entirely, uses an ASF service account with
org-level push rights, and runs on the same canonical bytes CI already tested.
## Changes
### `.github/workflows/publish-image.yaml`
- New `Log in to Docker Hub (release only)` step in the manifest job, gated
`if: github.ref_type == 'tag'`.
- New `Mirror multi-arch manifest to Docker Hub (release only)` step that
runs `docker buildx imagetools create` to copy the GHCR canonical SHA-tagged
multi-arch manifest into:
- `apache/skywalking-ui:horizon-<v>` (immutable, this release)
- `apache/skywalking-ui:latest` (moving — Horizon owns `latest` on this
shared-with-booster-ui repo)
- Header comment updated to describe the GHCR-on-every-push +
Docker-Hub-on-tag publishing model.
### `scripts/release-finalize.sh`
- Step 5 is no longer the source of truth. It now **verifies** the two
Docker Hub tags landed (they should have, since CI runs on tag-push). If they
didn't, it falls back to running the same `imagetools create` locally — same
mirror, just from a workstation with Docker Hub push rights. Useful for
back-filling pre-CI releases (like 0.5.0) and as a recovery path if CI fails on
a future tag.
- Header comment updated; Step 3 description rewritten.
### `.gitignore`
- Added `scripts/.finalize-work` (sibling of the already-ignored
`scripts/.release-work`). Release-script working trees aren't artifacts to
track.
## Secrets required (one-time, set by repo admin)
The new CI step needs two repository / org secrets:
| Secret | Value |
|---|---|
| `DOCKERHUB_USER` | Docker Hub account with push rights on
`apache/skywalking-ui` |
| `DOCKERHUB_TOKEN` | PAT for that account |
Without these, the new CI step's `Log in to Docker Hub` will fail and the
workflow will error on the tag — the GHCR push will still succeed (it runs in
earlier steps), so non-tag pushes are unaffected. Once the secrets exist, the
next `v*` tag will mirror automatically.
## Back-filling 0.5.0
This PR's CI change won't retroactively mirror v0.5.0 (the workflow on the
v0.5.0 tag has already completed). To get 0.5.0 on Docker Hub today, run the
script's Step 5 fallback path (or the equivalent `imagetools create` command
directly) from a host with Docker Hub push rights. From 0.6.0 onward, the
mirror is automatic.
## Validation
- `bash -n scripts/release-finalize.sh` ✓
- YAML parses (yq + python) ✓
- `license-eye header check` ✓ 0 invalid
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]