wu-sheng opened a new pull request, #12:
URL: https://github.com/apache/skywalking-horizon-ui/pull/12

   ## What
   
   Move the Docker Hub release push from the manual `release-finalize.sh` Step 
5 onto the existing `publish-image` CI workflow, modeled on what 
`apache/skywalking-graalvm-distro` does. Same per-arch native builds that 
already publish to GHCR — on a `v*` tag push, the manifest job adds one more 
step that mirrors the multi-arch manifest to `apache/skywalking-ui` via `docker 
buildx imagetools create`.
   
   The motivation: finalizing 0.5.0 hit a wall at Step 5 — local multi-arch 
builds via Docker Desktop on Apple Silicon crashed esbuild under QEMU, and even 
after switching to a GHCR→Docker Hub manifest copy approach, the local push was 
blocked by Docker Hub permissions on the personal account. Moving it to CI 
eliminates the local push step entirely, uses an ASF service account with 
org-level push rights, and runs on the same canonical bytes CI already tested.
   
   ## Changes
   
   ### `.github/workflows/publish-image.yaml`
   - New `Log in to Docker Hub (release only)` step in the manifest job, gated 
`if: github.ref_type == 'tag'`.
   - New `Mirror multi-arch manifest to Docker Hub (release only)` step that 
runs `docker buildx imagetools create` to copy the GHCR canonical SHA-tagged 
multi-arch manifest into:
     - `apache/skywalking-ui:horizon-<v>` (immutable, this release)
     - `apache/skywalking-ui:latest` (moving — Horizon owns `latest` on this 
shared-with-booster-ui repo)
   - Header comment updated to describe the GHCR-on-every-push + 
Docker-Hub-on-tag publishing model.
   
   ### `scripts/release-finalize.sh`
   - Step 5 is no longer the source of truth. It now **verifies** the two 
Docker Hub tags landed (they should have, since CI runs on tag-push). If they 
didn't, it falls back to running the same `imagetools create` locally — same 
mirror, just from a workstation with Docker Hub push rights. Useful for 
back-filling pre-CI releases (like 0.5.0) and as a recovery path if CI fails on 
a future tag.
   - Header comment updated; Step 3 description rewritten.
   
   ### `.gitignore`
   - Added `scripts/.finalize-work` (sibling of the already-ignored 
`scripts/.release-work`). Release-script working trees aren't artifacts to 
track.
   
   ## Secrets required (one-time, set by repo admin)
   
   The new CI step needs two repository / org secrets:
   
   | Secret | Value |
   |---|---|
   | `DOCKERHUB_USER` | Docker Hub account with push rights on 
`apache/skywalking-ui` |
   | `DOCKERHUB_TOKEN` | PAT for that account |
   
   Without these, the new CI step's `Log in to Docker Hub` will fail and the 
workflow will error on the tag — the GHCR push will still succeed (it runs in 
earlier steps), so non-tag pushes are unaffected. Once the secrets exist, the 
next `v*` tag will mirror automatically.
   
   ## Back-filling 0.5.0
   
   This PR's CI change won't retroactively mirror v0.5.0 (the workflow on the 
v0.5.0 tag has already completed). To get 0.5.0 on Docker Hub today, run the 
script's Step 5 fallback path (or the equivalent `imagetools create` command 
directly) from a host with Docker Hub push rights. From 0.6.0 onward, the 
mirror is automatic.
   
   ## Validation
   - `bash -n scripts/release-finalize.sh` ✓
   - YAML parses (yq + python) ✓
   - `license-eye header check` ✓ 0 invalid


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to