Create release with image digest on new tag
This is a follow-up to this MR thread.
When a new tag for the cloud-deploy image is created, the Release stage job will run:
```yaml
release-tag:
  <<: *docker
  stage: release
  script:
    - 'echo ${CI_JOB_TOKEN} | docker login --password-stdin -u $CI_REGISTRY_USER $CI_REGISTRY'
    - echo "Using tag $CI_COMMIT_TAG for image"
    - docker pull "$BUILD_IMAGE_NAME"
    - docker tag "$BUILD_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
    - docker tag "$BUILD_IMAGE_NAME" "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
    - docker push "$CI_REGISTRY_IMAGE:latest"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
  only:
    - tags
```
When this new image is tagged, we should also retrieve its digest. Based on the discussion in the thread posted above, using the digest of an image is the most secure way to pull it.
We should then:
- retrieve the image digest programmatically upon its build.
- create a Release note (via the Release API(?)) to communicate this digest to users effectively.
The release note should look like:
cc @ogolowinski
Edited by Etienne Baqué
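One way to carry out the two steps listed above from the job's shell, as an added example that is not part of the original issue or the project's code: it reads the digest from `docker push` output, rejects anything that is not a well-formed sha256 digest, and builds the request body for the Releases API. The function names, the `RELEASE_TOKEN` variable and the sample push output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names, RELEASE_TOKEN and sample values are assumptions.

# Constructed sample of `docker push` output (not from a real registry).
SAMPLE_PUSH_OUTPUT='The push refers to repository [registry.example.com/group/cloud-deploy]
5f70bf18a086: Pushed
v1.2.3: digest: sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef size: 1365'

# Print the manifest digest from the final "<tag>: digest: sha256:<64 hex> size: <n>"
# line of `docker push` output. Fails closed when no well-formed digest is present.
extract_digest() {
  digest=$(printf '%s\n' "$1" |
    sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\) size: [0-9][0-9]*$/\1/p' | tail -n 1)
  [ -n "$digest" ] || return 1
  printf '%s\n' "$digest"
}

# Build the JSON body for POST /projects/:id/releases (args: tag image digest).
# Tag and image are limited to a conservative character set so that no value
# can break out of its JSON string; the digest is re-validated before use.
release_payload() {
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
  case "$2" in ''|*[!A-Za-z0-9._:/-]*) return 1 ;; esac
  printf '%s' "$3" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
  printf '{"tag_name":"%s","description":"Pull by digest: `%s@%s`"}\n' "$1" "$2" "$3"
}

# Create the release (arg: JSON payload). RELEASE_TOKEN is a hypothetical CI/CD
# variable holding an API token; CI_API_V4_URL and CI_PROJECT_ID are predefined.
publish_release() {
  curl --fail --silent --show-error --request POST \
    --header "PRIVATE-TOKEN: $RELEASE_TOKEN" \
    --header "Content-Type: application/json" \
    --data "$1" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"
}

# Offline demo on the constructed sample. In the release-tag job, use instead:
#   out=$(docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG")
#   digest=$(extract_digest "$out") || exit 1
#   publish_release "$(release_payload "$CI_COMMIT_TAG" "$CI_REGISTRY_IMAGE" "$digest")"
release_payload "v1.2.3" "registry.example.com/group/cloud-deploy" \
  "$(extract_digest "$SAMPLE_PUSH_OUTPUT")"
```

Users can then pull `$CI_REGISTRY_IMAGE@<digest>` from the release description instead of a mutable tag such as `latest`.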