ci: Fix the Publish to Docker Hub workflow for good (#3689)

alco · web-flow · commit d969d16d017b · 2026-01-14T16:06:19.000+01:00
I didn't have the time to fully test the changes made #3650 before I decided to merge it to (hopefully) fix a problem with our cloud deployments. The lack of testing has left us with a series of issues in the new workflow. In this branch, I'm testing the workflow by letting it run all the way through. Only once it's proven to do what it has been designed to do will it be merged.  ## Summary by CodeRabbit * **New Features** * Sync-service Docker images are automatically published to Docker Hub when a sync-service release is published. * Cloud infrastructure update is triggered automatically when a new Electric release is published. * **Improvements** * Release workflow now coordinates package publishing and Docker image publishing, with explicit release vs canary tagging. * Docker repository names are configurable via environment and the workflow uses the built-in release token. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub>
diff --git a/.github/workflows/changesets_release.yml b/.github/workflows/changesets_release.yml
@@ -18,10 +18,10 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       published: ${{ steps.changesets.outputs.published }}
+      sync_service_release_tag: ${{ steps.sync_service_release_tag.outputs.tag }}
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       - uses: pnpm/action-setup@v4
       - uses: actions/setup-node@v4
@@ -43,8 +43,17 @@ jobs:
           publish: pnpm ci:publish
           title: 'chore: publish new package versions'
         env:
-          GITHUB_TOKEN: ${{ secrets.OLEKSII_PAT_TOKEN_FOR_DOCKERHUB_RELEASE_WORKFLOW }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HEX_API_KEY: ${{ secrets.HEX_API_KEY }}
+      - name: Capture the new sync-service release as an output (if any)
+        id: sync_service_release_tag
+        if: steps.changesets.outputs.published == 'true'
+        run: |
+          # Assign publishedPackages to a variable first to avoid any interpretation of JSON special chars by the shell
+          PUBLISHED_PACKAGES='${{ steps.changesets.outputs.publishedPackages }}'
+          # Use jq to pick the relevant package from the JSON array and format it into a <package>@<version> output
+          TAGS=$(echo "$PUBLISHED_PACKAGES" | jq -r '.[] | select(.name == "@core/sync-service") | .name + "@" + .version')
+          echo "tag=$TAGS" >> "$GITHUB_OUTPUT"
       - name: Add latest tag to published packages
         if: steps.changesets.outputs.published == 'true'
         run: node scripts/tag-latest.mjs
@@ -54,14 +63,22 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
+
+  publish-to-dockerhub:
+    needs: changesets
+    if: ${{ needs.changesets.outputs.published == 'true' && needs.changesets.outputs.sync_service_release_tag  != '' }}
+    uses: ./.github/workflows/sync_service_dockerhub_image.yml
+    secrets: inherit
+    with:
+      release_tag: ${{ needs.changesets.outputs.sync_service_release_tag }}
+
   update-cloud:
     name: Update Electric version used by Cloud
     runs-on: ubuntu-latest
     needs: changesets
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       # Get the Electric version of the Docker image
       - name: Get Electric version
diff --git a/.github/workflows/sync_service_dockerhub_image.yml b/.github/workflows/sync_service_dockerhub_image.yml
@@ -1,28 +1,65 @@
 name: Publish Electric images to Docker Hub
 
 # If you decide to modify the list of triggers for this action, don't forget to also update the
-# conditional logic in the derive_build_vars and publish_tagged_image jobs.
+# conditional logic based on ${{ github.event_name }} in the derive_build_vars job.
 on:
   push:
     branches: ['main']
   release:
     types: [released]
+  # Allows the workflow to be called by the Changesets workflow
+  workflow_call:
+    inputs:
+      release_tag:
+        description: 'The @core/sync-service@... tag passed from caller'
+        required: true
+        type: string
+  # Allows the workflow to be triggered manually from the UI
   workflow_dispatch:
     inputs:
       release_tag:
-        description: 'The @core/sync-service@... tag to run for (e.g. @core/sync-service@v1.2.10)'
+        description: 'The @core/sync-service@... tag to run the workflow for (e.g. @core/sync-service@1.2.10)'
         required: true
         type: string
 
+env:
+  DOCKERHUB_REPO: electricsql/electric
+  DOCKERHUB_CANARY_REPO: electricsql/electric-canary
+
 jobs:
   derive_build_vars:
     name: Derive build variables from the source code
     runs-on: blacksmith-2vcpu-ubuntu-2404
     outputs:
+      git_ref: ${{ steps.git_ref.outputs.git_ref }}
+      is_release: ${{ steps.git_ref.outputs.is_release }}
       short_commit_sha: ${{ steps.vars.outputs.short_commit_sha }}
       electric_version: ${{ steps.vars.outputs.electric_version }}
 
     steps:
+      - name: Determine the ref to check out
+        id: git_ref
+        run: |
+          case ${{ github.event_name }} in
+            push)
+              ref="${{ github.sha }}"
+              is_release=false
+              ;;
+
+            release)
+              ref="refs/tags/${{ github.event.release.tag_name }}"
+              is_release=true
+              ;;
+
+            workflow_dispatch | workflow_call)
+              ref="refs/tags/${{ inputs.release_tag }}"
+              is_release=true
+              ;;
+          esac
+
+          echo "git_ref=$ref" >> $GITHUB_OUTPUT
+          echo "is_release=$is_release" >> $GITHUB_OUTPUT
+
       - uses: actions/checkout@v4
         with:
           # The checked out commit influences the value of the ELECTRIC_VERSION variable
@@ -35,10 +72,7 @@ jobs:
           #
           # For manual triggers via workflow_dispatch, we check out the tag specified manually
           # by the actor.
-          ref: ${{
-            github.event_name == 'release' && format('refs/tags/{0}', github.event.release.tag_name) ||
-            github.event_name == 'workflow_dispatch' && format('refs/tags/{0}', inputs.release_tag) ||
-            github.sha }}
+          ref: ${{ steps.git_ref.outputs.git_ref }}
           # Also important to fetch the whole history since otherwise we won't get that tags
           # that are required to determine the correct ELECTRIC_VERSION.
           fetch-depth: 0
@@ -69,6 +103,8 @@ jobs:
     needs: [derive_build_vars]
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.derive_build_vars.outputs.git_ref }}
 
       - uses: useblacksmith/setup-docker-builder@v1
 
@@ -93,8 +129,8 @@ jobs:
           # the subsequent merge job will assemble the manifest list and apply tags
           outputs: type=image,push-by-digest=true,name-canonical=true,push=true
           tags: |
-            electricsql/electric
-            electricsql/electric-canary
+            ${{ env.DOCKERHUB_REPO }}
+            ${{ env.DOCKERHUB_CANARY_REPO }}
 
       # Save the digest so the merge job can find both platform images
       - name: Export digest
@@ -126,39 +162,38 @@ jobs:
 
       - name: Derive image tags from the GitHub Actions event
         run: |
-          case ${{ github.event_name }} in
-            push)
-              # A regular push to the main branch triggers canary image publishing
-              echo "ELECTRIC_TAGS=-t electricsql/electric:canary" >> $GITHUB_ENV
-              echo "ELECTRIC_CANARY_TAGS=-t electricsql/electric-canary:latest -t electricsql/electric-canary:${{ needs.derive_build_vars.outputs.short_commit_sha }}" >> $GITHUB_ENV
-              ;;
-            release | workflow_dispatch)
-              # A release triggers official release image publishing
-              echo "ELECTRIC_TAGS=-t electricsql/electric:latest -t electricsql/electric:${{ needs.derive_build_vars.outputs.electric_version }}" >> $GITHUB_ENV
-          esac
+          if [ "${{ needs.derive_build_vars.outputs.is_release }}" = "true" ]; then
+            # A release triggers official release image publishing
+            echo "ELECTRIC_TAGS=-t $DOCKERHUB_REPO:latest -t $DOCKERHUB_REPO:${{ needs.derive_build_vars.outputs.electric_version }}" >> $GITHUB_ENV
+            echo "ELECTRIC_CANARY_TAGS=" >> $GITHUB_ENV
+          else
+            # A regular push to the main branch triggers canary image publishing
+            echo "ELECTRIC_TAGS=-t $DOCKERHUB_REPO:canary" >> $GITHUB_ENV
+            echo "ELECTRIC_CANARY_TAGS=-t $DOCKERHUB_CANARY_REPO:latest -t $DOCKERHUB_CANARY_REPO:${{ needs.derive_build_vars.outputs.short_commit_sha }}" >> $GITHUB_ENV
+          fi
 
       - name: Create multi-arch manifest list
         run: |
           set -euo pipefail
 
-          # Build a list of electricsql/electric@sha256:... source images
+          # Build a list of $DOCKERHUB_REPO@sha256:... source images
           ELECTRIC_IMAGES=$(
             for f in /tmp/digests/*.digest; do
-              echo electricsql/electric@$(cat $f)
+              echo $DOCKERHUB_REPO@$(cat $f)
             done
           )
 
-          # Create a manifest list for electricsql/electric:canary that includes both platforms
+          # Create a manifest list for $DOCKERHUB_REPO:canary that includes both platforms
           docker buildx imagetools create $ELECTRIC_TAGS $ELECTRIC_IMAGES
 
           if [ -n "$ELECTRIC_CANARY_TAGS" ]; then
-            # Build a list of electricsql/electric-canary@sha256:... source images
+            # Build a list of $DOCKERHUB_CANARY_REPO@sha256:... source images
             ELECTRIC_CANARY_IMAGES=$(
               for f in /tmp/digests/*.digest; do
-                echo electricsql/electric-canary@$(cat $f)
+                echo $DOCKERHUB_CANARY_REPO@$(cat $f)
               done
             )
 
-            # Create a manifest list for electricsql/electric-canary:... that includes both platforms
+            # Create a manifest list for $DOCKERHUB_CANARY_REPO:... that includes both platforms
             docker buildx imagetools create $ELECTRIC_CANARY_TAGS $ELECTRIC_CANARY_IMAGES
           fi
