linuxserver-labs · thespad · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026 · Apr 4, 2026
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -21,6 +21,14 @@ on:
       release_name:
         required: false
         type: string
+      sign_image:
+        required: false
+        type: boolean
+        default: true
+      branch_name:
+        required: false
+        type: string
+        default: "main"
     secrets:
       OP_SERVICE_ACCOUNT_TOKEN:
         required: true
@@ -32,7 +40,9 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v6.0.2
+        with:
+          ref: ${{ github.head_ref || inputs.branch_name }}
       -
         name: Docker meta
         id: docker_meta
@@ -44,24 +54,28 @@ jobs:
             org.opencontainers.image.title=${{ inputs.app_name }}
             org.opencontainers.image.description=${{ inputs.app_name }}
             org.opencontainers.image.vendor=${{ inputs.repo_owner }}
+            org.opencontainers.image.documentation=https://github.com/linuxserver-labs/${{ inputs.app_name }}
+          flavor: |
+            latest=false
           tags: |
-            type=schedule
             type=ref,event=branch
             type=ref,event=tag
             type=ref,event=pr
-            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=${{ github.head_ref || inputs.branch_name }},enable=true
+            type=raw,value=${{ github.head_ref || inputs.branch_name }},enable=true
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.12.0
+        uses: docker/setup-buildx-action@v4.0.0
       -
         name: Install Cosign
-        uses: sigstore/cosign-installer@v3.10.0
+        if: ${{ inputs.sign_image == 'true' }}
+        uses: sigstore/cosign-installer@v4.1.1
       -
         name: Login to GitHub Container Registry
-        uses: docker/login-action@v3.6.0
+        uses: docker/login-action@v4.1.0
         with:
           registry: ghcr.io
           username: ${{ inputs.repo_owner }}
@@ -78,18 +92,18 @@ jobs:
         id: gen_release
         run: |
           if [ -z ${{ github.event.release.tag_name }} ]; then
-          IMAGE_VERSION=$(curl -s "https://api.github.com/repos/${{ inputs.repo_owner }}/docker-${{ inputs.app_name }}/releases" | jq -r '(sort_by(.published_at) | .[-1].tag_name)?')
+            IMAGE_VERSION=$(curl -s "https://api.github.com/repos/${{ inputs.repo_owner }}/docker-${{ inputs.app_name }}/releases" | jq -r 'last((sort_by(.published_at) | .[] | select(.target_commitish == "${{ inputs.branch_name }}") | .tag_name)?)')
             if [ -z $IMAGE_VERSION ] || [ $IMAGE_VERSION == null ]; then
               case ${{ inputs.release_type }} in
                 github)
                   IMAGE_VERSION=$(curl -sX GET "${{ inputs.release_url }}/releases/latest" | awk '/tag_name/{print $4;exit}' FS='[""]');
                   ;;
-                github_tag)
-                  IMAGE_VERSION=$(curl -sX GET "${{ inputs.release_url }}/tags" | jq -r 'first(.[] | select(.name | contains("${{ inputs.release_name }}") )) | .name');
-                  ;;
                 github_commit)
                   IMAGE_VERSION=$(curl -sL "${{ inputs.release_url }}" | jq -r 'first(.[])' | cut -c1-8);
                   ;;
+                github_tag)
+                  IMAGE_VERSION=$(curl -sX GET "${{ inputs.release_url }}/tags" | jq -r 'first(.[] | select(.name | contains("${{ inputs.release_name }}") )) | .name');
+                  ;;
                 alpine)
                   IMAGE_VERSION=$(curl -sL "http://dl-cdn.alpinelinux.org/alpine/${{ inputs.release_url }}/x86_64/APKINDEX.tar.gz" | tar -xz -C /tmp && awk '/^P:'"${{ inputs.release_name }}"'$/,/V:/' /tmp/APKINDEX | sed -n 2p | sed 's/^V://');
                   ;;
@@ -110,7 +124,7 @@ jobs:
       -
         name: Build and push
         id: build_push
-        uses: docker/bake-action@v6.10.0
+        uses: docker/bake-action@v7.0.0
         with:
           files: |
             ./docker-bake.hcl
@@ -123,9 +137,55 @@ jobs:
           push: true
           provenance: false
           sbom: true
+      -
+        name: Create manifest for release
+        if: ${{ github.event_name != 'pull_request' }}
+        id: manifest
+        run: |
+          TAG=$(jq -r '.tags[0]' <<< $TAGS | cut -f 2- -d ':')
+          for registry in ghcr.io; do
+            if [[ ${{ github.event.repository.default_branch }} == ${{ inputs.branch_name }} ]]; then
+              docker buildx imagetools create -t ${registry}/${MANIFESTIMAGE}:latest ${registry}/${MANIFESTIMAGE}:${TAG}
+            fi
+          done
+        env:
+          MANIFESTIMAGE: ${{ inputs.repo_owner }}/${{ inputs.app_name }}
+          TAGS: ${{ steps.docker_meta.outputs.json }}
+      -
+        name: Commit release version
+        if: ${{ github.event_name != 'pull_request' }}
+        id: commit_release
+        env:
+          CI_COMMIT_MESSAGE: CI Build Workflow Updates
+        run: |
+          FILE_BASE64=$(base64 <<< "${{ steps.gen_release.outputs.app_version }}")
+          FILE_BLOB=$(curl -L \
+            -H "Accept: application/vnd.github.object" \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            https://api.github.com/repos/${{ inputs.repo_owner }}/docker-${{ inputs.app_name }}/contents/version.txt?ref=${{ inputs.branch_name }})
+          if jq -re .sha <<< ${FILE_BLOB} 2> /dev/null; then
+            FILE_SHA=$(jq -r .sha <<< ${FILE_BLOB})
+            curl -L \
+              -X PUT \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              https://api.github.com/repos/${{ inputs.repo_owner }}/docker-${{ inputs.app_name }}/contents/version.txt \
+              -d "{\"branch\":\"${{ inputs.branch_name }}\",\"sha\":\"${FILE_SHA}\",\"message\":\"${{ env.CI_COMMIT_MESSAGE }}\",\"content\":\"${FILE_BASE64}\"}"
+          else
+            curl -L \
+              -X PUT \
+              -H "Accept: application/vnd.github+json" \
+              -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              https://api.github.com/repos/${{ inputs.repo_owner }}/docker-${{ inputs.app_name }}/contents/version.txt \
+              -d "{\"branch\":\"${{ inputs.branch_name }}\",\"message\":\"${{ env.CI_COMMIT_MESSAGE }}\",\"content\":\"${FILE_BASE64}\"}"
+          fi
       -
         name: Get Digest
         id: get_digest
+        if: ${{ inputs.sign_image == 'true' }}
         env:
           BAKE_METADATA: ${{ steps.build_push.outputs.metadata }}
         run: |
@@ -135,7 +195,8 @@ jobs:
       -
         name: Load Key
         id: op-load-key
-        uses: 1password/load-secrets-action@v3
+        if: ${{ inputs.sign_image == 'true' }}
+        uses: 1password/load-secrets-action@v4.0.0
         with:
           export-env: true
         env:
@@ -144,6 +205,7 @@ jobs:
           COSIGN_PASSWORD: op://Labs/labs-sigstore-pass/password
       -
         name: Sign image with a key
+        if: ${{ inputs.sign_image == 'true' }}
         run: |
           images=""
           for tag in ${TAGS}; do