From 59b59386ac0e61503552a27784bfd1793cba05f6 Mon Sep 17 00:00:00 2001
From: alpha nerd <alpha-nerd@nomyo.ai>
Date: Mon, 18 May 2026 15:59:52 +0200
Subject: [PATCH] fix: futureproof docker builds related to #84

---
 .../workflows/docker-publish-semantic.yml     | 32 +++++++++++++++----
 .forgejo/workflows/docker-publish.yml         | 30 ++++++++++++++---
 2 files changed, 50 insertions(+), 12 deletions(-)

diff --git a/.forgejo/workflows/docker-publish-semantic.yml b/.forgejo/workflows/docker-publish-semantic.yml
index 2fa59d5..d4e1213 100644
--- a/.forgejo/workflows/docker-publish-semantic.yml
+++ b/.forgejo/workflows/docker-publish-semantic.yml
@@ -76,19 +76,30 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
-      - name: Build and push platform image
+      - name: Build and push image by digest
         id: build
         uses: https://github.com/docker/build-push-action@v6
         with:
           context: .
           platforms: ${{ matrix.platform }}
-          push: true
           provenance: false
           build-args: |
             SEMANTIC_CACHE=true
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:semantic-platform-${{ matrix.arch }}
-          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache-semantic-${{ matrix.arch }}
-          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache-semantic-${{ matrix.arch }},mode=max
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: https://github.com/actions/upload-artifact@v4
+        with:
+          name: digests-semantic-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
 
   merge:
     runs-on: docker-amd64
@@ -117,6 +128,13 @@ jobs:
           cat /tmp/dockerd.log
           exit 1
 
+      - name: Download digests
+        uses: https://github.com/actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-semantic-*
+          merge-multiple: true
+
       - name: Set up Docker Buildx
         uses: https://github.com/docker/setup-buildx-action@v3
 
@@ -141,9 +159,9 @@ jobs:
             type=sha,prefix=sha-,suffix=-semantic
 
       - name: Create and push multi-arch manifest
+        working-directory: /tmp/digests
         run: |
           docker buildx imagetools create \
             $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:semantic-platform-amd64 \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:semantic-platform-arm64
+            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
 
diff --git a/.forgejo/workflows/docker-publish.yml b/.forgejo/workflows/docker-publish.yml
index 27cd879..3b69030 100644
--- a/.forgejo/workflows/docker-publish.yml
+++ b/.forgejo/workflows/docker-publish.yml
@@ -69,15 +69,28 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
-      - name: Build and push platform image
+      - name: Build and push image by digest
         id: build
         uses: https://github.com/docker/build-push-action@v6
         with:
           context: .
           platforms: ${{ matrix.platform }}
-          push: true
           provenance: false
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:platform-${{ matrix.arch }}
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: https://github.com/actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
 
   merge:
     runs-on: docker-amd64
@@ -106,6 +119,13 @@ jobs:
           cat /tmp/dockerd.log
           exit 1
 
+      - name: Download digests
+        uses: https://github.com/actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
       - name: Set up Docker Buildx
         uses: https://github.com/docker/setup-buildx-action@v3
 
@@ -130,9 +150,9 @@ jobs:
             type=sha,prefix=sha-
 
       - name: Create and push multi-arch manifest
+        working-directory: /tmp/digests
         run: |
           docker buildx imagetools create \
             $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:platform-amd64 \
-            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:platform-arm64
+            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)