From e438a6e6b256576cca9c1001d46eb259031d6e0f Mon Sep 17 00:00:00 2001
From: Aline Abler
Date: Wed, 18 Feb 2026 14:28:05 +0100
Subject: [PATCH 1/2] Update release pipeline and build multiarch images
---
 .github/workflows/cleanup-pr-tag.yml | 21 +++++++++
 .github/workflows/push.yml | 68 ++++++++++++++++++++++------
 .github/workflows/test.yml | 14 ------
 3 files changed, 76 insertions(+), 27 deletions(-)
 create mode 100644 .github/workflows/cleanup-pr-tag.yml
diff --git a/.github/workflows/cleanup-pr-tag.yml b/.github/workflows/cleanup-pr-tag.yml
new file mode 100644
index 000000000..8625a3f42
--- /dev/null
+++ b/.github/workflows/cleanup-pr-tag.yml
@@ -0,0 +1,21 @@
+---
+name: Delete closed PR container image tag
+
+"on":
+ pull_request:
+ types:
+ - closed
+
+jobs:
+ cleanup-pr-tag:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set image version for PR to branch name
+ run: echo "VERSION=${GITHUB_HEAD_REF//\//-}" >> ${GITHUB_ENV}
+
+ - name: Delete PR container image tag
+ uses: dataaxiom/ghcr-cleanup-action@v1
+ with:
+ tags: ${{ env.VERSION }}
+ package: ${{ github.event.repository.name }}
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 41f820ff9..9c5dad064 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
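Review bot: `dataaxiom/ghcr-cleanup-action@v1` in cleanup-pr-tag.yml is a third-party action referenced by a movable tag and handed `secrets.GITHUB_TOKEN` to delete packages, while the workflow declares no `permissions:` block, so the token's scope is whatever the repository default happens to be. Pin the action to a full commit SHA (`uses: dataaxiom/ghcr-cleanup-action@<full-commit-sha> # v1`, where the SHA is a placeholder to fill in) and give the `cleanup-pr-tag` job a `permissions:` block containing only `packages: write`. The same action reference appears in the `Delete untagged container images` step added to push.yml, and the `docker/login-action@v3` and `docker/build-push-action@v6` steps there receive registry credentials, so they merit the same pinning. Quoting the redirect target on the `run:` line, `>> "${GITHUB_ENV}"`, is a small hardening as well.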
@@ -5,33 +5,64 @@ on: - master tags: - v* + pull_request: {} jobs: build: runs-on: ubuntu-latest env: - IMAGE: docker.io/${{ github.repository }} + IMAGE: "${{ github.event_name == 'pull_request' && 'ghcr.io' || 'docker.io' }}/${{ github.repository }}" steps: - uses: actions/checkout@v6 with: - fetch-depth: "0" + fetch-depth: 0 # NOTE(aa): Required in order to have tag information available + - name: Get version information + id: get-version-info + run: | + GITVERSION="$(git describe --tags --always --match=v* --dirty=+dirty || (echo "command failed $?"; exit 1))" + PYVERSION="$(git describe --tags --always --match=v* | cut -d- -f1,2 || (echo "command failed $?"; exit 1))" + echo "git version: $GITVERSION, pyversion: $PYVERSION" + echo "gitversion=${GITVERSION}" >> ${GITHUB_OUTPUT} + echo "pyversion=${PYVERSION}" >> ${GITHUB_OUTPUT} + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - name: Set image version latest if: github.ref == 'refs/heads/master' run: echo "VERSION=latest" >> ${GITHUB_ENV} + - name: Set image version for PRs to branch name + if: github.event_name == 'pull_request' + run: echo "VERSION=${GITHUB_HEAD_REF//\//-}" >> ${GITHUB_ENV} - name: Set image version from tag if: startsWith(github.ref, 'refs/tags/v') run: echo "VERSION=$(echo ${GITHUB_REF#refs/tags/})" >> ${GITHUB_ENV} - - name: Build Image - run: make docker - env: - IMAGE_NAME: "${IMAGE}:${VERSION}" - - name: Push Image - env: - DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }} - run: | - docker login docker.io --username "${DOCKER_USERNAME}" --password "${DOCKER_PASSWORD}" - docker push "${IMAGE}:${VERSION}" + - name: Login to docker.io + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: docker.io + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to ghcr.io + if: 
github.event_name == 'pull_request' + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push + id: docker_build + uses: docker/build-push-action@v6 + with: + platforms: linux/amd64,linux/arm64 + push: true + tags: "${{ env.IMAGE }}:${{ env.VERSION }}" + cache-from: type=gha + cache-to: type=gha,mode=max + build-args: | + GITVERSION=${{ steps.get-version-info.outputs.gitversion }} + PYVERSION=${{ steps.get-version-info.outputs.pyversion }} - name: Build changelog from PRs with labels if: startsWith(github.ref, 'refs/tags/v') id: build_changelog @@ -74,3 +105,14 @@ jobs: # Ensure target branch for release is "master" commit: master token: ${{ secrets.GITHUB_TOKEN }} + - name: Delete untagged container images + # We always delete all untagged container images after building an + # image. This way, there should never be stale untagged images laying + # around in the registry. In combination with the workflow that + # deletes PR tags after the PR is closed we should be able to keep the + # container image registry size in check. + uses: dataaxiom/ghcr-cleanup-action@v1 + with: + token: ${{ secrets.GITHUB_TOKEN }} + package: ${{ github.event.repository.name }} + validate: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e6e48e4ee..7f545edea 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -150,17 +150,3 @@ jobs: - uses: actions/checkout@v6 - name: Check Docs run: make docs-vale - build: - needs: - - lints - - tests - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v6 - with: - fetch-depth: "0" - - name: Build image - run: make docker - - name: Run image - run: | - docker run docker.io/projectsyn/commodore:test version From fa2379dbe4548d21d133bb31a7c2f9bfc5364c10 Mon Sep 17 00:00:00 2001 
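Review bot: With `pull_request: {}` added to push.yml, the `Login to ghcr.io` and `Build and push` steps (with `push: true`) now run for every pull request, but for PRs from forks GitHub normally issues a read-only `GITHUB_TOKEN`, so those runs would be expected to fail at login or push instead of just building the image. Consider gating the push, e.g. `push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`, with the same condition on the ghcr.io login step. The `build` job also has no `permissions:` block; since it now writes packages and later creates a release, stating the `contents` and `packages` scopes explicitly keeps the token from depending on repository defaults. Separately, in `Get version information` the `|| (...; exit 1)` guard on the `PYVERSION` line only sees the exit status of `cut`, so a failing `git describe` goes unnoticed unless the script starts with `set -o pipefail`.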
From: Aline Abler
Date: Thu, 19 Feb 2026 10:48:45 +0100
Subject: [PATCH 2/2] Code review: Always push image to ghcr.io Also, run container image on PR builds to check that it isn't obviously broken.
---
 .github/workflows/push.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 9c5dad064..50d8a092c 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -10,8 +10,6 @@ on:
 jobs:
 build:
 runs-on: ubuntu-latest
- env:
- IMAGE: "${{ github.event_name == 'pull_request' && 'ghcr.io' || 'docker.io' }}/${{ github.repository }}"
 steps:
 - uses: actions/checkout@v6
 with:
@@ -45,7 +43,6 @@ jobs:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
 - name: Login to ghcr.io
- if: github.event_name == 'pull_request'
 uses: docker/login-action@v3
 with:
 registry: ghcr.io
@@ -57,7 +54,9 @@ jobs:
 with:
 platforms: linux/amd64,linux/arm64
 push: true
- tags: "${{ env.IMAGE }}:${{ env.VERSION }}"
+ tags: |
+ ghcr.io/${{ github.repository }}:${{ env.VERSION }}
+ ${{ github.event_name != 'pull_request' && format('{{docker.io/{0}:{1}}}', github.repository, env.VERSION) || '' }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
 build-args: |
@@ -116,3 +115,7 @@ jobs:
 token: ${{ secrets.GITHUB_TOKEN }}
 package: ${{ github.event.repository.name }}
 validate: true
+ - name: Run image
+ if: github.event_name == 'pull_request'
+ run: |
+ docker run ghcr.io/projectsyn/commodore:"${VERSION}" version
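Review bot: In the new `tags:` block, `format('{{docker.io/{0}:{1}}}', github.repository, env.VERSION)` uses doubled braces, which GitHub's `format()` treats as escaped literal braces, so the second tag would render as `{docker.io/<owner>/<repo>:<version>}`, which is not a valid image reference, on master and tag builds. Dropping the outer braces should give the intended value: `${{ github.event_name != 'pull_request' && format('docker.io/{0}:{1}', github.repository, env.VERSION) || '' }}`. This is worth confirming on a non-PR run, because pull-request builds take the empty-string branch and never exercise the expression.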
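Review bot: The `Run image` step pulls `ghcr.io/projectsyn/commodore:"${VERSION}"` by a mutable tag derived from the PR branch name, and with this commit release builds push `latest` and `v*` tags to the same ghcr.io repository, so a same-repo branch named like a release tag would overwrite that tag and the cleanup workflow would delete it when the PR closes. Giving PR tags their own namespace in the `Set image version for PRs to branch name` step (outside this hunk, and mirrored in cleanup-pr-tag.yml), e.g. `echo "VERSION=pr-${GITHUB_HEAD_REF//\//-}" >> "${GITHUB_ENV}"`, avoids the collision. Running the image by digest, `docker run "ghcr.io/${{ github.repository }}@${{ steps.docker_build.outputs.digest }}" version`, would also test exactly what was built and remove the hard-coded repository name.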