Split workflows for reusability

- Separates workflow into distinct stages:
  - meta: determines the base (sha) and permatags (branch, git-tag) to apply to the image
  - build: builds the multi-platform dockerfile with a build-specific tag
  - test: a repo-specific workflow that runs the tests
  - tag: applies permatags to the tested image
- This is a proof-of-concept on the path towards centralizing and versioning the reusable parts of our workflows. The common elements (meta, build, and tag) would be centralized, with individual repos only having to write a test workflow to run their tests and a ci workflow to weave the different reusable workflows together.

Author: danschmidt5189

.github/workflows/build.yml

@@ -1,21 +1,19 @@
-name: Build / Test / Push
+name: Build image
 
 on:
-  push:
-    branches:
-      - '**'
-  workflow_dispatch:
-
-env:
-  BUILD_SUFFIX: -build-${{ github.run_id }}_${{ github.run_attempt }}
-  DOCKER_METADATA_SET_OUTPUT_ENV: 'true'
+  workflow_call:
+    outputs:
+      image:
+        description: ID of the image created by the workflow run
+        value: ${{ jobs.merge.outputs.image }}
 
 jobs:
   build:
     runs-on: ${{ matrix.runner }}
     outputs:
-      build-image-arm: ${{ steps.gen-output.outputs.image-arm64 }}
-      build-image-x64: ${{ steps.gen-output.outputs.image-x64 }}
+      image-digest-arm: ${{ steps.gen-output.outputs.image-digest-arm64 }}
+      image-digest-x64: ${{ steps.gen-output.outputs.image-digest-x64 }}
+      build-tag: ${{ steps.build-meta.outputs.tags }}
     strategy:
       fail-fast: false
       matrix:
@@ -41,7 +39,7 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository }}
-          tags: type=sha,suffix=${{ env.BUILD_SUFFIX }}
+          tags: type=sha,suffix=-build-${{ github.run_id }}_${{ github.run_attempt }}
 
       # Build cache is shared among all builds of the same architecture
       - id: cache-meta
@@ -71,17 +69,18 @@ jobs:
       - id: gen-output
         name: Write arch-specific image digest to outputs
         run: |
-          echo "image-${RUNNER_ARCH,,}=${{ steps.get-registry.outputs.registry }}@${{ steps.build.outputs.digest }}" | tee -a "$GITHUB_OUTPUT"
+          echo "image-digest-${RUNNER_ARCH,,}=${{ steps.get-registry.outputs.registry }}@${{ steps.build.outputs.digest }}" | tee -a "$GITHUB_OUTPUT"
 
   merge:
+    name: create multi-platform image
+    needs: build
     runs-on: ubuntu-24.04
-    needs:
-      - build
     env:
-      DOCKER_APP_IMAGE_ARM64: ${{ needs.build.outputs.build-image-arm }}
-      DOCKER_APP_IMAGE_X64: ${{ needs.build.outputs.build-image-x64 }}
+      DOCKER_APP_IMAGE: ${{ needs.build.outputs.build-tag }}
+      DOCKER_APP_IMAGE_DIGEST_ARM64: ${{ needs.build.outputs.image-digest-arm }}
+      DOCKER_APP_IMAGE_DIGEST_X64: ${{ needs.build.outputs.image-digest-x64 }}
     outputs:
-      build-image: ${{ steps.meta.outputs.tags }}
+      image: ${{ needs.build.outputs.build-tag }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -96,77 +95,8 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=sha,suffix=-build-${{ github.run_id }}_${{ github.run_attempt }}
-
       - name: Push the multi-platform image
         run: |
           docker buildx imagetools create \
-            --tag "$DOCKER_METADATA_OUTPUT_TAGS" \
-            "$DOCKER_APP_IMAGE_ARM64" "$DOCKER_APP_IMAGE_X64"
-
-  test:
-    runs-on: ubuntu-24.04
-    needs:
-      - merge
-    env:
-      COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml
-      DOCKER_APP_IMAGE: ${{ needs.merge.outputs.build-image }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Compose
-        uses: docker/setup-compose-action@v1
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Run the test script
-        run: |
-          docker compose run --rm --user root app chown -R avplayer:avplayer artifacts
-          docker compose up --detach --wait
-          docker compose exec app bin/test
-
-  push:
-    runs-on: ubuntu-24.04
-    needs:
-      - merge
-      - test
-    env:
-      DOCKER_APP_IMAGE: ${{ needs.merge.outputs.build-image }}
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Produce permanent image tags
-        id: branch-meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=sha
-            type=ref,event=branch
-            type=raw,value=latest,enable={{is_default_branch}}
-
-      - name: Retag and push the image
-        run: |
-          docker pull "$DOCKER_APP_IMAGE"
-          echo "$DOCKER_METADATA_OUTPUT_TAGS" | tr ' ' '\n' | xargs -n1 docker tag "$DOCKER_APP_IMAGE"
-          docker push --all-tags "$(echo "$DOCKER_APP_IMAGE" | cut -f1 -d:)"
+            --tag "$DOCKER_APP_IMAGE" \
+            "$DOCKER_APP_IMAGE_DIGEST_ARM64" "$DOCKER_APP_IMAGE_DIGEST_X64"

.github/workflows/ci.yml

@@ -0,0 +1,34 @@
+name: Build / Test / Tag
+
+on:
+  push:
+    branches:
+      - '**'
+    tags:
+      - '**'
+
+jobs:
+  meta:
+    name: Determine image permatags
+    uses: ./.github/workflows/meta.yml
+
+  build:
+    name: Build the image
+    if: ${{ !startsWith(github.ref, 'refs/tags/') }}
+    uses: ./.github/workflows/build.yml
+
+  test:
+    name: Test built image
+    if: ${{ !startsWith(github.ref, 'refs/tags/') }}
+    needs: build
+    uses: ./.github/workflows/test.yml
+    with:
+      image: ${{ needs.build.outputs.image }}
+
+  tag:
+    name: Tag/push tested image
+    needs: [build, test, meta]
+    uses: ./.github/workflows/tag.yml
+    with:
+      image: ${{ needs.build.outputs.image || needs.meta.outputs.base-tag }}
+      tags: ${{ needs.meta.outputs.permatags }}

.github/workflows/meta.yml

@@ -0,0 +1,42 @@
+name: Extract image metadata
+
+on:
+  workflow_call:
+    outputs:
+      base-tag:
+        description: SHA-based tag for the built ref (org/repo:sha-1234567)
+        value: ${{ jobs.meta.outputs.base-tag }}
+      permatags:
+        description: Space-separated list of all tags to apply to the ref
+        value: ${{ jobs.meta.outputs.permatags }}
+
+jobs:
+  meta:
+    runs-on: ubuntu-24.04
+    outputs:
+      base-tag: ${{ steps.base-tag.outputs.tags }}
+      permatags: ${{ steps.permatags.outputs.tags }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - id: base-tag
+        name: Determine base tag (for git-tag builds)
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: type=sha
+
+      - id: permatags
+        name: Determine permatags
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=sha
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=branch
+            type=ref,event=tag
+            type=semver,event=tag,pattern={{major}}
+            type=semver,event=tag,pattern={{major}}.{{minor}}
+            type=semver,event=tag,pattern={{version}}

.github/workflows/release.yml

@@ -0,0 +1,34 @@
+name: Tag Docker image
+
+on:
+  workflow_call:
+    inputs:
+      # Image to be retagged. This must exist in the registry.
+      image:
+        type: string
+
+      # Space-separated list of fully qualified image tags (including registry address)
+      # Format matches the output of `docker/metadata-action`.
+      tags:
+        type: string
+
+env:
+  DOCKER_APP_IMAGE: ${{ inputs.image }}
+  DOCKER_METADATA_OUTPUT_TAGS: ${{ inputs.tags }}
+
+jobs:
+  tag:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Apply tags to the image
+        run: |
+          docker pull "$DOCKER_APP_IMAGE"
+          echo "$DOCKER_METADATA_OUTPUT_TAGS" | tr ' ' '\n' | xargs -n1 docker tag "$DOCKER_APP_IMAGE"
+          docker push --all-tags "$(echo "$DOCKER_APP_IMAGE" | cut -f1 -d:)"

.github/workflows/tag.yml

@@ -0,0 +1,34 @@
+name: Test Docker image
+
+on:
+  workflow_call:
+    inputs:
+      image:
+        type: string
+
+env:
+  COMPOSE_FILE: docker-compose.yml:docker-compose.ci.yml
+  DOCKER_APP_IMAGE: ${{ inputs.image }}
+
+jobs:
+  test:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Compose
+        uses: docker/setup-compose-action@v1
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run the test script
+        run: |
+          docker compose run --rm --user root app chown -R avplayer:avplayer artifacts
+          docker compose up --detach --wait
+          docker compose exec app bin/test