From 33c77bc2fbef27ffa2b6f32e03912eee2daa9d65 Mon Sep 17 00:00:00 2001
From: Jiangzhou He <hejiangzhou@gmail.com>
Date: Tue, 14 Apr 2026 13:39:43 -0700
Subject: [PATCH] fix(ci): build Docker image from local source and add
 test-dispatch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Install cocoindex-code from the checked-out source tree (same build-arg
  used by local E2E tests) instead of pulling from PyPI. Avoids a race
  where the just-published wheel hadn't propagated to PyPI's CDN when
  publish-docker started, and ensures the image matches the tagged
  commit byte-for-byte.
- Add a `test_docker` workflow_dispatch input so registry credentials
  (Docker Hub + GHCR) can be verified before the next release without
  having to cut one. Dispatch pushes `:test` only; release pushes
  `:latest` + `:<version>`.
- Drop the needs: publish-to-pypi dependency — with local-source install
  we no longer need PyPI to be up-to-date first.
---
 .github/workflows/release.yml | 46 +++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 90c9d28..cbf95ee 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,11 @@ on:
         required: false
         type: boolean
         default: false
+      test_docker:
+        description: 'Build & push the Docker image (tagged :test) without running PyPI publish — use to verify Docker Hub / GHCR credentials'
+        required: false
+        type: boolean
+        default: false
 
 permissions:
   contents: read
@@ -108,9 +113,9 @@ jobs:
 
   publish-docker:
     name: Build & push Docker image to Docker Hub and GHCR
-    if: github.event_name == 'release'
-    needs:
-      - publish-to-pypi
+    # Runs on real releases, and on manual dispatch with `test_docker=true`
+    # for verifying registry credentials before the first release.
+    if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && inputs.test_docker)
     runs-on: ubuntu-latest
     environment:
       name: docker-hub
@@ -138,14 +143,39 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Compute image tags
+        id: tags
+        # Real releases: push `:latest` and `:<version>` to both registries.
+        # Manual dispatches: push only `:test` so we don't clobber `:latest`.
+        run: |
+          if [ "${{ github.event_name }}" = "release" ]; then
+            {
+              echo "tags<<EOF"
+              echo "cocoindex/cocoindex-code:latest"
+              echo "cocoindex/cocoindex-code:${{ github.ref_name }}"
+              echo "ghcr.io/cocoindex-io/cocoindex-code:latest"
+              echo "ghcr.io/cocoindex-io/cocoindex-code:${{ github.ref_name }}"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
+          else
+            {
+              echo "tags<<EOF"
+              echo "cocoindex/cocoindex-code:test"
+              echo "ghcr.io/cocoindex-io/cocoindex-code:test"
+              echo "EOF"
+            } >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Build and push to both registries
         uses: docker/build-push-action@v5
         with:
           context: .
           file: docker/Dockerfile
           push: true
-          tags: |
-            cocoindex/cocoindex-code:latest
-            cocoindex/cocoindex-code:${{ github.ref_name }}
-            ghcr.io/cocoindex-io/cocoindex-code:latest
-            ghcr.io/cocoindex-io/cocoindex-code:${{ github.ref_name }}
+          # Install cocoindex-code from the checked-out source tree, not PyPI.
+          # Avoids a race where a just-published version hasn't propagated to
+          # PyPI's CDN yet (which happened on v0.2.24 release), and ensures
+          # the image matches the tagged commit byte-for-byte.
+          build-args: |
+            CCC_INSTALL_SPEC=/ccc-src[default]
+          tags: ${{ steps.tags.outputs.tags }}