From 66a2591c96ef620fd6d29f2f9f4fc0c9278221cc Mon Sep 17 00:00:00 2001
From: ix5 <ix5@users.noreply.github.com>
Date: Mon, 22 Apr 2024 01:34:55 +0200
Subject: [PATCH 1/5] Dockerfile: Add LABELs

This helps connect the image with the package registry
metadata.
---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 903f6950..def715c9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -71,6 +71,10 @@ FROM python:3.10-alpine AS isso
 WORKDIR /isso/
 COPY --from=isso-builder /isso/ .
 
+LABEL org.opencontainers.image.source=https://github.com/isso-comments/isso
+LABEL org.opencontainers.image.description="Isso – a commenting server similar to Disqus"
+LABEL org.opencontainers.image.licenses=MIT
+
 # Clean up
 RUN rm -rf /var/apk/cache/* /tmp/* /var/tmp/*
 

From 7c43a7788c47cf510e726bf82bd3ef2cb4c5ffff Mon Sep 17 00:00:00 2001
From: ix5 <ix5@users.noreply.github.com>
Date: Mon, 22 Apr 2024 01:35:46 +0200
Subject: [PATCH 2/5] .github/docker: Discard empty workflow meta labels

Instead use the Dockerfile LABELs
---
 .github/workflows/docker-build.yaml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 296c22c8..8910ea53 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -52,7 +52,6 @@ jobs:
         with:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
           platforms: ${{ env.build_platforms }}
 
       - name: Image digest

From d4dc6e4f1a10cb2433cd1a80f7f7ef4f4e1d2ab3 Mon Sep 17 00:00:00 2001
From: ix5 <ix5@users.noreply.github.com>
Date: Mon, 22 Apr 2024 01:36:45 +0200
Subject: [PATCH 3/5] docs, README: Document changed docker image tagging

`:latest` is now used for auto-pushed images off of
`master`, while `:release` will follow the latest tagged
stable release.
---
 CHANGES.rst                          |  7 ++++++-
 README.md                            | 14 ++++++++++++--
 docs/docs/reference/installation.rst | 22 ++++++++++++++++++++--
 3 files changed, 38 insertions(+), 5 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 98f5ce20..af942c09 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -22,7 +22,12 @@ New Features
 Breaking Changes
 ^^^^^^^^^^^^^^^^
 
-- TBD
+- Rework the Docker image tagging scheme: ``isso:latest`` is now rebuilt on
+  every push to ``master``, while ``isso:release`` points to the latest stable
+  release (`#970`_, janw). Previously, ``:latest`` pointed to the latest stable
+  (tagged) version
+
+.. _#970: https://github.com/isso-comments/isso/pull/970
 
 Bugfixes & Improvements
 ^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/README.md b/README.md
index bca092b8..2379cbd5 100644
--- a/README.md
+++ b/README.md
@@ -45,10 +45,20 @@ the [the full documentation](https://isso-comments.de/docs/).
 
 ## Docker
 
-A Docker image with the latest stable release is provided at
-`ghcr.io/isso-comments/isso:latest`. See
+> [!NOTE]  
+> The Docker image tagging scheme for stable releases was changed from `:latest`
+> to `:release` as of March 2024
+> ([#970](https://github.com/isso-comments/isso/pull/970), [#1012](https://github.com/isso-comments/isso/issues/1012))
+
+A [Docker image](https://github.com/isso-comments/isso/pkgs/container/isso) with
+the latest stable release is provided at `ghcr.io/isso-comments/isso:release`,
+while `isso:latest` is rebuilt on every push to the `master` branch. See
 [Using Docker](https://isso-comments.de/docs/reference/installation/#using-docker).
 
+The maintainers recommend pinning the image to a
+[release tag](https://github.com/isso-comments/isso/pkgs/container/isso), e.g.
+`isso:0.13.0`.
+
 ## Contributing
 
 - Pull requests are very much welcome! These might be
diff --git a/docs/docs/reference/installation.rst b/docs/docs/reference/installation.rst
index 302083c7..ea5cc377 100644
--- a/docs/docs/reference/installation.rst
+++ b/docs/docs/reference/installation.rst
@@ -149,12 +149,30 @@ two options for running a Docker container:
 a) Official Docker image
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
+.. attention::
+
+   The Docker image tagging scheme for stable releases was changed from ``:latest``
+   to ``:release`` as of March 2024 (`#970`_, `#1012`_).
+
+.. _#970: https://github.com/isso-comments/isso/pull/970
+.. _#1012: https://github.com/isso-comments/isso/pull/1012
+
+A `Docker image`_ with the latest stable release is provided at
+``ghcr.io/isso-comments/isso:release``, while ``isso:latest`` is rebuilt on
+every push to the ``master`` branch.
+
+The maintainers recommend pinning the image to a `release tag`_, e.g.
+``isso:0.13.0``.
+
 .. code-block:: console
 
-    $ docker pull ghcr.io/isso-comments/isso:latest
+    $ docker pull ghcr.io/isso-comments/isso:release
     $ docker run -d --rm --name isso -p 127.0.0.1:8080:8080 \
         -v /var/lib/isso:/config -v /var/lib/isso:/db \
-        ghcr.io/isso-comments/isso:latest
+        ghcr.io/isso-comments/isso:release
+
+.. _Docker image: https://github.com/isso-comments/isso/pkgs/container/isso
+.. _release tag: https://github.com/isso-comments/isso/pkgs/container/isso
 
 b) Build a Docker image yourself
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

From ba7c6d534d9f55f1522d99231d498aa2fb08f2b4 Mon Sep 17 00:00:00 2001
From: ix5 <ix5@users.noreply.github.com>
Date: Mon, 22 Apr 2024 01:38:41 +0200
Subject: [PATCH 4/5] Makefile: Clarify, add docker-release targets

---
 Makefile | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index f88fd199..faced3e2 100644
--- a/Makefile
+++ b/Makefile
@@ -38,6 +38,9 @@ APIDOC = npx --no-install apidoc
 
 SASS = sassc
 
+ISSO_IMAGE ?= isso:latest
+ISSO_RELEASE_IMAGE ?= isso:release
+ISSO_DOCKER_REGISTRY ?= ghcr.io/isso-comments
 TESTBED_IMAGE ?= isso-js-testbed:latest
 
 all: js site
@@ -93,21 +96,35 @@ test: $($ISSO_PY_SRC)
 	PYTHONPATH=. pytest --doctest-modules isso/
 
 docker:
-	DOCKER_BUILDKIT=1 docker build -t isso:latest .
+	DOCKER_BUILDKIT=1 docker build -t $(ISSO_IMAGE) .
+
+# For maintainers making releases only:
+docker-release:
+	DOCKER_BUILDKIT=1 docker build -t $(ISSO_IMAGE) .
 
 docker-run:
-	docker run -d --rm --name isso -p 127.0.0.1:8080:8080 --mount type=bind,source=$(PWD)/contrib/isso-dev.cfg,target=/config/isso.cfg,readonly isso:latest isso.run
+	docker run -d --rm --name isso -p 127.0.0.1:8080:8080 \
+		--mount type=bind,source=$(PWD)/contrib/isso-dev.cfg,target=/config/isso.cfg,readonly \
+		$(ISSO_IMAGE) isso.run
 
+# For maintainers only, discouraged in favor of the GitHub action running on
+# every git push
 docker-push:
-	docker tag isso:latest ghcr.io/isso-comments/isso:dev
-	docker push ghcr.io/isso-comments/isso:dev
+	docker tag $(ISSO_IMAGE) $(ISSO_DOCKER_REGISTRY)/$(ISSO_IMAGE)
+	docker push $(ISSO_DOCKER_REGISTRY)/$(ISSO_IMAGE)
+
+# For maintainers making releases only:
+docker-release-push:
+	docker tag $(ISSO_RELEASE_IMAGE) $(ISSO_DOCKER_REGISTRY)/$(ISSO_RELEASE_IMAGE)
+	docker push $(ISSO_DOCKER_REGISTRY)/$(ISSO_RELEASE_IMAGE)
 
 docker-testbed:
-	docker build -f docker/Dockerfile-js-testbed -t isso-js-testbed .
+	docker build -f docker/Dockerfile-js-testbed -t $(TESTBED_IMAGE) .
 
+# For maintainers only:
 docker-testbed-push:
-	docker tag isso-js-testbed:latest ghcr.io/isso-comments/isso-js-testbed:latest
-	docker push ghcr.io/isso-comments/isso-js-testbed:latest
+	docker tag $(TESTBED_IMAGE) $(ISSO_DOCKER_REGISTRY)/$(TESTBED_IMAGE)
+	docker push $(ISSO_DOCKER_REGISTRY)/$(TESTBED_IMAGE)
 
 docker-js-unit:
 	docker run \
@@ -150,4 +167,4 @@ clean:
 	rm -rf .pytest_cache/
 	rm -rf .coverage
 
-.PHONY: apidoc apidoc-init clean coverage docker docker-compare-screenshots docker-generate-screenshots docker-update-screenshots docker-js-unit docker-js-integration docker-push docker-testbed docker-testbed-push init test
+.PHONY: apidoc apidoc-init clean coverage docker docker-compare-screenshots docker-generate-screenshots docker-js-integration docker-js-unit docker-push docker-release docker-release-push docker-run docker-testbed docker-testbed-push docker-update-screenshots init test

From 1544b34691ecfc2b511123951641a6089014b529 Mon Sep 17 00:00:00 2001
From: ix5 <ix5@users.noreply.github.com>
Date: Sun, 28 Apr 2024 23:59:35 +0200
Subject: [PATCH 5/5] .github/docker-build: Tag ':release' on git tags

Caution: This tags the docker image `:release` on _every_
git push containing tags!
---
 .github/workflows/docker-build.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index 8910ea53..b9fa8eb7 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -34,6 +34,7 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{version}}
             type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=release,enable=${{ github.ref_type == 'tag' }}
 
       - name: Login to Github Container Registry
         if: github.event_name != 'pull_request'