Add QEMU setup and build for linux/amd64 and linux/arm64 (armv8), publishing
a single multi-arch manifest. The nginx-unprivileged base image provides both
architectures.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
On each push to main, derive the next semantic version from the
conventional-commit messages since the last v* tag (feat -> minor,
fix/perf -> patch, \! or BREAKING CHANGE -> major) and, when a release is
warranted, build and publish the image tagged X.Y.Z, X.Y, X and latest,
then record an annotated vX.Y.Z tag for the next computation. Non-release
pushes publish a sha-<short> image only.
Configure Renovate to commit updates as fix(deps): so each merged Renovate
PR registers as a patch change and is released and tagged automatically.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Replace the raw latest-on-default-branch tag, which moved latest on every
main push, with metadata-action's latest=auto flavor so latest follows the
newest non-prerelease v* release. Add a {{major}} tag alongside the
existing version and major.minor semver tags; branch and SHA tags remain
for traceability of non-release builds.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The auto-provided GITEA_TOKEN does not carry container registry write
permission on most Gitea instances, causing docker login to fail with
"unauthorized". Use a Personal Access Token supplied via the
PACKAGES_TOKEN secret, with the package namespace owner as the username.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Emma Thorpe