Make latest a post-build multi-arch alias

Wuodan · Wuodan · commit 08d517582c3e · 2026-03-16T20:32:23.000Z
Stop tagging latest during the matrix build and create it afterwards from the already-pushed canonical default-distro image instead. The canonical tag is now derived from the same inputs as the legacy latest image: python:<DEFAULT_DISTRO> and Node.js dist/latest. The workflow fails if that computed tag was not part of the current build set, which makes drift explicit. Fixes nikolaik#263. Remove the root Dockerfile because it only existed for Docker Hub's separate automated latest build path. Keeping that file would preserve a second, divergent publishing path for latest while GitHub Actions now owns latest as an alias to an existing multi-arch build. After this change, any Docker Hub automated build or autobuild rule that still targets the deleted root Dockerfile must be disabled in Docker Hub settings. That configuration is external to this repository and is not removed automatically by this commit.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -102,10 +102,37 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
+  tag-latest:
+    name: Point latest at canonical build
+    runs-on: ubuntu-latest
+    needs: [deploy]
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7
+        with:
+          enable-cache: true
+      - name: Download metadata for builds
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
+        with:
+          path: builds
+          pattern: build-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+      - name: Login to Docker Hub
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Point latest to canonical image
+        run: |
+          latest_tag="$(uv run dpn latest-key --builds-dir builds/)"
+          docker buildx imagetools create --tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:${latest_tag}"
+
   release:
     name: Update versions.json and README.md
     runs-on: ubuntu-latest
-    needs: [deploy]
+    needs: [deploy, tag-latest]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - uses: astral-sh/setup-uv@e06108dd0aef18192324c70427afc47652e63a82 # v7
diff --git a/Dockerfile b/Dockerfile
diff --git a/README.md b/README.md
@@ -139,8 +139,6 @@ Versions are kept up to date using official sources. For Python we scrape the _S
 ```bash
 # Pull from Docker Hub
 docker pull nikolaik/python-nodejs:latest
-# Build from GitHub
-docker build -t nikolaik/python-nodejs github.com/nikolaik/docker-python-nodejs
 # Run image
 docker run -it nikolaik/python-nodejs bash
 ```
diff --git a/src/docker_python_nodejs/cli.py b/src/docker_python_nodejs/cli.py
@@ -10,6 +10,7 @@
 from .versions import (
     decide_version_combinations,
     find_new_or_updated,
+    latest_tag_key,
     load_build_contexts,
     load_versions,
     persist_versions,
@@ -23,7 +24,7 @@ class CLIArgs(argparse.Namespace):
     dry_run: bool
     distros: list[str]
     verbose: bool
-    command: Literal["dockerfile", "build-matrix", "release"]
+    command: Literal["dockerfile", "build-matrix", "release", "latest-key"]
     force: bool  # build-matrix and release command arg
 
     context: str  # dockerfile command arg
@@ -69,6 +70,11 @@ def run_release(args: CLIArgs) -> None:
     update_dynamic_readme(versions, supported_python_versions, supported_nodejs_versions, args.dry_run)
 
 
+def run_latest_key(args: CLIArgs) -> None:
+    builds = load_build_contexts(args.builds_dir)
+    print(latest_tag_key(list(builds.values())))
+
+
 def main(args: CLIArgs) -> None:
     if args.dry_run:
         logger.debug("Dry run, outputting only.")
@@ -79,6 +85,8 @@ def main(args: CLIArgs) -> None:
         run_build_matrix(args)
     elif args.command == "release":
         run_release(args)
+    elif args.command == "latest-key":
+        run_latest_key(args)
 
 
 def parse_args() -> CLIArgs:
@@ -125,8 +133,19 @@ def parse_args() -> CLIArgs:
         help="Builds directory with build context JSON files",
     )
 
+    parser_latest_key = subparsers.add_parser(
+        "latest-key",
+        help="Print the built tag that should also be published as latest",
+    )
+    parser_latest_key.add_argument(
+        "--builds-dir",
+        type=Path,
+        required=True,
+        help="Builds directory with build context JSON files",
+    )
+
     cli_args = cast("CLIArgs", parser.parse_args())
-    if cli_args.command == "release":
+    if cli_args.command in {"release", "latest-key"}:
         if not cli_args.builds_dir.exists():
             parser.error(f"Builds directory {cli_args.builds_dir.as_posix()} does not exist")
 
diff --git a/src/docker_python_nodejs/nodejs_versions.py b/src/docker_python_nodejs/nodejs_versions.py
@@ -1,4 +1,5 @@
 import datetime
+import re
 from typing import TypedDict
 
 import requests
@@ -29,6 +30,17 @@ def fetch_node_unofficial_releases() -> list[NodeRelease]:
     return data
 
 
+def fetch_latest_nodejs_version() -> str:
+    url = "https://nodejs.org/dist/latest/SHASUMS256.txt"
+    res = requests.get(url, timeout=10.0)
+    res.raise_for_status()
+    match = re.search(r"node-(v\d+\.\d+\.\d+)-", res.text)
+    if not match:
+        msg = "Could not determine latest Node.js version from SHASUMS256.txt"
+        raise ValueError(msg)
+    return match.group(1)
+
+
 class ReleaseScheduleItem(TypedDict):
     start: str
     lts: str
diff --git a/src/docker_python_nodejs/versions.py b/src/docker_python_nodejs/versions.py
@@ -14,6 +14,7 @@
 
 from .docker_hub import DockerImageDict, DockerTagDict, fetch_tags
 from .nodejs_versions import (
+    fetch_latest_nodejs_version,
     fetch_node_releases,
     fetch_node_unofficial_releases,
     fetch_nodejs_release_schedule,
@@ -105,6 +106,17 @@ def _latest_patch(tags: list[DockerTagDict], ver: str, distro: str) -> str | Non
     return sorted(tags, key=lambda x: Version.parse(x["name"]), reverse=True)[0]["name"] if tags else None
 
 
+def _latest_python_minor(distro: str) -> str:
+    python_patch_re = re.compile(rf"^(\d+\.\d+\.\d+)-{distro}$")
+    tags = [tag["name"] for tag in fetch_tags("python") if python_patch_re.match(tag["name"])]
+    if not tags:
+        msg = f"Could not determine latest Python version for distro '{distro}'"
+        raise ValueError(msg)
+
+    latest_patch = sorted(tags, key=lambda x: Version.parse(x.removesuffix(f"-{distro}")), reverse=True)[0]
+    return ".".join(latest_patch.removesuffix(f"-{distro}").split(".")[:2])
+
+
 def scrape_supported_python_versions() -> list[SupportedVersion]:
     """Scrape supported python versions (risky)."""
     versions = []
@@ -256,6 +268,19 @@ def decide_version_combinations(
     return version_combinations(nodejs_versions, python_versions)
 
 
+def latest_tag_key(versions: list[BuildVersion]) -> str:
+    """Return the built tag that matches the legacy `latest` Dockerfile semantics."""
+    python_minor = _latest_python_minor(DEFAULT_DISTRO)
+    node_major = fetch_latest_nodejs_version().removeprefix("v").split(".")[0]
+    key = f"python{python_minor}-nodejs{node_major}"
+
+    if key not in {version.key for version in versions}:
+        msg = f"Computed latest tag '{key}' was not part of the current build set"
+        raise ValueError(msg)
+
+    return key
+
+
 def persist_versions(versions: list[BuildVersion], dry_run: bool = False) -> None:
     if dry_run:
         logger.debug(versions)
diff --git a/tests/test_all.py b/tests/test_all.py
@@ -18,6 +18,7 @@
     decide_version_combinations,
     fetch_supported_nodejs_versions,
     find_new_or_updated,
+    latest_tag_key,
     load_build_contexts,
     scrape_supported_python_versions,
 )
@@ -289,3 +290,101 @@ def test_find_new_or_updated_with_digest() -> None:
     res = find_new_or_updated([new], {existing.key: existing})
 
     assert len(res) == 0
+
+
+@responses.activate
+def test_latest_tag_key_matches_legacy_latest_sources() -> None:
+    responses.add(
+        method="GET",
+        url="https://registry.hub.docker.com/v2/namespaces/library/repositories/python/tags?page=1&page_size=100",
+        json={
+            "count": 3,
+            "next": None,
+            "previous": None,
+            "results": [
+                {
+                    "name": "3.13.12-trixie",
+                    "images": [{"os": "linux", "architecture": "amd64"}, {"os": "linux", "architecture": "arm64"}],
+                },
+                {
+                    "name": "3.14.3-trixie",
+                    "images": [{"os": "linux", "architecture": "amd64"}, {"os": "linux", "architecture": "arm64"}],
+                },
+                {
+                    "name": "3.14.3-alpine",
+                    "images": [{"os": "linux", "architecture": "amd64"}],
+                },
+            ],
+        },
+    )
+    responses.add(
+        method="GET",
+        url="https://nodejs.org/dist/latest/SHASUMS256.txt",
+        body="deadbeef  node-v25.8.1-linux-x64.tar.xz\n",
+    )
+    versions = [
+        BuildVersion(
+            key="python3.14-nodejs25",
+            python="3.14",
+            python_canonical="3.14.3",
+            python_image="3.14.3-trixie",
+            nodejs="25",
+            nodejs_canonical="25.8.1",
+            distro="trixie",
+            platforms=["linux/amd64", "linux/arm64"],
+        ),
+        BuildVersion(
+            key="python3.14-nodejs24-bookworm",
+            python="3.14",
+            python_canonical="3.14.3",
+            python_image="3.14.3-bookworm",
+            nodejs="24",
+            nodejs_canonical="24.14.0",
+            distro="bookworm",
+            platforms=["linux/amd64", "linux/arm64"],
+        ),
+    ]
+
+    assert latest_tag_key(versions) == "python3.14-nodejs25"
+
+
+@responses.activate
+def test_latest_tag_key_fails_if_canonical_build_is_missing() -> None:
+    responses.add(
+        method="GET",
+        url="https://registry.hub.docker.com/v2/namespaces/library/repositories/python/tags?page=1&page_size=100",
+        json={
+            "count": 1,
+            "next": None,
+            "previous": None,
+            "results": [
+                {
+                    "name": "3.14.3-trixie",
+                    "images": [{"os": "linux", "architecture": "amd64"}, {"os": "linux", "architecture": "arm64"}],
+                },
+            ],
+        },
+    )
+    responses.add(
+        method="GET",
+        url="https://nodejs.org/dist/latest/SHASUMS256.txt",
+        body="deadbeef  node-v25.8.1-linux-x64.tar.xz\n",
+    )
+    versions = [
+        BuildVersion(
+            key="python3.14-nodejs24",
+            python="3.14",
+            python_canonical="3.14.3",
+            python_image="3.14.3-trixie",
+            nodejs="24",
+            nodejs_canonical="24.14.0",
+            distro="trixie",
+            platforms=["linux/amd64", "linux/arm64"],
+        ),
+    ]
+
+    with pytest.raises(
+        ValueError,
+        match=r"Computed latest tag 'python3\.14-nodejs25' was not part of the current build set",
+    ):
+        latest_tag_key(versions)
