adding image-tag output for use in additional jobs (#26)

.github/linters/actionlint.yaml

@@ -0,0 +1,2 @@
+config-variables:
+  - SLACK_CHANNEL_ID

.github/workflows/call-local-docker-build-promotion.yaml

@@ -1,61 +0,0 @@
----
-# THIS IS NOT A TEMPLATE.
-# This is just for testing the repo itself.
-# This calls the reusable workflow from its local file path.
-name: Docker Build with Promotion
-
-on:
-  push:
-    branches:
-      - main
-    paths-ignore:
-      - 'README.md'
-      - '.github/linters/**'
-  pull_request:
-    paths-ignore:
-      - 'README.md'
-      - '.github/linters/**'
-
-# cancel any previously-started, yet still active runs of this workflow on the same branch
-concurrency:
-  group: ${{ github.ref }}-${{ github.workflow }}
-  cancel-in-progress: true
-
-permissions:
-  contents: read
-  packages: write
-  pull-requests: write
-
-jobs:
-
-  # run this job on every push to a PR
-  # it will push images to GHCR, but not DockerHub
-  docker-build-pr:
-    name: Call Build on PR
-    if: github.event_name == 'pull_request'
-    uses: ./.github/workflows/reusable-docker-build.yaml    
-    with:  
-      dockerhub-enable: false
-      ghcr-enable: true
-      push: true
-      image-names: |
-        ghcr.io/${{ github.repository }}
-
-  # run this job on every push to the default branch (including merges and tags)
-  # it will push images to GHCR and DockerHub
-  # tags will also include ones like `stable-<date>-<sha>` and `latest`
-  docker-build-merge:
-    name: Call Build on Push
-    # this if is filtered to only the main branch push event (see events at top)
-    if: github.event_name == 'push'
-    uses: ./.github/workflows/reusable-docker-build.yaml    
-    secrets:
-      dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}
-      dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
-    with:  
-      dockerhub-enable: true
-      ghcr-enable: true
-      push: true
-      image-names: |
-        docker.io/${{ github.repository }}
-        ghcr.io/${{ github.repository }}

.github/workflows/reusable-docker-build.yaml

@@ -92,7 +92,6 @@ on:
         description: Build stage to target
         required: false
         type: string
-      
    
     secrets:
       dockerhub-username:
@@ -103,10 +102,9 @@ on:
         required: false
 
     outputs:
-      ghcr-tag:
-        description: "single-use tag for ghcr.io"
-        value: ${{ jobs.build-image.outputs.ghcr-tag }}
-
+      image-tag:
+        description: "single-use image tag for GHA runs"
+        value: ${{ jobs.build-image.outputs.image-tag }}
 
 # permissions: GITHUB_TOKEN are better set by the **calling** workflow
 # but we'll set defaults here for reference
@@ -126,36 +124,36 @@ jobs:
 
     outputs:
       # only outputs the unique gha- image tag that's unique to each GHA run
-      ghcr-tag: ${{ steps.ghcr-tag.outputs.tag }}
+      image-tag: ${{ steps.image-tag.outputs.image-tag }}
 
     steps:
-      -
+
         # we need qemu and buildx so we can build multiple platforms later
-        name: Set up QEMU
+      - name: Set up QEMU
         id: qemu
         uses: docker/setup-qemu-action@v2.1.0
-      -
+
         # BuildKit (used with `docker buildx`) is the best way to build images
-        name: Set up Docker Buildx
+      - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2.5.0
-      -
-        name: Login to DockerHub
+
+      - name: Login to DockerHub
         if: inputs.dockerhub-enable
         uses: docker/login-action@v2.1.0
         with:
           username: ${{ secrets.dockerhub-username }}
           password: ${{ secrets.dockerhub-token }}
-      -
-        name: Login to GHCR
+
+      - name: Login to GHCR
         if: inputs.ghcr-enable
         uses: docker/login-action@v2.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Docker meta
+
+      - name: Docker meta
         id: docker_meta
         uses: docker/metadata-action@v4.3.0
         with:
@@ -163,12 +161,12 @@ jobs:
           images: ${{ inputs.image-names }}
           flavor: ${{ inputs.flavor-rules }}
           tags: ${{ inputs.tag-rules }}
-      -
+
         # this will build the images, once per platform,
         # then push to one or more registries (based on image list above in docker_meta)
         # NOTE: this will not push if a PR is from a fork, where secrets are not available
         # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
-        name: Docker Build and Push
+      - name: Docker Build and Push
         id: build_image
         uses: docker/build-push-action@v4.0.0
         with:
@@ -189,10 +187,10 @@ jobs:
           # https://docs.docker.com/build/attestations/attestation-storage/
           provenance: true
           sbom: true
-      -
+
         # If PR, put image tags in the PR comments
         # from https://github.com/marketplace/actions/create-or-update-comment
-        name: Find comment for image tags
+      - name: Find comment for image tags
         uses: peter-evans/find-comment@v2.3.0
         if: github.event_name == 'pull_request' && inputs.comment-enable
         id: fc
@@ -220,8 +218,13 @@ jobs:
             ```
           edit-mode: replace
 
-      - name: Find the gha-run-based image tag we just pushed to ghcr.io
-        id: ghcr-tag
+        # for dependent jobs, we need to output the unique tag for this GHA run
+        # based on the docker_meta tag priority rules, the highest priority tag
+        # will be sent to this output
+        # this step output is sent to job output, which is sent to workflow output
+        # use this tag in another job with needs.<job-name>.outputs.image-tag
+      - name: Find the primary image tag we just pushed, and output it
+        id: image-tag
         run: |
           # shellcheck disable=SC2086
-          echo "tag=gha-${{ github.run_id }}" >> $GITHUB_OUTPUT
+          echo "image-tag=${{ steps.docker_meta.outputs.version }}" >> $GITHUB_OUTPUT