mieweb · runleveldev · Jun 19, 2026 · Jun 14, 2026 · Jun 14, 2026 · Jun 14, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -2,5 +2,17 @@
 /create-a-container/certs/*
 !/create-a-container/certs/.gitignore
 /create-a-container/.env
+/create-a-container/client/dist
 /mie-opensource-landing/build
+/mie-opensource-landing/site
+/mie-opensource-landing/.venv
+/mie-opensource-landing/.cache
 **/node_modules
+**/__pycache__
+
+# packaging build artifacts (rebuilt inside the builder image)
+**/.pkg
+/dist
+**/*.deb
+**/*.rpm
+**/*.apk
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
@@ -1,25 +1,21 @@
 name: Build and Push Images
 
 on:
+  # Build on pushes to the default branch (merges) and on every pull request
+  # update. Feature-branch pushes are covered by their PR, avoiding duplicate
+  # builds and registry churn. No paths filter, so doc-only changes still
+  # rebuild the images.
   push:
     branches:
-      - '**'
-    tags:
-      - '**'
-    paths:
-      - 'images/**'
-      - 'mie-opensource-landing/**'
-      - 'Makefile'
+      - main
   pull_request:
     types: [opened, synchronize, reopened, closed]
-    paths:
-      - 'images/**'
-      - 'mie-opensource-landing/**'
-      - 'Makefile'
   schedule:
     # Run weekly on Sunday at 11:00 PM UTC (Sunday-Monday night depending on timezone)
     - cron: '0 23 * * 0'
   workflow_dispatch:
+  release:
+    types: [published]
 
 env:
   REGISTRY: ghcr.io
@@ -35,6 +31,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
+          fetch-depth: 0
           persist-credentials: false
 
       - name: Set up Docker Buildx
@@ -53,74 +50,80 @@ jobs:
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}/base
           bake-target: base
+          flavor: latest=false
           tags: |
             type=sha
             type=ref,event=branch
             type=ref,event=pr
             type=ref,event=tag
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
 
       - name: Docker Meta (NodeJS)
         id: meta-nodejs
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}/nodejs
           bake-target: nodejs
+          flavor: latest=false
           tags: |
             type=sha
             type=ref,event=branch
             type=ref,event=pr
             type=ref,event=tag
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
 
       - name: Docker Meta (Docs)
         id: meta-docs
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}/docs
           bake-target: docs
+          flavor: latest=false
           tags: |
             type=sha
             type=ref,event=branch
             type=ref,event=pr
             type=ref,event=tag
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
 
       - name: Docker Meta (Agent)
         id: meta-agent
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}/agent
           bake-target: agent
+          flavor: latest=false
           tags: |
             type=sha
             type=ref,event=branch
             type=ref,event=tag
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
 
       - name: Docker Meta (Manager)
         id: meta-manager
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}/manager
           bake-target: manager
+          flavor: latest=false
           tags: |
             type=sha
             type=ref,event=branch
             type=ref,event=tag
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
 
       - name: Docker Meta (Proxmox VE)
         id: meta-proxmox-ve
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ github.repository }}/proxmox-ve
           bake-target: proxmox-ve
+          flavor: latest=false
           tags: |
             type=sha
             type=ref,event=branch
             type=ref,event=tag
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}
 
       - name: Build and push
         uses: docker/bake-action@v5

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,70 @@
+name: Release Packages
+
+# Triggered by publishing a GitHub release (full or prerelease). Builds the
+# three Debian packages and uploads them to the release that triggered the
+# workflow, together with flat APT repository metadata (Packages, Packages.gz)
+# so the release can be used directly as an apt source:
+#
+#   deb [trusted=yes] https://github.com/mieweb/opensource-server/releases/latest/download/ ./
+#
+# The release URLs (releases/latest/download/<file>) serve the flat repo; the
+# images ship this source so `apt upgrade` tracks future releases. This
+# workflow never creates or modifies the release itself — create the release
+# (and choose full vs prerelease) in GitHub first, then this attaches assets.
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build packages
+        uses: docker/bake-action@v5
+        with:
+          workdir: ./images
+          targets: builder
+          files: |
+            ./docker-bake.hcl
+          set: |
+            builder.output=type=local,dest=../dist
+
+      - name: Generate flat APT repository metadata
+        run: |
+          cd dist/dist
+          # Scan only the versioned packages so the apt index has no duplicates.
+          dpkg-scanpackages --multiversion . > Packages
+          gzip -k9f Packages
+          # Stable-name aliases for one-off downloads (the _latest URLs resolve
+          # via releases/latest/download for the newest non-prerelease release).
+          for pkg in opensource-server opensource-docs opensource-agent; do
+            f=$(ls ${pkg}_*.deb | head -1)
+            [ -n "$f" ] && cp -f "$f" "${pkg}_latest.deb"
+          done
+          ls -l
+
+      - name: Upload assets to the release
+        if: github.event_name == 'release'
+        env:
+          GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.event.release.tag_name }}
+        run: |
+          gh release upload "$TAG" \
+            dist/dist/*.deb \
+            dist/dist/Packages \
+            dist/dist/Packages.gz \
+            --repo "${{ github.repository }}" \
+            --clobber
diff --git a/.gitignore b/.gitignore
@@ -2,3 +2,6 @@ node_modules
 .env
 .tmp-verify/
 .playwright-mcp/
+
+# packaging build artifacts
+/dist/