fix: pin Deno Docker image and pass release version via job outputs

stack72 · claude · stack72 · commit 16fa71ba5204 · 2026-03-26T19:25:21.000+01:00
Pin the Dockerfile base image to denoland/deno:2.7.5 instead of :latest for reproducible builds. Replace gh release view in the docker job with an explicit job output from the release job, eliminating the possibility of picking up a different release tag. Addresses review feedback from #882. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,6 +17,8 @@ jobs:
   release:
     name: Build and Release
     runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.version }}
     # Only run on merged PRs (not closed without merge) or manual trigger
     if: github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
 
@@ -180,18 +182,17 @@ jobs:
       - name: Download Linux binaries from release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_VERSION: ${{ needs.release.outputs.version }}
         run: |
           mkdir -p docker-build/linux-amd64 docker-build/linux-arm64
-          # Find the release tag (use latest release since we just created it)
-          LATEST_TAG=$(gh release view --json tagName -q .tagName)
-          echo "Downloading binaries from release ${LATEST_TAG}"
-          gh release download "${LATEST_TAG}" --pattern "swamp-linux-x86_64" --dir docker-build/linux-amd64
-          gh release download "${LATEST_TAG}" --pattern "swamp-linux-aarch64" --dir docker-build/linux-arm64
+          RELEASE_TAG="v${RELEASE_VERSION}"
+          echo "Downloading binaries from release ${RELEASE_TAG}"
+          gh release download "${RELEASE_TAG}" --pattern "swamp-linux-x86_64" --dir docker-build/linux-amd64
+          gh release download "${RELEASE_TAG}" --pattern "swamp-linux-aarch64" --dir docker-build/linux-arm64
           mv docker-build/linux-amd64/swamp-linux-x86_64 docker-build/linux-amd64/swamp
           mv docker-build/linux-arm64/swamp-linux-aarch64 docker-build/linux-arm64/swamp
           chmod +x docker-build/linux-amd64/swamp docker-build/linux-arm64/swamp
-          # Extract version from tag for Docker tagging
-          echo "docker_tag=${LATEST_TAG#v}" >> "$GITHUB_ENV"
+          echo "docker_tag=${RELEASE_VERSION}" >> "$GITHUB_ENV"
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM denoland/deno:latest
+FROM denoland/deno:2.7.5
 COPY swamp /usr/local/bin/swamp
 RUN chmod +x /usr/local/bin/swamp
 WORKDIR /workspace

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM denoland/deno:latest`
	`1`	`+FROM denoland/deno:2.7.5`
`2`	`2`	`COPY swamp /usr/local/bin/swamp`
`3`	`3`	`RUN chmod +x /usr/local/bin/swamp`
`4`	`4`	`WORKDIR /workspace`