Make latest a multi-arch tag in the normal deploy flow

Determine the canonical latest image from the current build set and publish `latest` during the normal deploy flow alongside the corresponding versioned tag.

This replaces the separate `latest` build path, so `latest` is published for all supported architectures without relying on a separate Docker Hub build.

Remove the root Dockerfile because it only existed for the separate Docker Hub Automated Build path. Any Docker Hub automated build still configured to use that file must be disabled in Docker Hub.

Fixes nikolaik#263.

Author: Wuodan

.github/workflows/build.yaml

@@ -29,6 +29,7 @@ jobs:
     outputs:
       version_matrix: ${{ steps.set-matrix.outputs.matrix }}
       arch_matrix: ${{ steps.set-matrix.outputs.arch_matrix }}
+      latest_key: ${{ steps.set-matrix.outputs.latest_key }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
@@ -104,6 +105,9 @@ jobs:
             refs+=("${IMAGE_NAME}:${{ matrix.key }}-arm64")
           fi
           docker manifest create "${IMAGE_NAME}:${{ matrix.key }}" "${refs[@]}"
+          if [[ "${{ needs.generate-matrix.outputs.latest_key }}" == "${{ matrix.key }}" ]]; then
+            docker manifest create "${IMAGE_NAME}:latest" "${refs[@]}"
+          fi
 
       - name: Login to Docker Hub
         uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
@@ -112,15 +116,22 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Push multi-arch manifest
-        run: docker manifest push "${IMAGE_NAME}:${{ matrix.key }}"
+        id: push-manifest
+        run: |
+          digest="$(docker manifest push "${IMAGE_NAME}:${{ matrix.key }}" | tail -n1)"
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+
+      - name: Push latest manifest
+        if: needs.generate-matrix.outputs.latest_key == matrix.key
+        run: docker manifest push "${IMAGE_NAME}:latest"
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
 
       - name: Add digest to build context
         run: |
           mkdir builds/
-          digest="$(docker buildx imagetools inspect "${IMAGE_NAME}:${{ matrix.key }}" | awk '/^Digest:/ {print $2}')"
+          digest="${{ steps.push-manifest.outputs.digest }}"
           echo '${{ toJSON(matrix) }}' | jq --arg digest "$digest" '. +={"digest": $digest}' >> "builds/${{ matrix.key }}.json"
 
       - name: Upload build context

Dockerfile

@@ -139,8 +139,6 @@ Versions are kept up to date using official sources. For Python we scrape the _S
 ```bash
 # Pull from Docker Hub
 docker pull nikolaik/python-nodejs:latest
-# Build from GitHub
-docker build -t nikolaik/python-nodejs github.com/nikolaik/docker-python-nodejs
 # Run image
 docker run -it nikolaik/python-nodejs bash
 ```

README.md

@@ -9,6 +9,8 @@
 if TYPE_CHECKING:
     from .versions import BuildVersion
 
+from .versions import latest_tag_key
+
 CI_EVENT_SCHEDULED = "scheduled"
 
 logger = logging.getLogger("dpn")
@@ -60,7 +62,9 @@ def build_matrix(new_or_updated: list[BuildVersion], ci_event: str) -> None:
 
     matrix = _build_matrix_json(new_or_updated)
     arch_matrix = _build_arch_matrix_json(new_or_updated)
+    latest_key = latest_tag_key(new_or_updated) if new_or_updated else ""
     _github_action_set_output("matrix", matrix)
     _github_action_set_output("arch_matrix", arch_matrix)
+    _github_action_set_output("latest_key", latest_key)
     logger.info("\n# New or updated versions:")
     logger.info("Nothing" if not new_or_updated else "\n".join(version.key for version in new_or_updated))

src/docker_python_nodejs/build_matrix.py

@@ -1,4 +1,5 @@
 import datetime
+import re
 from typing import TypedDict
 
 import requests
@@ -29,6 +30,17 @@ def fetch_node_unofficial_releases() -> list[NodeRelease]:
     return data
 
 
+def fetch_latest_nodejs_version() -> str:
+    url = "https://nodejs.org/dist/latest/SHASUMS256.txt"
+    res = requests.get(url, timeout=10.0)
+    res.raise_for_status()
+    match = re.search(r"node-(v\d+\.\d+\.\d+)-", res.text)
+    if not match:
+        msg = "Could not determine latest Node.js version from SHASUMS256.txt"
+        raise ValueError(msg)
+    return match.group(1)
+
+
 class ReleaseScheduleItem(TypedDict):
     start: str
     lts: str

src/docker_python_nodejs/nodejs_versions.py

@@ -14,6 +14,7 @@
 
 from .docker_hub import DockerImageDict, DockerTagDict, fetch_tags
 from .nodejs_versions import (
+    fetch_latest_nodejs_version,
     fetch_node_releases,
     fetch_node_unofficial_releases,
     fetch_nodejs_release_schedule,
@@ -105,6 +106,17 @@ def _latest_patch(tags: list[DockerTagDict], ver: str, distro: str) -> str | Non
     return sorted(tags, key=lambda x: Version.parse(x["name"]), reverse=True)[0]["name"] if tags else None
 
 
+def _latest_python_minor(distro: str) -> str:
+    python_patch_re = re.compile(rf"^(\d+\.\d+\.\d+)-{distro}$")
+    tags = [tag["name"] for tag in fetch_tags("python") if python_patch_re.match(tag["name"])]
+    if not tags:
+        msg = f"Could not determine latest Python version for distro '{distro}'"
+        raise ValueError(msg)
+
+    latest_patch = sorted(tags, key=lambda x: Version.parse(x.removesuffix(f"-{distro}")), reverse=True)[0]
+    return ".".join(latest_patch.removesuffix(f"-{distro}").split(".")[:2])
+
+
 def scrape_supported_python_versions() -> list[SupportedVersion]:
     """Scrape supported python versions (risky)."""
     versions = []
@@ -256,6 +268,18 @@ def decide_version_combinations(
     return version_combinations(nodejs_versions, python_versions)
 
 
+def latest_tag_key(versions: list[BuildVersion]) -> str:
+    python_minor = _latest_python_minor(DEFAULT_DISTRO)
+    node_major = fetch_latest_nodejs_version().removeprefix("v").split(".")[0]
+    key = f"python{python_minor}-nodejs{node_major}"
+
+    if key not in {version.key for version in versions}:
+        msg = f"Computed latest tag '{key}' was not part of the current build set"
+        raise ValueError(msg)
+
+    return key
+
+
 def persist_versions(versions: list[BuildVersion], dry_run: bool = False) -> None:
     if dry_run:
         logger.debug(versions)

src/docker_python_nodejs/versions.py

@@ -8,7 +8,7 @@
 import pytest
 import responses
 
-from docker_python_nodejs.build_matrix import _build_arch_matrix_json
+from docker_python_nodejs.build_matrix import _build_arch_matrix_json, _build_matrix_json
 from docker_python_nodejs.dockerfiles import render_dockerfile_with_context
 from docker_python_nodejs.readme import update_dynamic_readme
 from docker_python_nodejs.settings import BASE_PATH, DOCKERFILES_PATH
@@ -19,6 +19,7 @@
     decide_version_combinations,
     fetch_supported_nodejs_versions,
     find_new_or_updated,
+    latest_tag_key,
     load_build_contexts,
     scrape_supported_python_versions,
 )
@@ -327,3 +328,113 @@ def test_build_arch_matrix_json(build_version: BuildVersion) -> None:
             },
         ],
     }
+
+
+def test_build_matrix_json() -> None:
+    versions = [
+        BuildVersion(
+            key="python3.14-nodejs25",
+            python="3.14",
+            python_canonical="3.14.3",
+            python_image="3.14.3-trixie",
+            nodejs="25",
+            nodejs_canonical="25.8.1",
+            distro="trixie",
+            platforms=["linux/amd64", "linux/arm64"],
+        ),
+        BuildVersion(
+            key="python3.14-nodejs24-bookworm",
+            python="3.14",
+            python_canonical="3.14.3",
+            python_image="3.14.3-bookworm",
+            nodejs="24",
+            nodejs_canonical="24.14.0",
+            distro="bookworm",
+            platforms=["linux/amd64", "linux/arm64"],
+        ),
+    ]
+
+    matrix = json.loads(_build_matrix_json(versions))
+
+    assert matrix == {
+        "include": [
+            {
+                "key": "python3.14-nodejs25",
+                "python": "3.14",
+                "python_canonical": "3.14.3",
+                "python_image": "3.14.3-trixie",
+                "nodejs": "25",
+                "nodejs_canonical": "25.8.1",
+                "distro": "trixie",
+                "platforms": ["linux/amd64", "linux/arm64"],
+                "digest": "",
+            },
+            {
+                "key": "python3.14-nodejs24-bookworm",
+                "python": "3.14",
+                "python_canonical": "3.14.3",
+                "python_image": "3.14.3-bookworm",
+                "nodejs": "24",
+                "nodejs_canonical": "24.14.0",
+                "distro": "bookworm",
+                "platforms": ["linux/amd64", "linux/arm64"],
+                "digest": "",
+            },
+        ],
+    }
+
+
+def test_latest_tag_key_matches_latest_sources() -> None:
+    versions = [
+        BuildVersion(
+            key="python3.14-nodejs25",
+            python="3.14",
+            python_canonical="3.14.3",
+            python_image="3.14.3-trixie",
+            nodejs="25",
+            nodejs_canonical="25.8.1",
+            distro="trixie",
+            platforms=["linux/amd64", "linux/arm64"],
+        ),
+        BuildVersion(
+            key="python3.14-nodejs24-bookworm",
+            python="3.14",
+            python_canonical="3.14.3",
+            python_image="3.14.3-bookworm",
+            nodejs="24",
+            nodejs_canonical="24.14.0",
+            distro="bookworm",
+            platforms=["linux/amd64", "linux/arm64"],
+        ),
+    ]
+
+    with (
+        mock.patch("docker_python_nodejs.versions._latest_python_minor", return_value="3.14"),
+        mock.patch("docker_python_nodejs.versions.fetch_latest_nodejs_version", return_value="v25.8.1"),
+    ):
+        assert latest_tag_key(versions) == "python3.14-nodejs25"
+
+
+def test_latest_tag_key_fails_if_canonical_build_is_missing() -> None:
+    versions = [
+        BuildVersion(
+            key="python3.14-nodejs24",
+            python="3.14",
+            python_canonical="3.14.3",
+            python_image="3.14.3-trixie",
+            nodejs="24",
+            nodejs_canonical="24.14.0",
+            distro="trixie",
+            platforms=["linux/amd64", "linux/arm64"],
+        ),
+    ]
+
+    with (
+        mock.patch("docker_python_nodejs.versions._latest_python_minor", return_value="3.14"),
+        mock.patch("docker_python_nodejs.versions.fetch_latest_nodejs_version", return_value="v25.8.1"),
+        pytest.raises(
+            ValueError,
+            match=r"Computed latest tag 'python3\.14-nodejs25' was not part of the current build set",
+        ),
+    ):
+        latest_tag_key(versions)