Hi Mathilde, thanks for your fast reply, much appreciated 🙂.
Docker images must always be named as follows: <image name>:<tag>. Your last command would create an image named cryptpad/latest, but because you did not specify a tag, I believe it would use the latest tag by default, resulting in the image cryptpad/latest:latest being created. I don't think this is what you expect. Provided that version-X.y.z is the latest version, it should be instead:
docker buildx build \
--push \
--platform linux/arm64,linux/amd64 \
-t cryptpad/cryptpad:version-X.y.z \
-t cryptpad/cryptpad:latest \
.
Docker layers are identified by their SHA256 sum. A tag (e.g. version-X.y.z) is nothing more than a pointer to such a hash. In this case, both the version-X.y.z and latest tags will point to the same underlying layer. Note that if a tag with the same name already exists it will be overridden. Make sure you only specify the latest tag in the command if you are actually pushing the latest version.
FWIW, it's also pretty common to have a tag for each semver increment:
docker buildx build \
--push \
--platform linux/arm64,linux/amd64 \
-t cryptpad/cryptpad:version-X.y.z \
-t cryptpad/cryptpad:X.y.z \
-t cryptpad/cryptpad:X.y \
-t cryptpad/cryptpad:X \
-t cryptpad/cryptpad:latest \
.
That way, it's possible for users to pin a specific major version, so that they still get security patches fast, but must manually intervene for major upgrades, which may require manual migration processes.
It is also possible for you to push a latest tag right now on version-2025.6.0 without rebuilding anything if you want:
docker pull cryptpad/cryptpad:version-2025.6.0
docker image tag cryptpad/cryptpad:version-2025.6.0 cryptpad/cryptpad:latest
docker push cryptpad/cryptpad:latest
Let me know if you need any clarification or guidance, I'm glad to help 🙂. Note that this could be implemented in your GitHub workflow if you're fine with the supply chain implications of that.
Thanks!
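The tagging scheme from the post above, as an added example that is not part of the original post or the project's own tooling: it derives the `-t` arguments for a release and moves `X.y`, `X` and `latest` only when no already published version in that range is higher. The helper names and the list of published versions are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). REPO is the image name used in the
# thread; the published versions in the demo call are constructed samples.
REPO="cryptpad/cryptpad"

# Succeeds when $1 is a plain X.y.z version made of digits only.
is_release_version() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Prints the highest of the given versions, comparing each field numerically.
highest_version() {
  printf '%s\n' "$@" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# is_newest_in PREFIX NEW [PUBLISHED...]
# Succeeds when no published version starting with PREFIX is higher than NEW.
is_newest_in() {
  local prefix="$1" new="$2" v
  shift 2
  for v in "$@"; do
    case "$v" in "$prefix"*) ;; *) continue ;; esac
    [ "$(highest_version "$new" "$v")" = "$new" ] || return 1
  done
  return 0
}

# tag_args NEW [PUBLISHED...]
# Prints one "-t repo:tag" line per tag NEW may claim. A floating tag is
# overwritten on push, so a backport must not pull X, X.y or latest backwards.
tag_args() {
  local new="$1" major minor tags t
  is_release_version "$new" || { echo "not an X.y.z version: $new" >&2; return 1; }
  shift
  major="${new%%.*}"
  minor="${new%.*}"
  tags="version-$new $new"
  if is_newest_in "$minor." "$new" "$@"; then tags="$tags $minor"; fi
  if is_newest_in "$major." "$new" "$@"; then tags="$tags $major"; fi
  if is_newest_in "" "$new" "$@"; then tags="$tags latest"; fi
  for t in $tags; do printf -- '-t %s:%s\n' "$REPO" "$t"; done
}

# Constructed demo: a backport of the 2025.3 line while 2025.6.0 is already out.
tag_args 2025.3.1 2025.3.0 2025.6.0 2024.12.1
```

The printed lines can be spliced into the `docker buildx build --push` command shown in the post in place of the hand-written `-t` flags.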