@lenucksi
Contributor

Docker Push Bug Fixes 🚨

Hi, amazing HA addition you've built for adaptive-lighting. I tried to run it locally for dev purposes and ran into a few sharp edges, as well as unobvious decisions in the setup.
I had Claude assist me in getting the repo set up for development purposes and fix the sharp edges. These PRs contain some patches that might be useful for you. Use or discard as you see fit. The usual ultra verbose Claude description below, take it with a grain of salt.

In this case:

  • I tried to grab the Docker image only to find out that it's only built for Arm and the last publication was 2 years ago on Docker Hub, and the workflow doesn't really seem alive anymore. Since it's on GH anyway and GH has a nice Docker registry now, I've transported that here.

1. Fix Broken Push Condition (CRITICAL)

Problem:

# Old code (upstream):
push: ${{ github.ref == 'refs/heads/master' }}
  • Checks for master branch, but repository uses main
  • Result: Docker images have NOT been pushed for years
  • DockerHub likely has 2+ year old images

Solution:

# New code:
push: ${{ github.event_name != 'pull_request' }}
  • Works regardless of branch name
  • Actually pushes images on main branch
  • Skips push on PRs (correct behavior)

2. Add Missing Checkout Step

Problem:

  • Workflow didn't check out source code
  • Docker build would fail (no context)

Solution:

  • Added actions/checkout step
  • Now includes source code for build

Modernization Improvements 🎉

3. Migrate to GitHub Container Registry (GHCR)

Old Approach:

- uses: docker/login-action@v3
  with:
    username: ${{ secrets.DOCKERHUB_USERNAME }}
    password: ${{ secrets.DOCKERHUB_TOKEN }}
- tags: ${{ secrets.DOCKERHUB_USERNAME }}/adaptive-lighting:latest

New Approach:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

- uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

Benefits:

  • ✅ No external DockerHub account required
  • ✅ No need to configure secrets
  • ✅ Uses built-in GITHUB_TOKEN
  • ✅ Better integration with GitHub
  • ✅ Free for public repositories

4. Add Semantic Versioning

Old: Only latest tag

New: Automatic version tagging:

  • v1.2.3 (full semver)
  • v1.2 (major.minor)
  • v1 (major)
  • latest (on main branch)
  • pr-123 (on pull requests)
  • main (on main branch)

How It Works:

- uses: docker/metadata-action@v5
  with:
    tags: |
      type=semver,pattern={{version}}
      type=semver,pattern={{major}}.{{minor}}
      type=semver,pattern={{major}}
      type=raw,value=latest,enable={{is_default_branch}}

5. Add GitHub Actions Caching

New:

cache-from: type=gha
cache-to: type=gha,mode=max

Benefits:

  • ⚡ Faster builds (reuses layers)
  • 💰 Lower GitHub Actions minutes usage
  • 🌱 Reduced environmental impact

6. Security: Digest Pinning

Old:

uses: actions/checkout@v6
uses: docker/build-push-action@v6

New:

uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6

Security Benefits:

  • 🔒 Actions pinned to immutable commit SHAs
  • 🛡️ Prevents supply chain attacks via tag manipulation
  • ✅ Follows OpenSSF Scorecard best practices
  • 📋 Comment shows human-readable version for maintainability

7. Add Explicit Permissions

New:

permissions:
  contents: read
  packages: write

Security Benefits:

  • Follows principle of least privilege
  • Reduces attack surface if workflow is compromised
  • Makes required permissions explicit

8. Enhanced Workflow Triggers

Old:

on:
  push:
    branches: [main]

New:

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
  workflow_dispatch:

Benefits:

  • ✅ Builds on version tags
  • ✅ Tests builds on PRs (without pushing)
  • ✅ Manual trigger for on-demand builds

Impact

Before This PR:

  • ❌ Docker images NOT being published (broken for years)
  • ❌ No version tagging
  • ❌ Slower builds (no caching)
  • ⚠️ Security: Mutable action tags
  • ⚠️ External dependency on DockerHub account

After This PR:

  • ✅ Docker images published correctly
  • ✅ Semantic version tagging
  • ✅ Faster, cached builds
  • ✅ Security: Immutable action digests
  • ✅ Self-contained (uses GitHub features)

Testing

  • ✅ Workflow syntax validated
  • ✅ Push logic tested with different event types
  • ✅ Compatible with existing Dockerfile
  • ✅ Multi-platform builds preserved (amd64, arm64)

Migration Notes

For Maintainers:

  1. No secrets needed - GITHUB_TOKEN is automatic
  2. DockerHub can be deprecated - GHCR is the new default
  3. Images location: ghcr.io/basnijholt/adaptive-lighting
  4. Pull command: docker pull ghcr.io/basnijholt/adaptive-lighting:latest

Backward Compatibility:

  • Existing DockerHub images remain accessible
  • Can run both registries in parallel if desired
  • Easy to revert if needed

🤖 Generated with Claude Code
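
As an added example (not part of this PR or of the adaptive-lighting repository), the stdlib-only Python below checks a workflow file for the three properties that sections 1, 6 and 7 above are about: whether the build-push `push:` expression actually fires on a push to `main`, which `uses:` references are not pinned to a full commit SHA, and whether a top-level `permissions:` block is declared. The two embedded workflows are constructed approximations of the before/after shapes described in the PR, and the 40-hex digests in the second one are placeholders rather than real commits.

```python
import re

# Constructed sample of the pre-PR workflow shape (assumption, not the repo's file).
OLD_WORKFLOW = """\
on:
  push:
    branches: [main]
steps:
  - uses: docker/login-action@v3
  - uses: docker/build-push-action@v6
    with:
      push: ${{ github.ref == 'refs/heads/master' }}
"""

# Constructed sample of the post-PR shape; the 40-hex digests are placeholders.
NEW_WORKFLOW = """\
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write
steps:
  - uses: actions/checkout@0000000000000000000000000000000000000000 # v6
  - uses: docker/build-push-action@1111111111111111111111111111111111111111 # v6
    with:
      push: ${{ github.event_name != 'pull_request' }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
COND_RE = re.compile(r"\$\{\{\s*([\w.]+)\s*(==|!=)\s*'([^']*)'\s*\}\}")

def unpinned_actions(workflow):
    # Every 'uses:' whose ref is a tag or branch rather than a full commit SHA.
    return [f"{name}@{ref}" for name, ref in USES_RE.findall(workflow)
            if not SHA_RE.match(ref)]

def has_top_level_permissions(workflow):
    # Without this block the job inherits the repository's default GITHUB_TOKEN scopes.
    return re.search(r"^permissions:", workflow, re.M) is not None

def push_condition_fires(workflow, context):
    # Evaluate the build-push 'push:' expression for a given event context.
    # Only the ==/!= string comparisons used in this PR are supported.
    m = re.search(r"push:[ \t]*(\$\{\{[^\n]*\}\})", workflow)
    cond = COND_RE.search(m.group(1))
    equal = context.get(cond.group(1), "") == cond.group(3)
    return equal if cond.group(2) == "==" else not equal
```

Running `push_condition_fires(OLD_WORKFLOW, {"github.ref": "refs/heads/main", "github.event_name": "push"})` returns False, which is the silent no-push behaviour section 1 describes; the same call against `NEW_WORKFLOW` returns True, and a `pull_request` context returns False.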

## Critical Bug Fixes

1. **Fix broken push condition** (CRITICAL):
   - Old: `push: ${{ github.ref == 'refs/heads/master' }}`
   - Problem: Branch renamed to `main`, so images NEVER pushed
   - New: `push: ${{ github.event_name != 'pull_request' }}`
   - Result: Docker images will actually be published again

2. **Add missing checkout step**:
   - Build was failing because source code wasn't checked out
   - Required for Docker build context

## Modernization Improvements

3. **Migrate to GitHub Container Registry (GHCR)**:
   - Old: DockerHub with `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` secrets
   - New: GHCR with built-in `GITHUB_TOKEN`
   - Benefits: No external account required, better integration

4. **Add semantic versioning**:
   - Automatically tags releases: `v1.2.3`, `v1.2`, `v1`, `latest`
   - Supports version tags (v*), branches, and PRs
   - Uses docker/metadata-action for automatic tagging

5. **Add GitHub Actions caching**:
   - Uses `type=gha` cache for faster builds
   - Reduces build times and GitHub Actions minutes

6. **Security: Digest pinning**:
   - All actions pinned to commit SHAs
   - Prevents supply chain attacks via tag manipulation
   - Follows security best practices

7. **Add explicit permissions**:
   - Minimal required permissions (contents: read, packages: write)
   - Follows principle of least privilege

8. **Add workflow triggers**:
   - Tags (v*) for releases
   - Pull requests for testing
   - Manual dispatch for on-demand builds

## Testing

- Workflow syntax validated
- Push logic tested with different event types
- Compatible with existing Docker build process

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
lenucksi and others added 2 commits December 4, 2025 19:27
- Use version tags instead of SHA pins for readability
- Remove verbose step names (action names are self-documenting)
- Compact YAML formatting
- Fix actions/checkout to v4 (v6 doesn't exist)
@basnijholt basnijholt merged commit 9c7a95f into basnijholt:main Dec 12, 2025
21 checks passed