Do not sign temporary images and cleanup tags

.github/workflows/publish.yml

@@ -54,20 +54,12 @@ jobs:
                   IMAGE_TAG: "docker.io/botsudo/nut-upsd:${{ matrix.platform-tag }}-latest"
                   ACTION: push
 
-            - name: Sign the docker image
-              uses: sudo-bot/action-docker-sign@latest
-              with:
-                  image-ref: "docker.io/botsudo/nut-upsd:${{ matrix.platform-tag }}-latest"
-                  private-key-id: "${{ vars.DOCKER_PRIVATE_KEY_ID }}"
-                  private-key: ${{ secrets.DOCKER_PRIVATE_KEY }}
-                  private-key-passphrase: ${{ secrets.DOCKER_PRIVATE_KEY_PASSPHRASE }}
-
     sign-manifest:
         name: Sign the docker hub manifest
         runs-on: ubuntu-latest
         needs: push-to-registry
         environment:
-            name: Sign Docker manifest
+            name: Build Docker images
         steps:
             - name: Login to DockerHub
               uses: docker/login-action@v3
@@ -99,3 +91,44 @@ jobs:
                   private-key-name: "${{ vars.DOCKER_PRIVATE_KEY_NAME }}"
                   sign-manifest: true
                   notary-auth: "${{ secrets.DOCKER_REPOSITORY_LOGIN }}:${{ secrets.DOCKER_REPOSITORY_PASSWORD }}"
+    tags-cleanup:
+        runs-on: ubuntu-latest
+        needs: sign-manifest
+        name: Cleanup build tags
+        environment:
+            name: Build Docker images
+        steps:
+            - name: Install Docker hub-tool
+              run: |
+                  curl -sL https://github.com/docker/hub-tool/releases/download/v0.4.6/hub-tool-linux-amd64.tar.gz -o hub-tool-linux.tar.gz
+                  tar --strip-components=1 -xzf ./hub-tool-linux.tar.gz
+                  ./hub-tool --version
+            - name: Login hub-tool
+              run: |
+                  # Fool the login command (https://github.com/docker/hub-tool/pull/198)
+                  # ./hub-tool login
+                  # Token commands thank to https://stackoverflow.com/a/59334315/5155484
+                  HUB_TOKEN=$(curl -s -H "Content-Type: application/json" -X POST -d "{\"username\": \"$DOCKER_USERNAME\", \"password\": \"$DOCKER_PASSWORD\"}" https://hub.docker.com/v2/users/login/ | jq -r .token)
+                  USERNAME="$(printf '%s:' "$DOCKER_USERNAME" | base64 -w0)"
+                  USER_PASS="$(printf '%s:%s' "$DOCKER_USERNAME" "$DOCKER_PASSWORD" | base64 -w0)"
+                  mkdir -p ~/.docker/
+                  printf '{"auths": {"hub-tool": {"auth": "%s"}, "hub-tool-refresh-token": {"auth": "%s"}, "hub-tool-token": { "auth": "%s", "identitytoken": "%s"}}}' \
+                    "$USER_PASS" "$USERNAME" \
+                    "$USERNAME" "$HUB_TOKEN" \
+                    > ~/.docker/config.json
+              env:
+                  DOCKER_USERNAME: ${{ secrets.DOCKER_REPOSITORY_LOGIN }}
+                  DOCKER_PASSWORD: ${{ secrets.DOCKER_REPOSITORY_PASSWORD }}
+            - name: Remove the temporary images via hub-tool
+              run: |
+                  ./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:arm64-latest || true
+                  ./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:amd64-latest || true
+                  ./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:armv7-latest || true
+                  ./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:armv6-latest || true
+                  ./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:ppc64le-latest || true
+                  ./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:s390x-latest || true
+                  ./hub-tool tag rm --verbose --force docker.io/botsudo/nut-upsd:386-latest || true
+                  ./hub-tool tag ls --verbose docker.io/botsudo/nut-upsd
+            - name: Logout hub-tool
+              if: always()
+              run: rm ~/.docker/config.json