diff --git a/.github/workflows/build-and-push-image-semver.yaml b/.github/workflows/build-and-push-image-semver.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8fb6d35c28475629e4d258d19c81ea5187f2ab27
--- /dev/null
+++ b/.github/workflows/build-and-push-image-semver.yaml
@@ -0,0 +1,115 @@
+name: Publish AnythingLLM Docker image on Release (amd64 & arm64)
+
+concurrency:
+ group: build-${{ github.ref }}
+ cancel-in-progress: true
+
+on:
+ release:
+ types: [published]
+
+jobs:
+ push_multi_platform_to_registries:
+ name: Push Docker multi-platform image to multiple registries
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+
+ - name: Check if DockerHub build needed
+ shell: bash
+ run: |
+ # Check if the secret for USERNAME is set (don't even check for the password)
+ if [[ -z "${{ secrets.DOCKER_USERNAME }}" ]]; then
+ echo "DockerHub build not needed"
+ echo "enabled=false" >> $GITHUB_OUTPUT
+ else
+ echo "DockerHub build needed"
+ echo "enabled=true" >> $GITHUB_OUTPUT
+ fi
+ id: dockerhub
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+ # Only login to the Docker Hub if the repo is mintplex/anythingllm, to allow for forks to build on GHCR
+ if: steps.dockerhub.outputs.enabled == 'true'
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ with:
+ images: |
+ ${{ steps.dockerhub.outputs.enabled == 'true' && 'mintplexlabs/anythingllm' || '' }}
+ ghcr.io/${{ github.repository }}
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+
+ - name: Build and push multi-platform Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./docker/Dockerfile
+ push: true
+ sbom: true
+ provenance: mode=max
+ platforms: linux/amd64,linux/arm64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ # For Docker scout there are some intermediary reported CVEs which exists outside
+ # of execution content or are unreachable by an attacker but exist in image.
+ # We create VEX files for these so they don't show in scout summary.
+ - name: Collect known and verified CVE exceptions
+ id: cve-list
+ run: |
+ # Collect CVEs from filenames in vex folder
+ CVE_NAMES=""
+ for file in ./docker/vex/*.vex.json; do
+ [ -e "$file" ] || continue
+ filename=$(basename "$file")
+ stripped_filename=${filename%.vex.json}
+ CVE_NAMES+=" $stripped_filename"
+ done
+ echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
+ shell: bash
+
+ # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
+ # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
+ - name: Add VEX attestations
+ env:
+ CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
+ run: |
+ echo $CVE_EXCEPTIONS
+ curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+ for cve in $CVE_EXCEPTIONS; do
+ for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
+ echo "Attaching VEX exception $cve to $tag"
+ docker scout attestation add \
+ --file "./docker/vex/$cve.vex.json" \
+ --predicate-type https://openvex.dev/ns/v0.2.0 \
+ $tag
+ done
+ done
+ shell: bash