Docker image tagging strategies for CI and production

What Makes a Good Image Tag Strategy

Tags answer the question: "which version of this image is running in production?" A good strategy provides immutability, traceability, and ease of rollback.

Using docker/metadata-action

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=sha                        # sha-abc1234
            type=semver,pattern={{version}} # v1.4.2
            type=semver,pattern={{major}}.{{minor}} # v1.4
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          tags: ${{ steps.meta.outputs.tags }}

Tag Strategy Rules

Git SHA tags: immutable, always point to the same image. Use in deployment manifests. Semantic version tags: applied on release, human-readable. latest: only push from main/master, never from feature branches. Production deployments should never use latest — use the SHA or version tag so rollbacks are deterministic.