ddev · rfay · May 6, 2026 · May 6, 2026
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
diff --git a/.github/workflows/push-image.yml b/.github/workflows/push-image.yml
@@ -0,0 +1,55 @@
+name: Push Image
+
+# Builds linux/amd64 on GitHub-hosted runners (native amd64) so arm64 dev
+# machines don't need cross-compilation. Triggered manually only.
+#
+# Required repository secrets:
+#   PUSH_SERVICE_ACCOUNT_TOKEN - 1Password service account token
+# Required repository variables:
+#   DOCKERHUB_USERNAME - Docker Hub username
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Read version
+        id: version
+        run: echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"
+
+      - name: Load 1password secret(s)
+        uses: 1password/load-secrets-action@v4
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: "${{ secrets.PUSH_SERVICE_ACCOUNT_TOKEN }}"
+          DOCKERHUB_TOKEN: "op://push-secrets/DOCKERHUB_TOKEN/credential"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v7
+        with:
+          context: image
+          platforms: linux/amd64
+          push: true
+          tags: |
+            ddev/coder-ddev:${{ steps.version.outputs.version }}
+            ddev/coder-ddev:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/docs/admin/operations-guide.md b/docs/admin/operations-guide.md
@@ -83,6 +83,29 @@ make info
 
 See `image/README.md` for details on customizing the Docker image.
 
+### Using GitHub Actions (push-image workflow)
+
+The repository has a manually triggered workflow (`.github/workflows/push-image.yml`) that builds and pushes the image to Docker Hub from GitHub's infrastructure. This is the preferred approach for official releases.
+
+**Prerequisites — configure once in GitHub repository settings:**
+
+- **Secret** `PUSH_SERVICE_ACCOUNT_TOKEN` — 1Password service account token (from the `push-secrets` vault)
+- **Variable** `DOCKERHUB_USERNAME` — Docker Hub username (e.g. `ddev`)
+
+The workflow reads `DOCKERHUB_TOKEN` from 1Password at `op://push-secrets/DOCKERHUB_TOKEN/credential` using the service account token.
+
+**To trigger a push:**
+
+1. Update `VERSION` and commit/merge to the branch you want to build from.
+2. Go to **Actions → Push Image → Run workflow** in the GitHub UI, select the branch, and click **Run workflow**.
+3. The workflow builds `linux/amd64`, tags the image as both `ddev/coder-ddev:<version>` and `ddev/coder-ddev:latest`, and pushes to Docker Hub.
+
+Alternatively, trigger via the CLI:
+
+```bash
+gh workflow run push-image.yml --ref <branch>
+```
+
 ## Deploying the Template
 
 ### Using the Makefile