
--push-latest-tag by default #94

Closed
consideRatio opened this issue Jul 17, 2020 · 2 comments · Fixed by #96
Labels
enhancement New feature or request

Comments

@consideRatio
Member

Proposed change

To publish a latest image tag by default and make it configurable by a flag.

Who would use this feature?

It would allow, for example, a GitHub Actions setup that does a security scan of the latest image to do so without a lot of code to extract the latest tagged image using chartpress or similar. This is a discussion arising from jupyterhub/zero-to-jupyterhub-k8s#1712 (comment).

(Optional): Suggest a solution

We add a boolean flag which defaults to something that makes us also push latest image tags when we --push the images. I suggest --push-latest-tag=false as the override of this default or perhaps --no-push-latest-tag or something like that.

@manics
Member

manics commented Jul 21, 2020

A latest tag sounds fine if it's clear what it means: is it the latest tagged release, or the latest dev release? This probably should be indicated in the readme of the corresponding Docker Hub images.

@minrk
Member

minrk commented Sep 7, 2020

Yeah, most of our charts explicitly and deliberately do not have a latest tag, to push toward always-pinned images. So there aren't any of our repos (jupyterhub, binderhub) where we would use this, unless I misunderstand.

If we are talking about adding latest just for security scans, I don't think that's the right approach. Instead, I think making it as easy as possible, e.g. a command like chartpress --list-images that outputs the list of tagged images, which could be consumed, e.g. by:

# For each tagged image: report HIGH findings without failing, fail the job on CRITICAL.
for image in $(chartpress --list-images); do
    echo "$image"
    trivy --exit-code 0 --severity HIGH "$image"
    trivy --exit-code 1 --severity CRITICAL "$image"
done
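The policy minrk describes (always-pinned images, plus a list the scanner can consume) as a working check, added here as an example; it is not chartpress's code and not part of this thread. The `chartpress --list-images` command is only proposed above, so the script builds its own list from an already-loaded values.yaml. The `name`/`tag` layout of the values, the constructed sample tags, and the set of tag names treated as floating are assumptions.

```python
"""Enumerate the images a Helm chart pins in values.yaml and refuse floating
tags before handing the list to a scanner.

Added example, not chartpress's own code. Assumes values.yaml has already
been loaded into a dict (e.g. with yaml.safe_load) and that each image is a
mapping with `name` and `tag` keys, the layout zero-to-jupyterhub's
values.yaml uses.
"""
import re
import shlex

# Constructed sample shaped like a z2jh values.yaml; the tags are not a real release.
SAMPLE_VALUES = {
    "hub": {"image": {"name": "jupyterhub/k8s-hub", "tag": "0.9.0-n012.h1234abc"}},
    "singleuser": {
        "image": {"name": "jupyterhub/k8s-singleuser-sample", "tag": "0.9.0-n012.h1234abc"}
    },
    "proxy": {"chp": {"image": {"name": "jupyterhub/configurable-http-proxy", "tag": "4.2.1"}}},
    "prePuller": {
        "hook": {"image": {"name": "jupyterhub/k8s-image-awaiter", "tag": "sha256:" + "ab" * 32}},
        # Two policy violations: a floating tag and an empty one.
        "pause": {"image": {"name": "k8s.gcr.io/pause", "tag": "latest"}},
    },
    "scheduling": {"userScheduler": {"image": {"name": "k8s.gcr.io/kube-scheduler", "tag": ""}}},
}

# Assumed list of tag names that move under a rebuild; extend to taste.
FLOATING_TAGS = {"", "latest", "main", "master", "stable", "dev"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def iter_images(values, path=()):
    """Yield (dotted_path, name, tag) for every {name, tag} mapping in the tree."""
    if isinstance(values, dict):
        if isinstance(values.get("name"), str) and "tag" in values:
            yield ".".join(path), values["name"], str(values["tag"] or "")
            return
        for key, child in values.items():
            yield from iter_images(child, path + (str(key),))
    elif isinstance(values, list):
        for i, child in enumerate(values):
            yield from iter_images(child, path + (str(i),))


def reference(name, tag):
    """Render name:tag, or name@sha256:... when the tag is a digest."""
    return f"{name}@{tag}" if DIGEST_RE.match(tag) else f"{name}:{tag}"


def is_pinned(tag):
    """Digests are immutable; otherwise reject the usual floating tag names."""
    return bool(DIGEST_RE.match(tag)) or tag.lower() not in FLOATING_TAGS


def list_images(values):
    """All image references in values.yaml order: what a --list-images command would print."""
    return [reference(name, tag) for _, name, tag in iter_images(values)]


def unpinned_images(values):
    """(path, reference) for every image whose tag could silently change under a rebuild."""
    return [(path, reference(name, tag)) for path, name, tag in iter_images(values) if not is_pinned(tag)]


def scan_commands(values, warn="HIGH", fail="CRITICAL"):
    """Trivy invocations mirroring the loop above: report `warn`, fail the job on `fail`.

    Unpinned images are skipped on purpose: scanning a tag that can move proves
    nothing about what will actually be deployed, so they are reported separately.
    """
    cmds = []
    for _, name, tag in iter_images(values):
        if not is_pinned(tag):
            continue
        ref = reference(name, tag)
        cmds.append(shlex.join(["trivy", "--exit-code", "0", "--severity", warn, ref]))
        cmds.append(shlex.join(["trivy", "--exit-code", "1", "--severity", fail, ref]))
    return cmds


if __name__ == "__main__":
    for path, ref in unpinned_images(SAMPLE_VALUES):
        print(f"unpinned image at {path}: {ref}")
    for cmd in scan_commands(SAMPLE_VALUES):
        print(cmd)
```

In CI the natural wiring is to fail the job if `unpinned_images` is non-empty and otherwise run the emitted commands; that keeps the "no latest tag" policy enforced at the same point where the scan runs, instead of relying on a floating tag that may not match what the chart deploys.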

3 participants