ci: fix container tag policy

- only move `latest` on tagged releases

.gitea/workflows/docker-build.yml

@@ -26,10 +26,14 @@ jobs:
       with:
         images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
         tags: |
+          # Keep a moving branch tag (e.g., main)
           type=ref,event=branch
+          # Version tag on releases (e.g., v1.2.3)
           type=ref,event=tag
-          type=raw,value=latest,enable={{is_default_branch}}
+          # Snapshot tag for commits on the default branch (e.g., snapshot-<hash>)
           type=raw,value=snapshot-{{sha}},enable={{is_default_branch}}
+          # Move "latest" only when building from a tag
+          type=raw,value=latest,enable={{is_tag}}
 
     - name: Log in to Container Registry
       uses: docker/login-action@v3

README.md

@@ -208,37 +208,58 @@ The project includes:
 
 ### 🐳 Docker Deployment (Recommended)
 
-Docker provides the easiest deployment method with all dependencies included.
+Docker provides the easiest deployment method with a pre-built container image including all dependencies.
 
 #### Quick Start
 
-1. **Clone and setup:**
+1. **Download the docker-compose file:**
    ```bash
-   git clone <repository-url>
-   cd components_elixir
-   cp docker-compose.yml.example docker-compose.yml
+   curl -O https://git.maxboeer.com/schuwi/component-system/raw/branch/main/docker-compose.yml.example
+   mv docker-compose.yml.example docker-compose.yml
    ```
 
-2. **Configure environment** (edit `docker-compose.yml`):
+2. **Generate a secure secret key:**
+   
+   **With Elixir/Phoenix installed:**
+   ```bash
+   mix phx.gen.secret
+   ```
+   
+   **Without Elixir/Phoenix (Linux/Unix):**
+   ```bash
+   dd if=/dev/random bs=1 count=64 status=none | base64 -w0 | cut -c1-64
+   ```
+   
+   > **Note**: The SECRET_KEY_BASE must be a cryptographically random string that's at least 64 characters long. Phoenix uses it to sign session cookies, CSRF tokens, and other security-sensitive data.
+
+3. **Configure environment** (edit `docker-compose.yml`):
    ```yaml
    environment:
-     SECRET_KEY_BASE: "your-64-character-secret-key"  # Generate with: mix phx.gen.secret
-     AUTH_PASSWORD: "your-secure-password"
+     SECRET_KEY_BASE: "your-generated-64-character-secret-key"
+     AUTH_PASSWORD: "your-secure-password" # Login password for the app
      PHX_HOST: "localhost"  # Change to your domain
    ```
 
-3. **Deploy:**
+4. **Deploy:**
    ```bash
-   docker compose up --build
+   docker compose up -d
    ```
 
-4. **Access:** [http://localhost:4000](http://localhost:4000)
+5. **Access:** [http://localhost:4000](http://localhost:4000)
+
+The container image is automatically built and published from the main branch at https://git.maxboeer.com/schuwi/component-system.
 
 #### Production Configuration
 
 For production environments:
 
-- **Generate secure keys**: Use `mix phx.gen.secret` for SECRET_KEY_BASE
+- **Use specific versions**: Pin to specific tags like `git.maxboeer.com/schuwi/components-elixir:v1.0.0` instead of `:latest`
+- **Available tags**: 
+  - `:latest` - Latest stable release from main branch
+  - `:main` - Latest build from main branch
+  - `:v*` - Specific version tags
+  - `:snapshot-<hash>` - Specific commit builds
+- **Generate secure keys**: Generate a 64+ character random string for SECRET_KEY_BASE (see Quick Start section for methods)
 - **Set strong passwords**: Use AUTH_PASSWORD environment variable
 - **Configure domain**: Set PHX_HOST to your actual domain
 - **Database security**: Use strong PostgreSQL credentials

docker-compose.yml.example

@@ -16,7 +16,7 @@ services:
       retries: 5
 
   app:
-    build: .
+    image: git.maxboeer.com/schuwi/components-elixir:latest
     ports:
       - "4000:4000"
     environment: