Add a first cut of the publish script

.github/workflows/server-publish.yml

@@ -0,0 +1,35 @@
+name: "Publish (server)"
+
+on:
+    # Run manually, providing it the commit.
+    #
+    # To obtain the commit from the currently deployed museum, do:
+    # curl -s https://api.ente.io/ping | jq -r '.id'
+    workflow_dispatch:
+        inputs:
+            commit:
+                description: "Commit to publish the image from"
+                type: string
+                required: true
+
+jobs:
+    build:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code @ ${{ inputs.commit }}
+              uses: actions/checkout@v4
+              with:
+                  ref: ${{ inputs.commit }}
+
+            - name: Build and push
+              uses: mr-smithers-excellent/docker-build-push@v6
+              with:
+                  dockerfile: server/Dockerfile
+                  directory: server
+                  image: ghcr.io/ente-io/server
+                  registry: ghcr.io
+                  enableBuildKit: true
+                  buildArgs: GIT_COMMIT=${GITHUB_SHA}
+                  tags: ${GITHUB_SHA}, latest
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/server-release.yml

@@ -7,11 +7,11 @@ jobs:
     build:
         runs-on: ubuntu-latest
         steps:
-            - uses: actions/checkout@v4
-              name: Check out code
+            - name: Checkout code
+              uses: actions/checkout@v4
 
-            - uses: mr-smithers-excellent/docker-build-push@v6
-              name: Build & Push
+            - name: Build and push
+              uses: mr-smithers-excellent/docker-build-push@v6
               with:
                   dockerfile: server/Dockerfile
                   directory: server

server/docs/publish.md

@@ -0,0 +1,37 @@
+# Publishing images
+
+There are two different images we publish - internal and external.
+
+## Internal
+
+The internal images can be built and run by triggering the "Server (release)"
+workflow. You can trigger it either from GitHub's UI on the Actions tab, or use
+the following command:
+
+    gh workflow run server-release.yml
+
+This will take the latest main, package it into a Docker image, and publish it
+to our Scaleway registry. From there, we can update our production instances to
+use this new image (see [deploy/README](../scripts/deploy/README.md)).
+
+## External
+
+Periodically, we can republish a new image from an existing known-to-be-good
+commit to the GitHub Container Registry (GHCR) so that it can be used by folks
+without needing to clone our repository just for building an image. For more
+details about the use case, see [docker.md](docker.md).
+
+To publish such an external image, firstly find the commit of the currently
+running production instance.
+
+    curl -s https://api.ente.io/ping | jq -r '.id'
+
+> We can publish from any arbitrary commit really, but by using the commit
+> that's already seen production for a few days, we avoid externally publishing
+> images with issues.
+
+Then, trigger the "Publish (server)" workflow, providing it the commit. You can
+trigger it either from GitHub's UI or using the `gh cli`. With the CLI, we can
+combine both these steps too:
+
+Once the workflow completes, the resultant image will be available at