Tag release images with additional `stable` tag

[sarayourfriend]

Problem

In our ECS task definitions, we have to set something for the image tag to use. Currently, this doesn't matter too much because the template task definition is rarely directly used. However, if it ever is used for production (e.g., if creating a new iteration of the ECS service that will deploy from the template first), we have to manually set the image tag for that service to the latest production release tag. This is very easy to get wrong, because if we forget to update this in the future, we would accidentally deploy a potentially very old and no longer valid version of the service (imagine, for example, how this could go wrong with database migrations).

Description

To make things easy, we should introduce a new image tag, stable (just a proposed name, if someone can think of a better one, please go for it... maybe released? :shrug:) that we can always point production to "by default". This would also help with simple redeploys because we wouldn't ever need to copy specific release tags if we just want to redeploy production to the current version. We would just run the deployment workflow with the tag set to stable.

The extent of implementation for this issue would, I think, only require updating this specific release-app workflow task to add the new stable tag, in addition to the release tag:

https://github.com/WordPress/openverse/blob/41f1e5f96a22086d50d09c3a0ae7b5315b2a45ae/.github/workflows/release-app.yml#L91-L97

The --tag parameter takes a string array, so we might be able to do something like this?

diff --git a/.github/workflows/release-app.yml b/.github/workflows/release-app.yml
index 6d3b3ab2e..fdcdd91ca 100644
--- a/.github/workflows/release-app.yml
+++ b/.github/workflows/release-app.yml
@@ -90,10 +90,16 @@ jobs:

       - name: Add new tag to existing docker image
         run: |
-          docker buildx imagetools create ghcr.io/wordpress/openverse-${{ inputs.app }}:${{ inputs.image-sha }} --tag ghcr.io/wordpress/openverse-${{ inputs.app }}:${{ steps.tag.outputs.image-tag }}
+          docker buildx imagetools \
+            create ghcr.io/wordpress/openverse-${{ inputs.app }}:${{ inputs.image-sha }} \
+            --tag ghcr.io/wordpress/openverse-${{ inputs.app }}:${{ steps.tag.outputs.image-tag }} \
+            --tag ghcr.io/wordpress/openverse-${{ inputs.app }}:stable

           if [[ "${{ inputs.app }}" == "api" ]] || [[ "${{ inputs.app }}" == "frontend" ]]; then
-            docker buildx imagetools create ghcr.io/wordpress/openverse-${{ inputs.app }}_nginx:${{ inputs.image-sha }} --tag ghcr.io/wordpress/openverse-${{ inputs.app }}_nginx:${{ steps.tag.outputs.image-tag }}
+            docker buildx imagetools \
+              create ghcr.io/wordpress/openverse-${{ inputs.app }}_nginx:${{ inputs.image-sha }} \
+              --tag ghcr.io/wordpress/openverse-${{ inputs.app }}_nginx:${{ steps.tag.outputs.image-tag }} \
+              --tag ghcr.io/wordpress/openverse-${{ inputs.app }}_nginx:stable
           fi

       - name: Deploy production application

I don't know for sure if that's what --tag being a string array implies. Maybe it needs to be a comma separated list instead.

[sarayourfriend]

cc @stacimc tagging you here for visibility because you're assigned to the #2264 issue which will also make changes to this workflow.