From b8c831911e0c96ffaa9c95885618ca27cec5039f Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Fri, 7 Feb 2025 11:46:58 +0100 Subject: [PATCH 01/10] add reusable docker-publish workflow --- .github/workflows/docker-publish.yml | 76 ++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 .github/workflows/docker-publish.yml diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml new file mode 100644 index 0000000..053e063 --- /dev/null +++ b/.github/workflows/docker-publish.yml 
@@ -0,0 +1,76 @@
+# This workflow builds a Docker image and uploads it to Docker hub.
+#
+# For pull requests, nothing is uploaded, but a test build is created.
+#
+# Based on most recent docker guide [1], with some adaptations based on
+# existing FDP and FDP-client workflows.
+#
+# [1]: https://docs.docker.com/guides/gha/
+
+name: Docker publish
+
+# calling workflow triggers (see [1])
+#
+# on:
+# push:
+# branches:
+# -
+# pull_request:
+on: workflow_call
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - # https://github.com/actions/checkout
+ name: Clone git repo
+ uses: actions/checkout@v4
+
+ - # https://github.com/docker/metadata-action
+ name: Extract git metadata for Docker image
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ # e.g. fairdata/fairdatapoint
+ images: |
+ ${{ vars.DOCKER_HUB_USERNAME }}/${{ vars.DOCKER_IMAGE_NAME }}
+ # `latest` tag is generated by default
+ tags: |
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+
+ - # https://github.com/docker/login-action
+ name: Log in to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ vars.DOCKER_HUB_USERNAME }}
+ password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+ - # https://github.com/docker/setup-qemu-action
+ # for multi-platform builds
+ name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - # https://github.com/docker/setup-buildx-action
+ # recommended by build-push-action
+ # for multi-platform builds, provenance, sbom, and more
+ name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - # https://github.com/docker/build-push-action
+ name: Build and push Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ # https://docs.docker.com/build/concepts/dockerfile/#filename + file: ./Dockerfile + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + # https://docs.docker.com/build/metadata/annotations/ + annotations: ${{ steps.meta.outputs.annotations }} + provenance: true + sbom: true From f1bc7d4f3963b030a485ece887f0d79fb94169e0 Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:49:38 +0100 Subject: [PATCH 02/10] improve docstring for docker-publish workflow --- .github/workflows/docker-publish.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 053e063..4e87659 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -5,6 +5,18 @@ # Based on most recent docker guide [1], with some adaptations based on # existing FDP and FDP-client workflows. # +# The following variables and secrets are used (conforming to existing names): +# - `vars.DOCKER_IMAGE_NAME` +# - `vars.DOCKER_HUB_USERNAME` +# - `secrets.DOCKER_HUB_PASSWORD` +# +# Secrets must be inherited from the caller, for example, in the caller workflow: +# +# jobs: +# publish: +# uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 +# secrets: inherit +# # [1]: https://docs.docker.com/guides/gha/ name: Docker publish From 3ed1c71cb6164b2f5392f5c727e230e6ba72acaf Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Fri, 7 Feb 2025 14:53:14 +0100 Subject: [PATCH 03/10] move trigger notes into docstring --- .github/workflows/docker-publish.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 4e87659..578934a 100644 --- a/.github/workflows/docker-publish.yml 
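Review bot: The `Log in to Docker Hub` step has no condition, so it also runs on `pull_request` events, where `push:` is false and nothing is uploaded; on a pull request from a fork the `DOCKER_HUB_PASSWORD` secret is empty and `docker/login-action` fails before the test build even starts (the `pull_request` trigger of the test workflow in patch 04 is affected the same way). Give the step the same guard as the push, `if: ${{ github.event_name != 'pull_request' }}` (or `if: ${{ inputs.push }}` once the input from patch 09 exists), so the credential is only used when an upload is intended. `on: workflow_call` also declares no `secrets:` block, so callers can only hand over the password via `secrets: inherit`, which forwards every secret of the calling repository; declaring `secrets:` / `DOCKER_HUB_PASSWORD:` / `required: true` under `workflow_call` lets callers pass just that one and rejects a missing secret at validation time, and patch 09, which adds `inputs:` under `workflow_call:`, still leaves it out. Finally, the four third-party actions are pinned by major tag only (`@v4`, `@v5`, `@v3`, `@v6`); pinning to a full commit SHA with the tag in a trailing comment keeps the build reproducible when a tag is moved.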
+++ b/.github/workflows/docker-publish.yml @@ -10,7 +10,14 @@ # - `vars.DOCKER_HUB_USERNAME` # - `secrets.DOCKER_HUB_PASSWORD` # -# Secrets must be inherited from the caller, for example, in the caller workflow: +# The workflow should be triggered on `push` and `pull_request` (see [1]), +# and secrets must be inherited from the caller. For example: +# +# on: +# push: +# branches: +# - +# pull_request: # # jobs: # publish: @@ -21,13 +28,6 @@ name: Docker publish -# calling workflow triggers (see [1]) -# -# on: -# push: -# branches: -# - -# pull_request: on: workflow_call jobs: From 43111a2639dd82d256428ffaca76d16231c9c04b Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Fri, 7 Feb 2025 17:51:18 +0100 Subject: [PATCH 04/10] add workflow that tests docker-publish.yml --- .github/workflows/test-docker-publish.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/workflows/test-docker-publish.yml diff --git a/.github/workflows/test-docker-publish.yml b/.github/workflows/test-docker-publish.yml new file mode 100644 index 0000000..0a8dafa --- /dev/null +++ b/.github/workflows/test-docker-publish.yml @@ -0,0 +1,14 @@ +# This workflow tests the reusable docker-publish workflow + +name: test docker-publish + +on: + push: + branches: + - main + pull_request: + +jobs: + publish: + uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@main + secrets: inherit From cbd9bc3ccda44b4a002d3bc4654d315f0659d144 Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Fri, 7 Feb 2025 17:53:41 +0100 Subject: [PATCH 05/10] enable manual trigger for test workflow --- .github/workflows/test-docker-publish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test-docker-publish.yml b/.github/workflows/test-docker-publish.yml index 0a8dafa..332ae1a 100644 --- a/.github/workflows/test-docker-publish.yml 
+++ b/.github/workflows/test-docker-publish.yml @@ -7,6 +7,7 @@ on: branches: - main pull_request: + workflow_dispatch: jobs: publish: From 13b31ba68b3191ef3322558344b445c49e712e12 Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Fri, 7 Feb 2025 17:57:23 +0100 Subject: [PATCH 06/10] use simple path for test workflow --- .github/workflows/test-docker-publish.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test-docker-publish.yml b/.github/workflows/test-docker-publish.yml index 332ae1a..096b33f 100644 --- a/.github/workflows/test-docker-publish.yml +++ b/.github/workflows/test-docker-publish.yml @@ -11,5 +11,6 @@ on: jobs: publish: - uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@main + # FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@main + uses: ./.github/workflows/docker-publish.yml secrets: inherit From 06c243a52263e070d0575c1fa80fceecd88ed294 Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Fri, 7 Feb 2025 21:47:49 +0100 Subject: [PATCH 07/10] add minimal Dockerfile and binary copied from Docker's hello-world example https://github.com/docker-library/hello-world --- Dockerfile | 5 +++++ hello | Bin 0 -> 10072 bytes 2 files changed, 5 insertions(+) create mode 100644 Dockerfile create mode 100755 hello diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..cd8182d --- /dev/null +++ b/Dockerfile @@ -0,0 +1,5 @@ +# this minimal dockerfile and the hello binary were copied from docker's hello-world example +# https://github.com/docker-library/hello-world +FROM scratch +COPY hello / +CMD ["/hello"] 
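Review bot: With `workflow_dispatch:` added, a manual run satisfies `github.event_name != 'pull_request'`, which is the condition the reusable workflow uses for `push:` (and which this file itself passes as the `push` input from patch 09 on), so dispatching the workflow from any branch presumably uploads an image tagged with that branch name via `type=ref,event=branch`. If manual runs are only meant to exercise the build, pass or test `github.event_name == 'push'` instead; if publishing on demand is intended, a comment on the `workflow_dispatch:` line saying so would save the next reader the trace through the reusable workflow.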
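Review bot: The header comment records only the upstream repository for the copied `hello` binary, not the commit or the architecture it was built for; as far as I recall the hello-world project ships one binary per architecture, so with the `platforms: linux/amd64,linux/arm64` build configured in patch 01, `COPY hello /` presumably places the same single-architecture binary into both images and one of them cannot run its `CMD`. If the image exists only to exercise the publish pipeline that may be acceptable, but say so in the comment, and extend it with the provenance needed to verify the 10072-byte blob, e.g. `# hello: docker-library/hello-world@<upstream commit>, <arch> build` (placeholders to be filled in).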
diff --git a/hello b/hello new file mode 100755 index 0000000000000000000000000000000000000000..3ffc66f4348005911fdfa00af929c727f7d4d842 GIT binary patch literal 10072 zcmeHNZ)_CD72mU2yc`A}3Z|#FzycT56tFRY)+CtRg>#sz76q`aT5(ZW->rRD?vHb~ zi|vXkwiZ{Nu1-Q#rG9IpDpjc>^;0St6Tz7SpH06IlvZx21WH45%U( zr%7P~5BsE0*aqUp&*9)*x0WN>)^!^=5d7Cs?3`2UNg;=LGMZDDnAhso4&x|qOR&GY z9_@F0f@0%5p?Ao{?H9?!Ts3h`lK1A-m1PbD^IC7+S~%=G_}RKOUktbY5wM)Lsgvlf zKg2Gf*VS5LwEhGJ#lPM@YZfD>X-@K47`qMu_A&g80hr9Uhv-~$?v%vf_sGc2{Xh!I z9`lK_Z$k#r?S4+8z-Gv(%@H$4MyIv=q3og@q5K=*mKa_#dIeUiKYVsz2{DL3sPs3H z=s8d6@5DIndy_flH!<7eJ`ueGB{hII*C9UW+YkM2oFBccts=%Rd|s9UPgXD;sS93$ zOfJFI2arF5f_eyD@v|yoo;#jX7w>A)W=pqO&c&NmfHB_n;ocS3!U8deVa#D?&^M^9 z#^DJzJns7`NNp+6-}TKvk5gYC$19WO9C{MYKvh7X_oQslC(OQG2>Lvb6*pD`4~Z6F z?1fNZaj}jc%?-KkkF#O6mBL-hnW|xq3w#!wSuCnc3B6Ru!6^BJP&h0>?p`9No&BSgRKB=pbi`$>3`(7cq5 zpA(9CSR%bD(N74y9WdXgh2q^WO*7B|Hq1VI>>TXK1$;kk;X6#I>T4jzkU)&rJ^PFmI1BqI`5?0c z-XOq)fIinWu(FL#w9#BZpAbT>sUR2#rR5UTiDzGy2pH27G(fq};3U^{K>xhyC{IA) zk&GokG*HloMWCPWf~C-hguYn(9VqBIeaalYJa|y6ndDEe1@;SjT5!+CKEV95tz)nw zbv)g(6}WjH<_XnLvKbu<1x8F5JYjR)kb1Y5&^;oM0{bInQ-ZZe?FWd#XVA!4tunFY z5Q^;anied`2Up0tJQ=;EZX|SuY-(#D^lC`IAcSb!95FgQ#Lxt?>BkL4{5%mO!Idt9 z!)@RqL>Ku0Bhj$%YBy|F;86acWW3^So^HM@8G9QfI<*hpt%$KzpI@x;5}hus)aR=- z_!dpV65s{_FXIi2bKEc|?fgrq zZtp$1V;AU4)r6i4nNy^CuUPseysT;)FmDm?7D;N!H!L0p;IBHRXSgLjR&>U@62n z0RsVJ81)qO+1B4M@s8&zi(Egu8m<2^N9c}g*d3Y27w+hq!1#JF2ti4}H@(>$TLPnT zeC4eQ+KjIVRMKg9E7_adl_z0y>|m z&vfVEC4pRp^vVYX{BWqXZxQpN)z|LB*M&^nsGcRi)jzCJ`M1oA+CxChpRIyV$k?w~ ztbBwRi=KrptRlBP|K$HYoT#)40~H1;3{)7XFi>Hj!odFn18$ol1zoRQQOJ zUgz$J#xi0;$zm9Q(})I4y4jY zV#z)+oJyyauo@p~bh|rJVxN*!(z2?6lSh6x+tC1;Is!9_*qeex1`wZ7mHy20Zn3#h z?0^X?EioLADM=NaCsjGDDiH><=OVI_NF^KH;imRjuB;&I!4eH53w1u~6C){C(O zu8^%AGq9Zztp_|oYmgI>?`+@b7N7enui>-;i;9S{m{bO=v|_MO#~tuxxgUte!cj4; zC6PsiIaUUhu%^mAapVLH`_rk27FL*nn9|gKjgc+NX+;ccKxPui6d_&&=z-j}e^ovi z6$}z=o#4{;0vl7dGK<2^qLoqx>5Qo?Bd}w;t19V4EGfsWom108VkVVPVB=t05-CVW zPV~fJ>$S{g1c+fdiAxhfboOXT6*Ra%jEI4l8iif-i4j&;%x+6e6*bGSN6tju?)E4y 
zk}(A?Wlc>buvD;=dZ8RpmyB4U(I2qgn^qRKDinkOQB{RL4*+x>DX zZ6TFGInf^ne$iJfqR8O(Xe<*`%g}(#l*9WJbqiE_8nzf*aZM5BXj2jj$^Iy;w597u z2RYZE$Mucc8sP*Sh*1Ac`1|0dY2v|%3oQ2>UXCX#tNB;>t&SsYJ>FA1t({z$hm&?= zCJMU^1;jPRk};KQRFy$^_QHT`gj$kSnQK&{ul1&(AS|2L}Vy?aSN00Hk>EMgRZ+ literal 0 HcmV?d00001 From a13ae0cb4efbb26e5300fd9ac5fa2928dcec777b Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Fri, 7 Feb 2025 22:14:25 +0100 Subject: [PATCH 08/10] note about release creation --- .github/workflows/docker-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 578934a..4bc31d6 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -24,6 +24,8 @@ # uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 # secrets: inherit # +# TODO: Alternatively, we could push on release creation only. +# # [1]: https://docs.docker.com/guides/gha/ name: Docker publish @@ -80,6 +82,7 @@ jobs: # https://docs.docker.com/build/concepts/dockerfile/#filename file: ./Dockerfile platforms: linux/amd64,linux/arm64 + # alternative: push: ${{ github.event_name == 'release' && github.event.action == 'created' }} push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} # https://docs.docker.com/build/metadata/annotations/ From 16bd93b7aa53334bc5e790311e0fbb5afadb74db Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Tue, 11 Feb 2025 12:01:40 +0100 Subject: [PATCH 09/10] add push input for workflow call enabling caller to decide whether docker image is pushed to docker hub --- .github/workflows/docker-publish.yml | 47 ++++++++++++++++------- .github/workflows/test-docker-publish.yml | 2 + 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 4bc31d6..616752b 100644 
--- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -10,27 +10,48 @@ # - `vars.DOCKER_HUB_USERNAME` # - `secrets.DOCKER_HUB_PASSWORD` # -# The workflow should be triggered on `push` and `pull_request` (see [1]), -# and secrets must be inherited from the caller. For example: +# Secrets must be inherited from the caller. +# The workflow could be triggered on `push` and `pull_request` (see [1]). For example: # -# on: -# push: -# branches: -# - -# pull_request: +# on: +# push: +# branches: +# - develop +# pull_request: # -# jobs: -# publish: -# uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 -# secrets: inherit +# jobs: +# publish: +# uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 +# secrets: inherit +# with: +# push: ${{ github.event_name != 'pull_request' }} # -# TODO: Alternatively, we could push on release creation only. +# Alternatively, we could push on release creation only, for example: +# +# on: +# release: +# types: [created] +# +# jobs: +# publish: +# uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 +# secrets: inherit +# with: +# push: ${{ github.event_name == 'release' && github.event.action == 'created' }} # # [1]: https://docs.docker.com/guides/gha/ name: Docker publish -on: workflow_call +on: + workflow_call: + # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callinputs + inputs: + # the caller can specify whether to push the image to docker hub + push: + description: 'Determines if the resulting Docker image is pushed to Docker Hub' + required: true + type: boolean jobs: build: diff --git a/.github/workflows/test-docker-publish.yml b/.github/workflows/test-docker-publish.yml index 096b33f..6d2c036 100644 --- a/.github/workflows/test-docker-publish.yml +++ b/.github/workflows/test-docker-publish.yml 
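Review bot: The `push` input declared here is never read: this is the only hunk touching docker-publish.yml in the patch, and the build-push step (outside this hunk) still has `push: ${{ github.event_name != 'pull_request' }}` from patch 01, so a caller passing `push: false` on a `push` or `release` event still uploads the image. That step needs `push: ${{ inputs.push }}` for the new input, and for the caller examples in this comment, to have any effect. In the release example, `types: [created]` can fire when a draft release is saved and does not fire when a previously saved draft is published, so it both publishes too early and misses the usual release flow; `published` is the type that covers publication, with `github.event.action == 'published'` in the `push` expression, and the same example appears in the comment added by patch 08 and in the README of patch 10.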
@@ -14,3 +14,5 @@ jobs: # FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@main uses: ./.github/workflows/docker-publish.yml secrets: inherit + with: + push: ${{ github.event_name != 'pull_request' }} From 2ad2bba825ff2edb3269a0e4ad19180bd613b822 Mon Sep 17 00:00:00 2001 From: dennisvang <29799340+dennisvang@users.noreply.github.com> Date: Tue, 11 Feb 2025 12:17:26 +0100 Subject: [PATCH 10/10] move docker-publish examples to readme --- .github/workflows/docker-publish.yml | 38 ++------------------- README.md | 49 +++++++++++++++++++++++++++- 2 files changed, 51 insertions(+), 36 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 616752b..900b7d7 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
@@ -1,43 +1,11 @@ # This workflow builds a Docker image and uploads it to Docker hub. # -# For pull requests, nothing is uploaded, but a test build is created. -# -# Based on most recent docker guide [1], with some adaptations based on -# existing FDP and FDP-client workflows. -# -# The following variables and secrets are used (conforming to existing names): -# - `vars.DOCKER_IMAGE_NAME` -# - `vars.DOCKER_HUB_USERNAME` -# - `secrets.DOCKER_HUB_PASSWORD` +# If the push input id false, the image is built but not uploaded. # # Secrets must be inherited from the caller. -# The workflow could be triggered on `push` and `pull_request` (see [1]). For example: -# -# on: -# push: -# branches: -# - develop -# pull_request: # -# jobs: -# publish: -# uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 -# secrets: inherit -# with: -# push: ${{ github.event_name != 'pull_request' }} -# -# Alternatively, we could push on release creation only, for example: -# -# on: -# release: -# types: [created] -# -# jobs: -# publish: -# uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 -# secrets: inherit -# with: -# push: ${{ github.event_name == 'release' && github.event.action == 'created' }} +# Based on most recent docker guide [1], with some adaptations based on +# existing FDP and FDP-client workflows. # # [1]: https://docs.docker.com/guides/gha/ diff --git a/README.md b/README.md index 91550d8..643602d 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,9 @@ The following [FAIRDataTeam] repositories depend on the reusable workflows from - [spring-rdf-migration] - [spring-security-acl-mongodb] -## Example +## Examples + +### maven-publish An example of a publication workflow that is triggered when a release is created, and re-uses two workflows: 
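Review bot: Typo in the new header comment: `# If the push input id false, the image is built but not uploaded.` should read `is false`. As far as this series shows, the statement also only becomes true once the build-push step reads `inputs.push` (see the docker-publish.yml hunk of patch 09), so it is worth re-checking against that step when it is wired up.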
@@ -45,6 +47,51 @@ jobs: mvn_options: tidy:check com.github.spotbugs:spotbugs-maven-plugin:check ``` +### docker-publish +For pull requests, nothing is uploaded, but a test build is created. + +The following variables and secrets must be defined in the calling repo (conforming to existing names from the FDP repos): + +- `vars.DOCKER_IMAGE_NAME` +- `vars.DOCKER_HUB_USERNAME` +- `secrets.DOCKER_HUB_PASSWORD` + +Secrets must be inherited from the caller. + +The workflow could be triggered on `push` and `pull_request` (see [1]). For example: + +```yaml +name: publish to docker hub on push +on: + push: + branches: + - develop + pull_request: + +jobs: + publish: + uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 + secrets: inherit + with: + push: ${{ github.event_name != 'pull_request' }} +``` + +Alternatively, we could push on release creation only, for example: + +```yaml +name: publish to docker hub on release +on: + release: + types: [created] + +jobs: + publish: + uses: FAIRDataTeam/github-workflows/.github/workflows/docker-publish.yml@v1 + secrets: inherit + with: + push: ${{ github.event_name == 'release' && github.event.action == 'created' }} +``` + ## Releases Releases follow [semantic versioning].