Add :latest fallback to registry image pull in upgrade.sh

When --use-registry is set, the upgrade script tries to pull images
tagged with the current HEAD SHA. If images were built at an earlier
commit, that SHA tag won't exist. Now tries :latest before falling
back to a full source build. Also applies to nginx and code-server.

Bunker Admin

scripts/upgrade.sh

@@ -831,17 +831,50 @@ if [[ "$USE_REGISTRY" == "true" ]]; then
   info "Registry mode: ${REGISTRY} (tag: ${REGISTRY_TAG})"
   write_progress 4 "Container Rebuild" 55 "Pulling images from registry..."
 
-  # Pull core app containers; fall back to source build if registry unavailable
+  # Pull core app containers: try SHA tag → :latest fallback → source build
+  PULLED_TAG=""
   if docker compose pull api admin media-api 2>/dev/null; then
-    success "Core images pulled from registry"
+    success "Core images pulled from registry (tag: ${REGISTRY_TAG})"
+    PULLED_TAG="$REGISTRY_TAG"
+  elif [[ "$REGISTRY_TAG" != "latest" ]]; then
+    warn "Tag :${REGISTRY_TAG} not in registry — trying :latest"
+    export IMAGE_TAG="latest"
+    if docker compose pull api admin media-api 2>/dev/null; then
+      success "Core images pulled from registry (tag: latest)"
+      PULLED_TAG="latest"
+      # Retag :latest as :SHA so compose up uses consistent tags
+      for svc in api admin media-api; do
+        local_img="${REGISTRY}/changemaker-${svc}"
+        docker tag "${local_img}:latest" "${local_img}:${REGISTRY_TAG}" 2>/dev/null || true
+      done
+      export IMAGE_TAG="$REGISTRY_TAG"
+    else
+      warn "Registry pull failed for :latest too — falling back to source build"
+      export IMAGE_TAG="$REGISTRY_TAG"
+      docker compose build $SOURCE_CONTAINERS
+      success "Source containers rebuilt (registry fallback)"
+    fi
   else
     warn "Registry pull failed — falling back to source build"
     docker compose build $SOURCE_CONTAINERS
     success "Source containers rebuilt (registry fallback)"
   fi
 
-  # nginx: pull if available, else rebuild only if config changed
-  if ! docker compose pull nginx 2>/dev/null; then
+  # nginx: try SHA → :latest → rebuild if config changed
+  NGINX_PULLED=false
+  if docker compose pull nginx 2>/dev/null; then
+    success "nginx pulled from registry (tag: ${IMAGE_TAG})"
+    NGINX_PULLED=true
+  elif [[ "$REGISTRY_TAG" != "latest" ]]; then
+    export IMAGE_TAG="latest"
+    if docker compose pull nginx 2>/dev/null; then
+      docker tag "${REGISTRY}/changemaker-nginx:latest" "${REGISTRY}/changemaker-nginx:${REGISTRY_TAG}" 2>/dev/null || true
+      success "nginx pulled from registry (tag: latest)"
+      NGINX_PULLED=true
+    fi
+    export IMAGE_TAG="$REGISTRY_TAG"
+  fi
+  if [[ "$NGINX_PULLED" == "false" ]]; then
     if echo "$CHANGED_FILES" | grep -q "^nginx/"; then
       info "Rebuilding nginx (config changed, not in registry)..."
       docker compose build nginx
@@ -851,7 +884,7 @@ if [[ "$USE_REGISTRY" == "true" ]]; then
     fi
   fi
 
-  # code-server: pull from registry if Dockerfile changed; never build during upgrade
+  # code-server: pull from registry if available; never build during upgrade
   # (code-server is 9GB+ and takes 30+ min to build — run build-and-push.sh separately)
   CS_IMAGE="${REGISTRY}/changemaker-code-server"
   if docker image inspect "${CS_IMAGE}:${REGISTRY_TAG}" &>/dev/null 2>&1; then
@@ -859,11 +892,11 @@ if [[ "$USE_REGISTRY" == "true" ]]; then
   elif docker compose pull code-server 2>/dev/null; then
     success "code-server pulled from registry"
   else
-    # Retag any existing local code-server image so compose up doesn't try to build it
-    for fallback_tag in local latest; do
+    # Try :latest, then retag any existing local image so compose up doesn't build
+    for fallback_tag in latest local; do
       if docker image inspect "${CS_IMAGE}:${fallback_tag}" &>/dev/null 2>&1; then
         docker tag "${CS_IMAGE}:${fallback_tag}" "${CS_IMAGE}:${REGISTRY_TAG}" 2>/dev/null || true
-        info "Tagged code-server:${fallback_tag} → :${REGISTRY_TAG} (registry push pending)"
+        info "Tagged code-server:${fallback_tag} → :${REGISTRY_TAG}"
         break
       fi
     done