fix(ci): read release tag from event payload

[stablegenius49]

What

• read the release tag from github.event.release.tag_name instead of shell-expanding GITHUB_REF
• update all three release-only extraction steps in the Docker workflow so release image tags are populated consistently

Why

The v1.12.1 release Docker workflow failed with an empty RELEASE_VERSION, which produced invalid manifest/image tags and left the versioned Docker image unpublished. The failed run was docker-build.yaml run 20614523992.

Testing

• inspected the failed v1.12.1 release logs (gh run view 20614523992 --log-failed) to confirm RELEASE_VERSION was empty on the release path
• git diff --check
• verified the workflow now uses github.event.release.tag_name in all three release extraction steps and no longer references ${GITHUB_REF#refs/tags/}

Closes #1007

---

Summary by cubic

Fix Docker release workflow to read the tag from github.event.release.tag_name, so RELEASE_VERSION is set and images publish correctly. Addresses Linear #1007 where v1.12.1 produced empty tags.

• Bug Fixes
  • Replace ${GITHUB_REF#refs/tags/} with github.event.release.tag_name in all three release-only extraction steps to keep image tags consistent.

^{Written for commit 8b79806. Summary will update on new commits.}

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/docker-build.yaml">

<violation number="1" location=".github/workflows/docker-build.yaml:39">
P2: Directly embedding `github.event.release.tag_name` in an inline shell command allows shell-syntax injection during workflow execution.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: Directly embedding github.event.release.tag_name in an inline shell command allows shell-syntax injection during workflow execution.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/docker-build.yaml, line 39:

<comment>Directly embedding `github.event.release.tag_name` in an inline shell command allows shell-syntax injection during workflow execution.</comment>

<file context>
@@ -36,7 +36,7 @@ jobs:
         if: github.event_name == 'release'
         id: version
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
+        run: echo "RELEASE_VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
 
       - name: Build and push AMD64 Docker image (master)
</file context>

Suggested change

	run: echo "RELEASE_VERSION=${{ github.event.release.tag_name }}" >> $GITHUB_ENV
	env:
	RELEASE_TAG: ${{ github.event.release.tag_name }}
	run: printf 'RELEASE_VERSION=%s\n' "$RELEASE_TAG" >> "$GITHUB_ENV"