From 3261f5d7a10e0f1833fc56e68e802253d263c5e3 Mon Sep 17 00:00:00 2001
From: GitHub Actions <actions@github.com>
Date: Mon, 2 Feb 2026 13:42:49 +0000
Subject: [PATCH] fix(ci): normalize branch name for Docker tag in security PR
 workflow

---
 .github/workflows/security-pr.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security-pr.yml b/.github/workflows/security-pr.yml
index 97b8a75f..e2056cf6 100644
--- a/.github/workflows/security-pr.yml
+++ b/.github/workflows/security-pr.yml
@@ -176,7 +176,10 @@ jobs:
               echo "❌ ERROR: Branch name is empty for push build"
               exit 1
             fi
-            IMAGE_REF="ghcr.io/${IMAGE_NAME}:${BRANCH_NAME}"
+            # Normalize branch name for Docker tag (replace / and other special chars with -)
+            # This matches docker/metadata-action behavior: type=ref,event=branch
+            TAG_SAFE_BRANCH="${BRANCH_NAME//\//-}"
+            IMAGE_REF="ghcr.io/${IMAGE_NAME}:${TAG_SAFE_BRANCH}"
           elif [[ -n "${{ steps.pr-info.outputs.pr_number }}" ]]; then
             IMAGE_REF="ghcr.io/${IMAGE_NAME}:pr-${{ steps.pr-info.outputs.pr_number }}"
           else