fix(ci): sanitize branch names in Docker image tags

Fix "invalid reference format" error in GitHub Actions workflows when
branch names contain forward slashes (e.g., feature/beta-release).

Add sanitization step to playwright.yml converting / to -
Update supply-chain-verify.yml with dynamic branch sanitization
Add sanitization step to supply-chain-pr.yml for artifact names
Branch feature/beta-release → tag feature-beta-release
Fixes Playwright E2E and supply chain security scan workflow failures

.github/workflows/playwright.yml

@@ -84,6 +84,16 @@ jobs:
             echo "is_push=false" >> "$GITHUB_OUTPUT"
           fi
 
+      - name: Sanitize branch name
+        id: sanitize
+        run: |
+          # Sanitize branch name for use in Docker tags and artifact names
+          # Replace / with - to avoid invalid reference format errors
+          BRANCH="${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}"
+          SANITIZED=$(echo "$BRANCH" | tr '/' '-')
+          echo "branch=${SANITIZED}" >> "$GITHUB_OUTPUT"
+          echo "📋 Sanitized branch name: ${BRANCH} -> ${SANITIZED}"
+
       - name: Check for PR image artifact
         id: check-artifact
         if: steps.pr-info.outputs.pr_number != '' || steps.pr-info.outputs.is_push == 'true'
@@ -170,7 +180,8 @@ jobs:
           # Normalize image name (GitHub lowercases repository owner names in GHCR)
           IMAGE_NAME=$(echo "${{ github.repository_owner }}/charon" | tr '[:upper:]' '[:lower:]')
           if [[ "${{ steps.pr-info.outputs.is_push }}" == "true" ]]; then
-            IMAGE_REF="ghcr.io/${IMAGE_NAME}:${{ github.event.workflow_run.head_branch }}"
+            # Use sanitized branch name for Docker tag (/ is invalid in tags)
+            IMAGE_REF="ghcr.io/${IMAGE_NAME}:${{ steps.sanitize.outputs.branch }}"
           else
             IMAGE_REF="ghcr.io/${IMAGE_NAME}:pr-${{ steps.pr-info.outputs.pr_number }}"
           fi
@@ -237,7 +248,7 @@ jobs:
         # actions/upload-artifact v4.4.3
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
-          name: ${{ steps.pr-info.outputs.is_push == 'true' && format('playwright-report-{0}', github.event.workflow_run.head_branch) || format('playwright-report-pr-{0}', steps.pr-info.outputs.pr_number) }}
+          name: ${{ steps.pr-info.outputs.is_push == 'true' && format('playwright-report-{0}', steps.sanitize.outputs.branch) || format('playwright-report-pr-{0}', steps.pr-info.outputs.pr_number) }}
           path: playwright-report/
           retention-days: 14
 

.github/workflows/supply-chain-pr.yml

@@ -105,6 +105,16 @@ jobs:
             echo "is_push=false" >> "$GITHUB_OUTPUT"
           fi
 
+      - name: Sanitize branch name
+        id: sanitize
+        run: |
+          # Sanitize branch name for use in artifact names
+          # Replace / with - to avoid invalid reference format errors
+          BRANCH="${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}"
+          SANITIZED=$(echo "$BRANCH" | tr '/' '-')
+          echo "branch=${SANITIZED}" >> "$GITHUB_OUTPUT"
+          echo "📋 Sanitized branch name: ${BRANCH} -> ${SANITIZED}"
+
       - name: Check for PR image artifact
         id: check-artifact
         if: steps.pr-number.outputs.pr_number != '' || steps.pr-number.outputs.is_push == 'true'
@@ -297,7 +307,7 @@ jobs:
         # actions/upload-artifact v4.6.0
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
         with:
-          name: ${{ steps.pr-number.outputs.is_push == 'true' && format('supply-chain-{0}', github.event.workflow_run.head_branch) || format('supply-chain-pr-{0}', steps.pr-number.outputs.pr_number) }}
+          name: ${{ steps.pr-number.outputs.is_push == 'true' && format('supply-chain-{0}', steps.sanitize.outputs.branch) || format('supply-chain-pr-{0}', steps.pr-number.outputs.pr_number) }}
           path: |
             sbom.cyclonedx.json
             grype-results.json

.github/workflows/supply-chain-verify.yml

@@ -71,15 +71,14 @@ jobs:
           if [[ "${{ github.event_name }}" == "release" ]]; then
             TAG="${{ github.event.release.tag_name }}"
           elif [[ "${{ github.event_name }}" == "workflow_run" ]]; then
+            BRANCH="${{ github.event.workflow_run.head_branch }}"
             # Extract tag from the workflow that triggered us
-            if [[ "${{ github.event.workflow_run.head_branch }}" == "main" ]]; then
+            if [[ "${BRANCH}" == "main" ]]; then
               TAG="latest"
-            elif [[ "${{ github.event.workflow_run.head_branch }}" == "development" ]]; then
+            elif [[ "${BRANCH}" == "development" ]]; then
               TAG="dev"
-            elif [[ "${{ github.event.workflow_run.head_branch }}" == "nightly" ]]; then
+            elif [[ "${BRANCH}" == "nightly" ]]; then
               TAG="nightly"
-            elif [[ "${{ github.event.workflow_run.head_branch }}" == "feature/beta-release" ]]; then
-              TAG="beta"
             elif [[ "${{ github.event.workflow_run.event }}" == "pull_request" ]]; then
               # Extract PR number from workflow_run context with null handling
               PR_NUMBER=$(jq -r '.pull_requests[0].number // empty' <<< '${{ toJson(github.event.workflow_run.pull_requests) }}')
@@ -90,7 +89,9 @@ jobs:
                 TAG="sha-$(echo ${{ github.event.workflow_run.head_sha }} | cut -c1-7)"
               fi
             else
-              TAG="sha-$(echo ${{ github.event.workflow_run.head_sha }} | cut -c1-7)"
+              # For feature branches and other pushes, sanitize branch name for Docker tag
+              # Replace / with - to avoid invalid reference format errors
+              TAG=$(echo "${BRANCH}" | tr '/' '-')
             fi
           else
             TAG="latest"