Merge pull request #647 from Wikid82/hotfix/ci

fix(ci): remove redundant image tag determination logic from multiple…
Merge branch 'main' into hotfix/ci
2026-02-04 09:28:35 -05:00 · 2026-02-04 09:24:51 -05:00 · 2026-02-04 14:24:11 +00:00 · 2026-02-04 09:17:09 -05:00 · 2026-02-04 09:16:53 -05:00 · 2026-02-04 14:16:02 +00:00
5 changed files with 35 additions and 375 deletions
--- a/.github/workflows/cerberus-integration.yml
+++ b/.github/workflows/cerberus-integration.yml
@@ -11,7 +11,7 @@ on:
  workflow_dispatch:
    inputs:
      image_tag:
-        description: 'Docker image tag to test (e.g., pr-123-abc1234)'
+        description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)'
        required: false
        type: string

@@ -35,68 +35,7 @@ jobs:
      # Determine the correct image tag based on trigger context
      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
      - name: Determine image tag
-        id: image
-        env:
-          EVENT: ${{ github.event_name == 'pull_request' && 'pull_request' || github.event.workflow_run.event }}
-          REF: ${{ github.event_name == 'pull_request' && github.head_ref || github.event.workflow_run.head_branch }}
-          SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}
-          MANUAL_TAG: ${{ inputs.image_tag }}
-        run: |
-          # Manual trigger uses provided tag
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            if [[ -n "$MANUAL_TAG" ]]; then
-              echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT
-            else
-              # Default to latest if no tag provided
-              echo "tag=latest" >> $GITHUB_OUTPUT
-            fi
-            echo "source_type=manual" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # Extract 7-character short SHA
-          SHORT_SHA=$(echo "$SHA" | cut -c1-7)
-
-          if [[ "$EVENT" == "pull_request" ]]; then
-            # Direct PR trigger uses github.event.pull_request.number
-            # workflow_run trigger uses pull_requests array
-            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              PR_NUM="${{ github.event.pull_request.number }}"
-            else
-              PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
-            fi
-
-            if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
-              echo "❌ ERROR: Could not determine PR number"
-              echo "Event: $EVENT"
-              echo "Ref: $REF"
-              echo "SHA: $SHA"
-              echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}"
-              exit 1
-            fi
-
-            # Immutable tag with SHA suffix prevents race conditions
-            echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=pr" >> $GITHUB_OUTPUT
-          else
-            # Branch push: sanitize branch name and append SHA
-            # Sanitization: lowercase, replace / with -, remove special chars
-            SANITIZED=$(echo "$REF" | \
-              tr '[:upper:]' '[:lower:]' | \
-              tr '/' '-' | \
-              sed 's/[^a-z0-9-._]/-/g' | \
-              sed 's/^-//; s/-$//' | \
-              sed 's/--*/-/g' | \
-              cut -c1-121)  # Leave room for -SHORT_SHA (7 chars)
-
-            echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=branch" >> $GITHUB_OUTPUT
-          fi
-
-      # Determine the correct image tag based on trigger context
-      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
-      - name: Determine image tag
-        id: image
+        id: determine-tag
        env:
          EVENT: ${{ github.event.workflow_run.event }}
          REF: ${{ github.event.workflow_run.head_branch }}
@@ -162,7 +101,7 @@ jobs:
          max_attempts: 3
          retry_wait_seconds: 10
          command: |
-            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
+            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
            echo "Pulling image: $IMAGE_NAME"
            docker pull "$IMAGE_NAME"
            docker tag "$IMAGE_NAME" charon:local
@@ -174,12 +113,12 @@ jobs:
        if: steps.pull_image.outcome == 'failure'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SHA: ${{ steps.image.outputs.sha }}
+          SHA: ${{ steps.determine-tag.outputs.sha }}
        run: |
          echo "⚠️ Registry pull failed, falling back to artifact..."

          # Determine artifact name based on source type
-          if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
+          if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
            PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
            ARTIFACT_NAME="pr-image-${PR_NUM}"
          else
@@ -203,7 +142,7 @@ jobs:
      # Validate image freshness by checking SHA label
      - name: Validate image SHA
        env:
-          SHA: ${{ steps.image.outputs.sha }}
+          SHA: ${{ steps.determine-tag.outputs.sha }}
        run: |
          LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
          echo "Expected SHA: $SHA"
--- a/.github/workflows/crowdsec-integration.yml
+++ b/.github/workflows/crowdsec-integration.yml
@@ -11,7 +11,7 @@ on:
  workflow_dispatch:
    inputs:
      image_tag:
-        description: 'Docker image tag to test (e.g., pr-123-abc1234)'
+        description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)'
        required: false
        type: string

@@ -35,105 +35,7 @@ jobs:
      # Determine the correct image tag based on trigger context
      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
      - name: Determine image tag
-        id: image
-        env:
-          EVENT: ${{ github.event_name == 'pull_request' && 'pull_request' || github.event.workflow_run.event }}
-          REF: ${{ github.event_name == 'pull_request' && github.head_ref || github.event.workflow_run.head_branch }}
-          SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}
-          MANUAL_TAG: ${{ inputs.image_tag }}
-        run: |
-          # Manual trigger uses provided tag
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            if [[ -n "$MANUAL_TAG" ]]; then
-              echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT
-            else
-              # Default to latest if no tag provided
-              echo "tag=latest" >> $GITHUB_OUTPUT
-            fi
-            echo "source_type=manual" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # Extract 7-character short SHA
-          SHORT_SHA=$(echo "$SHA" | cut -c1-7)
-
-          if [[ "$EVENT" == "pull_request" ]]; then
-            # Direct PR trigger uses github.event.pull_request.number
-            # workflow_run trigger uses pull_requests array
-            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              PR_NUM="${{ github.event.pull_request.number }}"
-            else
-              PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
-            fi
-
-            if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
-              echo "❌ ERROR: Could not determine PR number"
-              echo "Event: $EVENT"
-              echo "Ref: $REF"
-              echo "SHA: $SHA"
-              echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}"
-              exit 1
-            fi
-
-            # Immutable tag with SHA suffix prevents race conditions
-            echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=pr" >> $GITHUB_OUTPUT
-          else
-            # Branch push: sanitize branch name and append SHA
-            # Sanitization: lowercase, replace / with -, remove special chars
-            SANITIZED=$(echo "$REF" | \
-              tr '[:upper:]' '[:lower:]' | \
-              tr '/' '-' | \
-              sed 's/[^a-z0-9-._]/-/g' | \
-              sed 's/^-//; s/-$//' | \
-              sed 's/--*/-/g' | \
-              cut -c1-121)  # Leave room for -SHORT_SHA (7 chars)
-
-            echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=branch" >> $GITHUB_OUTPUT
-          fi
-
-          echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
-          echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)"
-
-      # Pull image from registry with retry logic (dual-source strategy)
-      # Try registry first (fast), fallback to artifact if registry fails
-      - name: Pull Docker image from registry
-        id: pull_image
-        uses: nick-fields/retry@v3
-        with:
-          timeout_minutes: 5
-          max_attempts: 3
-          retry_wait_seconds: 10
-          command: |
-            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
-            echo "Pulling image: $IMAGE_NAME"
-            docker pull "$IMAGE_NAME"
-            docker tag "$IMAGE_NAME" charon:local
-            echo "✅ Successfully pulled from registry"
-        continue-on-error: true
-
-      # Fallback: Download artifact if registry pull failed
-      - name: Fallback to artifact download
-        if: steps.pull_image.outcome == 'failure'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SHA: ${{ steps.image.outputs.sha }}
-        run: |
-          echo "⚠️ Registry pull failed, falling back to artifact..."
-
-          # Determine artifact name based on source type
-          if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
-            PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
-            ARTIFACT_NAME="pr-image-${PR_NUM}"
-          else
-            ARTIFACT_NAME="push-image"
-          fi
-
-      # Determine the correct image tag based on trigger context
-      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
-      - name: Determine image tag
-        id: image
+        id: determine-tag
        env:
          EVENT: ${{ github.event.workflow_run.event }}
          REF: ${{ github.event.workflow_run.head_branch }}
@@ -199,7 +101,7 @@ jobs:
          max_attempts: 3
          retry_wait_seconds: 10
          command: |
-            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
+            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
            echo "Pulling image: $IMAGE_NAME"
            docker pull "$IMAGE_NAME"
            docker tag "$IMAGE_NAME" charon:local
@@ -211,12 +113,12 @@ jobs:
        if: steps.pull_image.outcome == 'failure'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SHA: ${{ steps.image.outputs.sha }}
+          SHA: ${{ steps.determine-tag.outputs.sha }}
        run: |
          echo "⚠️ Registry pull failed, falling back to artifact..."

          # Determine artifact name based on source type
-          if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
+          if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
            PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
            ARTIFACT_NAME="pr-image-${PR_NUM}"
          else
@@ -240,7 +142,7 @@ jobs:
      # Validate image freshness by checking SHA label
      - name: Validate image SHA
        env:
-          SHA: ${{ steps.image.outputs.sha }}
+          SHA: ${{ steps.determine-tag.outputs.sha }}
        run: |
          LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
          echo "Expected SHA: $SHA"
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -40,10 +40,6 @@ on:

  workflow_dispatch:
    inputs:
-      image_tag:
-        description: 'Docker image tag to test (e.g., pr-123-abc1234)'
-        required: false
-        type: string
      browser:
        description: 'Browser to test'
        required: false
@@ -54,6 +50,10 @@ on:
          - firefox
          - webkit
          - all
+      image_tag:
+        description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)'
+        required: false
+        type: string

 env:
  NODE_VERSION: '20'
@@ -70,7 +70,7 @@ env:
 # Prevent race conditions when PR is updated mid-test
 # Cancels old test runs when new build completes with different SHA
 concurrency:
-  group: e2e-${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref }}-${{ github.event.workflow_run.head_sha || github.sha }}
+  group: e2e-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

 jobs:
@@ -107,7 +107,7 @@ jobs:
      # Determine the correct image tag based on trigger context
      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
      - name: Determine image tag
-        id: image
+        id: determine-tag
        env:
          EVENT: ${{ github.event.workflow_run.event }}
          REF: ${{ github.event.workflow_run.head_branch }}
@@ -163,71 +163,12 @@ jobs:
          echo "sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
          echo "Determined image tag: $(cat $GITHUB_OUTPUT | grep tag=)"

-      # Pull image from registry with retry logic (dual-source strategy)
-      # Try registry first (fast), fallback to artifact if registry fails
-      - name: Pull Docker image from registry
-        id: pull_image
-        uses: nick-fields/retry@v3
+      # Download Docker image artifact from build job
+      - name: Download Docker image
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
        with:
-          timeout_minutes: 5
-          max_attempts: 3
-          retry_wait_seconds: 10
-          command: |
-            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
-            echo "Pulling image: $IMAGE_NAME"
-            docker pull "$IMAGE_NAME"
-            docker tag "$IMAGE_NAME" charon:e2e-test
-            echo "✅ Successfully pulled from registry"
-        continue-on-error: true
-
-      # Fallback: Download artifact if registry pull failed
-      - name: Fallback to artifact download
-        if: steps.pull_image.outcome == 'failure'
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SHA: ${{ steps.image.outputs.sha }}
-        run: |
-          echo "⚠️ Registry pull failed, falling back to artifact..."
-
-          # Determine artifact name based on source type
-          if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
-            PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
-            ARTIFACT_NAME="pr-image-${PR_NUM}"
-          else
-            ARTIFACT_NAME="push-image"
-          fi
-
-          echo "Downloading artifact: $ARTIFACT_NAME"
-          gh run download ${{ github.event.workflow_run.id }} \
-            --name "$ARTIFACT_NAME" \
-            --dir /tmp/docker-image || {
-            echo "❌ ERROR: Artifact download failed!"
-            echo "Available artifacts:"
-            gh run view ${{ github.event.workflow_run.id }} --json artifacts --jq '.artifacts[].name'
-            exit 1
-          }
-
-          docker load < /tmp/docker-image/charon-image.tar
-          docker tag $(docker images --format "{{.Repository}}:{{.Tag}}" | head -1) charon:e2e-test
-          echo "✅ Successfully loaded from artifact"
-
-      # Validate image freshness by checking SHA label
-      - name: Validate image SHA
-        env:
-          SHA: ${{ steps.image.outputs.sha }}
-        run: |
-          LABEL_SHA=$(docker inspect charon:e2e-test --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7 || echo "unknown")
-          echo "Expected SHA: $SHA"
-          echo "Image SHA:    $LABEL_SHA"
-
-          if [[ "$LABEL_SHA" != "$SHA" && "$LABEL_SHA" != "unknown" ]]; then
-            echo "⚠️ WARNING: Image SHA mismatch!"
-            echo "Image may be stale. Proceeding with caution..."
-          elif [[ "$LABEL_SHA" == "unknown" ]]; then
-            echo "ℹ️ INFO: Could not determine image SHA from labels (artifact source)"
-          else
-            echo "✅ Image SHA matches expected commit"
-          fi
+          name: docker-image
+          path: .

      - name: Validate Emergency Token Configuration
        run: |
--- a/.github/workflows/rate-limit-integration.yml
+++ b/.github/workflows/rate-limit-integration.yml
@@ -11,7 +11,7 @@ on:
  workflow_dispatch:
    inputs:
      image_tag:
-        description: 'Docker image tag to test (e.g., pr-123-abc1234)'
+        description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)'
        required: false
        type: string

@@ -35,68 +35,7 @@ jobs:
      # Determine the correct image tag based on trigger context
      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
      - name: Determine image tag
-        id: image
-        env:
-          EVENT: ${{ github.event_name == 'pull_request' && 'pull_request' || github.event.workflow_run.event }}
-          REF: ${{ github.event_name == 'pull_request' && github.head_ref || github.event.workflow_run.head_branch }}
-          SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}
-          MANUAL_TAG: ${{ inputs.image_tag }}
-        run: |
-          # Manual trigger uses provided tag
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            if [[ -n "$MANUAL_TAG" ]]; then
-              echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT
-            else
-              # Default to latest if no tag provided
-              echo "tag=latest" >> $GITHUB_OUTPUT
-            fi
-            echo "source_type=manual" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # Extract 7-character short SHA
-          SHORT_SHA=$(echo "$SHA" | cut -c1-7)
-
-          if [[ "$EVENT" == "pull_request" ]]; then
-            # Direct PR trigger uses github.event.pull_request.number
-            # workflow_run trigger uses pull_requests array
-            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              PR_NUM="${{ github.event.pull_request.number }}"
-            else
-              PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
-            fi
-
-            if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
-              echo "❌ ERROR: Could not determine PR number"
-              echo "Event: $EVENT"
-              echo "Ref: $REF"
-              echo "SHA: $SHA"
-              echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}"
-              exit 1
-            fi
-
-            # Immutable tag with SHA suffix prevents race conditions
-            echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=pr" >> $GITHUB_OUTPUT
-          else
-            # Branch push: sanitize branch name and append SHA
-            # Sanitization: lowercase, replace / with -, remove special chars
-            SANITIZED=$(echo "$REF" | \
-              tr '[:upper:]' '[:lower:]' | \
-              tr '/' '-' | \
-              sed 's/[^a-z0-9-._]/-/g' | \
-              sed 's/^-//; s/-$//' | \
-              sed 's/--*/-/g' | \
-              cut -c1-121)  # Leave room for -SHORT_SHA (7 chars)
-
-            echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=branch" >> $GITHUB_OUTPUT
-          fi
-
-      # Determine the correct image tag based on trigger context
-      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
-      - name: Determine image tag
-        id: image
+        id: determine-tag
        env:
          EVENT: ${{ github.event.workflow_run.event }}
          REF: ${{ github.event.workflow_run.head_branch }}
@@ -162,7 +101,7 @@ jobs:
          max_attempts: 3
          retry_wait_seconds: 10
          command: |
-            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
+            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
            echo "Pulling image: $IMAGE_NAME"
            docker pull "$IMAGE_NAME"
            docker tag "$IMAGE_NAME" charon:local
@@ -174,12 +113,12 @@ jobs:
        if: steps.pull_image.outcome == 'failure'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SHA: ${{ steps.image.outputs.sha }}
+          SHA: ${{ steps.determine-tag.outputs.sha }}
        run: |
          echo "⚠️ Registry pull failed, falling back to artifact..."

          # Determine artifact name based on source type
-          if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
+          if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
            PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
            ARTIFACT_NAME="pr-image-${PR_NUM}"
          else
@@ -203,7 +142,7 @@ jobs:
      # Validate image freshness by checking SHA label
      - name: Validate image SHA
        env:
-          SHA: ${{ steps.image.outputs.sha }}
+          SHA: ${{ steps.determine-tag.outputs.sha }}
        run: |
          LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
          echo "Expected SHA: $SHA"
--- a/.github/workflows/waf-integration.yml
+++ b/.github/workflows/waf-integration.yml
@@ -11,7 +11,7 @@ on:
  workflow_dispatch:
    inputs:
      image_tag:
-        description: 'Docker image tag to test (e.g., pr-123-abc1234)'
+        description: 'Docker image tag to test (e.g., pr-123-abc1234, latest)'
        required: false
        type: string

@@ -35,68 +35,7 @@ jobs:
      # Determine the correct image tag based on trigger context
      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
      - name: Determine image tag
-        id: image
-        env:
-          EVENT: ${{ github.event_name == 'pull_request' && 'pull_request' || github.event.workflow_run.event }}
-          REF: ${{ github.event_name == 'pull_request' && github.head_ref || github.event.workflow_run.head_branch }}
-          SHA: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.event.workflow_run.head_sha }}
-          MANUAL_TAG: ${{ inputs.image_tag }}
-        run: |
-          # Manual trigger uses provided tag
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
-            if [[ -n "$MANUAL_TAG" ]]; then
-              echo "tag=${MANUAL_TAG}" >> $GITHUB_OUTPUT
-            else
-              # Default to latest if no tag provided
-              echo "tag=latest" >> $GITHUB_OUTPUT
-            fi
-            echo "source_type=manual" >> $GITHUB_OUTPUT
-            exit 0
-          fi
-
-          # Extract 7-character short SHA
-          SHORT_SHA=$(echo "$SHA" | cut -c1-7)
-
-          if [[ "$EVENT" == "pull_request" ]]; then
-            # Direct PR trigger uses github.event.pull_request.number
-            # workflow_run trigger uses pull_requests array
-            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-              PR_NUM="${{ github.event.pull_request.number }}"
-            else
-              PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
-            fi
-
-            if [[ -z "$PR_NUM" || "$PR_NUM" == "null" ]]; then
-              echo "❌ ERROR: Could not determine PR number"
-              echo "Event: $EVENT"
-              echo "Ref: $REF"
-              echo "SHA: $SHA"
-              echo "Pull Requests JSON: ${{ toJson(github.event.workflow_run.pull_requests) }}"
-              exit 1
-            fi
-
-            # Immutable tag with SHA suffix prevents race conditions
-            echo "tag=pr-${PR_NUM}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=pr" >> $GITHUB_OUTPUT
-          else
-            # Branch push: sanitize branch name and append SHA
-            # Sanitization: lowercase, replace / with -, remove special chars
-            SANITIZED=$(echo "$REF" | \
-              tr '[:upper:]' '[:lower:]' | \
-              tr '/' '-' | \
-              sed 's/[^a-z0-9-._]/-/g' | \
-              sed 's/^-//; s/-$//' | \
-              sed 's/--*/-/g' | \
-              cut -c1-121)  # Leave room for -SHORT_SHA (7 chars)
-
-            echo "tag=${SANITIZED}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-            echo "source_type=branch" >> $GITHUB_OUTPUT
-          fi
-
-      # Determine the correct image tag based on trigger context
-      # For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
-      - name: Determine image tag
-        id: image
+        id: determine-tag
        env:
          EVENT: ${{ github.event.workflow_run.event }}
          REF: ${{ github.event.workflow_run.head_branch }}
@@ -162,7 +101,7 @@ jobs:
          max_attempts: 3
          retry_wait_seconds: 10
          command: |
-            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
+            IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
            echo "Pulling image: $IMAGE_NAME"
            docker pull "$IMAGE_NAME"
            docker tag "$IMAGE_NAME" charon:local
@@ -174,12 +113,12 @@ jobs:
        if: steps.pull_image.outcome == 'failure'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SHA: ${{ steps.image.outputs.sha }}
+          SHA: ${{ steps.determine-tag.outputs.sha }}
        run: |
          echo "⚠️ Registry pull failed, falling back to artifact..."

          # Determine artifact name based on source type
-          if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
+          if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
            PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
            ARTIFACT_NAME="pr-image-${PR_NUM}"
          else
@@ -203,7 +142,7 @@ jobs:
      # Validate image freshness by checking SHA label
      - name: Validate image SHA
        env:
-          SHA: ${{ steps.image.outputs.sha }}
+          SHA: ${{ steps.determine-tag.outputs.sha }}
        run: |
          LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
          echo "Expected SHA: $SHA"
Author	SHA1	Message	Date
Jeremy	138fd2a669	Merge pull request #647 from Wikid82/hotfix/ci fix(ci): remove redundant image tag determination logic from multiple…	2026-02-04 09:28:35 -05:00
Jeremy	cc3a679094	Merge branch 'main' into hotfix/ci	2026-02-04 09:24:51 -05:00
GitHub Actions	73f6d3d691	fix(ci): remove redundant image tag determination logic from multiple workflows	2026-02-04 14:24:11 +00:00
Jeremy	8b3e28125c	Merge pull request #646 from Wikid82/hotfix/ci fix(ci): standardize image tag step ID across integration workflows	2026-02-04 09:17:09 -05:00
Jeremy	dacc61582b	Merge branch 'main' into hotfix/ci	2026-02-04 09:16:53 -05:00
GitHub Actions	80c033b812	fix(ci): standardize image tag step ID across integration workflows	2026-02-04 14:16:02 +00:00
Jeremy	e48884b8a6	Merge pull request #644 from Wikid82/hotfix/ci fix invalid CI files	2026-02-04 09:11:12 -05:00
Jeremy	0519b4baed	Merge branch 'main' into hotfix/ci	2026-02-04 09:10:32 -05:00
GitHub Actions	8edde88f95	fix(ci): add image_tag input for manual triggers in integration workflows	2026-02-04 14:08:36 +00:00
GitHub Actions	e1c7ed3a13	fix(ci): add manual trigger inputs for Cerberus integration workflow	2026-02-04 13:53:01 +00:00