ci: restrict CI trigger to semantic version tags

mingcheng · mingcheng · commit 0df981165c93 · 2025-10-18T02:14:33.000+08:00
- remove non-semantic version tag pattern from GitHub Actions workflow
- ensure builds only trigger on valid semantic versioning tags like v1.2.3

Signed-off-by: mingcheng &lt;mingcheng@apache.org&gt;
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
@@ -4,9 +4,8 @@ on:
   push:
     branches:
       - main
-      - develop
     tags:
-      - "v*.*.*"  # Semantic versioning tags (v1.0.0, v1.2.3, etc.)
+      - "v*.*.*" # Match version tags like v1.2.3
   pull_request:
     branches:
       - main
@@ -46,6 +45,11 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - uses: benjlevesque/short-sha@v3.0
+        id: short-sha
+        with:
+          length: 7
+
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@v5
@@ -64,6 +68,7 @@ jobs:
             type=sha,format=short
             # Tag latest only on main branch
             type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value={{steps.short-sha.outputs.sha}},enable={{is_default_branch}}
           labels: |
             org.opencontainers.image.title=aigitcommit
             org.opencontainers.image.description=AI-powered Git commit message generator
@@ -76,7 +81,9 @@ jobs:
           context: .
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.short-sha.outputs.sha }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
@@ -85,33 +92,26 @@ jobs:
             VCS_REF=${{ github.sha }}
             VERSION=${{ steps.meta.outputs.version }}
 
-      - name: Generate artifact attestation
-        if: github.event_name != 'pull_request'
-        uses: actions/attest-build-provenance@v2
-        with:
-          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+      # - name: Generate artifact attestation
+      #   if: github.event_name != 'pull_request'
+      #   uses: actions/attest-build-provenance@v3
+      #   with:
+      #     subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      #     subject-digest: ${{ steps.push.outputs.digest }}
+      #     push-to-registry: false
 
-      - name: Generate SBOM
-        if: github.event_name != 'pull_request'
-        uses: anchore/sbom-action@v0
-        with:
-          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
-          format: spdx-json
-          output-file: sbom.spdx.json
-
-      - name: Upload SBOM as artifact
-        if: github.event_name != 'pull_request'
-        uses: actions/upload-artifact@v4
-        with:
-          name: sbom-${{ github.sha }}
-          path: sbom.spdx.json
-          retention-days: 90
+      # - name: Generate SBOM
+      #   if: github.event_name != 'pull_request'
+      #   uses: anchore/sbom-action@v0.20.8
+      #   with:
+      #     image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
+      #     format: spdx-json
+      #     output-file: sbom.spdx.json
 
-      - name: Image digest
-        if: github.event_name != 'pull_request'
-        run: |
-          echo "Image pushed successfully!"
-          echo "Digest: ${{ steps.push.outputs.digest }}"
-          echo "Tags: ${{ steps.meta.outputs.tags }}"
+      # - name: Upload SBOM as artifact
+      #   if: github.event_name != 'pull_request'
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: ${{ steps.short-sha.outputs.sha }}-sbom
+      #     path: sbom.spdx.json
+      #     retention-days: 90
