Skip to content

fix(ci): standardize image tag step ID across integration workflows #646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Wikid82 merged 2 commits into from
Feb 4, 2026
Merged

fix(ci): standardize image tag step ID across integration workflows #646

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
80c033b
fix(ci): standardize image tag step ID across integration workflows
actions-user Feb 4, 2026
dacc615
Merge branch 'main' into hotfix/ci
Wikid82 Feb 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/cerberus-integration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ jobs:
# Determine the correct image tag based on trigger context
# For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
- name: Determine image tag
id: image
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
Expand Down Expand Up @@ -162,7 +162,7 @@ jobs:
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
Comment on lines +165 to 166
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The step id determine-tag contains a hyphen but is referenced using dot notation (steps.determine-tag...). In GitHub Actions expressions, - is parsed as an operator, so this will not resolve the step outputs and can break the workflow. Rename the step id to use underscores (e.g., determine_tag) and update references, or use bracket notation when accessing the step outputs.

Copilot uses AI. Check for mistakes.
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
Expand All @@ -174,12 +174,12 @@ jobs:
if: steps.pull_image.outcome == 'failure'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
echo "⚠️ Registry pull failed, falling back to artifact..."

# Determine artifact name based on source type
if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
ARTIFACT_NAME="pr-image-${PR_NUM}"
else
Expand All @@ -203,7 +203,7 @@ jobs:
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/crowdsec-integration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ jobs:
# Determine the correct image tag based on trigger context
# For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
- name: Determine image tag
id: image
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
Expand Down Expand Up @@ -199,7 +199,7 @@ jobs:
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
Comment on lines +202 to 203
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The step id determine-tag contains a hyphen but is referenced using dot notation (steps.determine-tag...). In GitHub Actions expressions, - is parsed as an operator, so this will not resolve the step outputs and can break the workflow. Rename the step id to use underscores (e.g., determine_tag) and update references, or use bracket notation when accessing the step outputs.

Copilot uses AI. Check for mistakes.
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
Comment on lines 201 to 205
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow defines two separate steps with the same id pull_image (one earlier in the job and another later). Step ids must be unique; duplicates can make the workflow invalid or cause steps.pull_image.* to resolve unpredictably. Rename/remove the duplicate step id so each step has a unique identifier.

Copilot uses AI. Check for mistakes.
Expand All @@ -211,12 +211,12 @@ jobs:
if: steps.pull_image.outcome == 'failure'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
echo "⚠️ Registry pull failed, falling back to artifact..."

# Determine artifact name based on source type
if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
ARTIFACT_NAME="pr-image-${PR_NUM}"
else
Expand All @@ -240,7 +240,7 @@ jobs:
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/e2e-tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ jobs:
# Determine the correct image tag based on trigger context
# For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
- name: Determine image tag
id: image
id: determine-tag
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

id: determine-tag is hard to reference safely with the usual dot notation in expressions because of the hyphen. The repo already uses underscore step ids that are compatible with dot notation (e.g., .github/workflows/auto-versioning.yml uses id: determine_tag). Consider renaming this to determine_tag for consistency and to avoid expression parsing issues if outputs are referenced later.

Copilot uses AI. Check for mistakes.
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/rate-limit-integration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ jobs:
# Determine the correct image tag based on trigger context
# For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
- name: Determine image tag
id: image
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
Expand Down Expand Up @@ -162,7 +162,7 @@ jobs:
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
Comment on lines +165 to 166
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The step id determine-tag contains a hyphen but is referenced using dot notation (steps.determine-tag...). In GitHub Actions expressions, - is parsed as an operator, so this will not resolve the step outputs and can break the workflow. Rename the step id to use underscores (e.g., determine_tag) and update references, or use bracket notation when accessing the step outputs.

Copilot uses AI. Check for mistakes.
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
Expand All @@ -174,12 +174,12 @@ jobs:
if: steps.pull_image.outcome == 'failure'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
echo "⚠️ Registry pull failed, falling back to artifact..."

# Determine artifact name based on source type
if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
ARTIFACT_NAME="pr-image-${PR_NUM}"
else
Expand All @@ -203,7 +203,7 @@ jobs:
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/waf-integration.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ jobs:
# Determine the correct image tag based on trigger context
# For PRs: pr-{number}-{sha}, For branches: {sanitized-branch}-{sha}
- name: Determine image tag
id: image
id: determine-tag
env:
EVENT: ${{ github.event.workflow_run.event }}
REF: ${{ github.event.workflow_run.head_branch }}
Expand Down Expand Up @@ -162,7 +162,7 @@ jobs:
max_attempts: 3
retry_wait_seconds: 10
command: |
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.image.outputs.tag }}"
IMAGE_NAME="ghcr.io/${{ github.repository_owner }}/charon:${{ steps.determine-tag.outputs.tag }}"
echo "Pulling image: $IMAGE_NAME"
Comment on lines +165 to 166
Copy link

Copilot AI Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The step id determine-tag contains a hyphen but is referenced using dot notation (steps.determine-tag...). In GitHub Actions expressions, - is parsed as an operator, so this will not resolve the step outputs and can break the workflow. Rename the step id to use underscores (e.g., determine_tag) and update references, or use bracket notation when accessing the step outputs.

Copilot uses AI. Check for mistakes.
docker pull "$IMAGE_NAME"
docker tag "$IMAGE_NAME" charon:local
Expand All @@ -174,12 +174,12 @@ jobs:
if: steps.pull_image.outcome == 'failure'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
echo "⚠️ Registry pull failed, falling back to artifact..."

# Determine artifact name based on source type
if [[ "${{ steps.image.outputs.source_type }}" == "pr" ]]; then
if [[ "${{ steps.determine-tag.outputs.source_type }}" == "pr" ]]; then
PR_NUM=$(echo '${{ toJson(github.event.workflow_run.pull_requests) }}' | jq -r '.[0].number')
ARTIFACT_NAME="pr-image-${PR_NUM}"
else
Expand All @@ -203,7 +203,7 @@ jobs:
# Validate image freshness by checking SHA label
- name: Validate image SHA
env:
SHA: ${{ steps.image.outputs.sha }}
SHA: ${{ steps.determine-tag.outputs.sha }}
run: |
LABEL_SHA=$(docker inspect charon:local --format '{{index .Config.Labels "org.opencontainers.image.revision"}}' | cut -c1-7)
echo "Expected SHA: $SHA"
Expand Down
Loading