Skip to content

fix: use git tag for dev release container image tags#749

Merged
Aureliolo merged 1 commit intomainfrom
fix/dev-release-image-tags
Mar 22, 2026
Merged

fix: use git tag for dev release container image tags#749
Aureliolo merged 1 commit intomainfrom
fix/dev-release-image-tags

Conversation

@Aureliolo
Copy link
Copy Markdown
Owner

@Aureliolo Aureliolo commented Mar 22, 2026

Summary

  • Fix: Dev release notes showed the stable version (e.g., :0.4.7) in container pull commands instead of the dev version (e.g., :0.4.8-dev.4)
  • Root cause: The VERSION env var in docker.yml's "Append container images to release" step used app_version from pyproject.toml, which always contains the stable version
  • Fix: Derive the image tag from the git tag (github.ref_name) with v prefix stripped. For stable releases the result is identical; for dev releases it now correctly shows the dev version

Note: The actual Docker images were always tagged correctly -- only the release notes pull commands were wrong.

Test plan

  • Verify stable release v0.4.7 still produces :0.4.7 in pull commands (tag v0.4.7 -> ${TAG#v} = 0.4.7)
  • Verify dev release v0.4.8-dev.4 now produces :0.4.8-dev.4 in pull commands (tag v0.4.8-dev.4 -> ${TAG#v} = 0.4.8-dev.4)
  • Next dev release on main confirms correct image tags in release notes

Review coverage

Quick mode (CI-only change, no agents needed).

🤖 Generated with Claude Code

@Aureliolo @claude
fix: use git tag for dev release container image tags in release notes
13afb6f 
The release notes template used app_version from pyproject.toml (the
stable version) for container pull commands. Dev releases like
v0.4.8-dev.4 incorrectly showed :0.4.7 tags instead of :0.4.8-dev.4.

Derive the image tag from the git tag (stripping the v prefix) so both
stable and dev releases show the correct version in pull commands.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
@gemini-code-assist
Copy link
Copy Markdown
Contributor

gemini-code-assist bot commented Mar 22, 2026

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 22, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@coderabbitai
Copy link
Copy Markdown

coderabbitai bot commented Mar 22, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a6411a7c-68d0-46ac-8991-589786586f51

📥 Commits

Reviewing files that changed from the base of the PR and between 8f871a4 and 13afb6f.

📒 Files selected for processing (1)
  • .github/workflows/docker.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Build Web
  • GitHub Check: Build Sandbox
  • GitHub Check: Build Backend
  • GitHub Check: Analyze (python)
🧰 Additional context used
🧠 Learnings (7)
📓 Common learnings 
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/*.yml : Dependabot: daily updates for uv + github-actions + npm + pre-commit + docker + gomod, grouped minor/patch, no auto-merge. Use `/review-dep-pr` to review Dependabot PRs before merging.

Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/finalize-release.yml : Finalize Release workflow: publishes draft releases created by Release Please. Triggers on workflow_run completion of Docker and CLI workflows. Verifies both workflows succeeded for the associated tag before publishing. Extracts CLI checksums, cosign verification, and container verification data from HTML comments, assembles into combined Verification section. Guards against PR-triggered runs. Handles TOCTOU races. Immutable releases enabled—once published, release assets and body cannot be modified.

Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T12:00:18.113Z
Learning: Applies to .github/workflows/docker.yml : CI Docker: build → scan → push to GHCR + cosign sign + SLSA L3 provenance via attest-build-provenance (images only pushed after Trivy/Grype scans pass).
📚 Learning: 2026-03-15T21:32:02.880Z 
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/*.yml : Dependabot: daily updates for uv + github-actions + npm + pre-commit + docker + gomod, grouped minor/patch, no auto-merge. Use `/review-dep-pr` to review Dependabot PRs before merging.

Applied to files:

  • .github/workflows/docker.yml
📚 Learning: 2026-03-15T21:32:02.880Z 
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/finalize-release.yml : Finalize Release workflow: publishes draft releases created by Release Please. Triggers on workflow_run completion of Docker and CLI workflows. Verifies both workflows succeeded for the associated tag before publishing. Extracts CLI checksums, cosign verification, and container verification data from HTML comments, assembles into combined Verification section. Guards against PR-triggered runs. Handles TOCTOU races. Immutable releases enabled—once published, release assets and body cannot be modified.

Applied to files:

  • .github/workflows/docker.yml
📚 Learning: 2026-03-15T18:17:43.675Z 
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T18:17:43.675Z
Learning: Dependabot: auto-updates Docker image digests and versions daily.

Applied to files:

  • .github/workflows/docker.yml
📚 Learning: 2026-03-15T12:00:18.113Z 
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T12:00:18.113Z
Learning: Applies to .github/workflows/docker.yml : CI Docker: build → scan → push to GHCR + cosign sign + SLSA L3 provenance via attest-build-provenance (images only pushed after Trivy/Grype scans pass).

Applied to files:

  • .github/workflows/docker.yml
📚 Learning: 2026-03-15T21:32:02.880Z 
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-15T21:32:02.880Z
Learning: Applies to .github/workflows/docker.yml : Docker workflow: builds backend + web + sandbox images, pushes to GHCR, signs with cosign. SLSA L3 provenance attestations via actions/attest-build-provenance. Scans: Trivy (CRITICAL = hard fail, HIGH = warn) + Grype (critical cutoff) + CIS Docker Benchmark v1.6.0 compliance (informational). CVE triage via .github/.trivyignore.yaml and .github/.grype.yaml. Images only pushed after scans pass. Triggers on push to main and version tags (v*).

Applied to files:

  • .github/workflows/docker.yml
📚 Learning: 2026-03-19T11:19:40.044Z 
Learnt from: CR
Repo: Aureliolo/synthorg PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-03-19T11:19:40.044Z
Learning: CLI workflow (`.github/workflows/cli.yml`) runs Go lint (golangci-lint + go vet) + test (race, coverage) + build (cross-compile matrix) + vulnerability check (govulncheck) + fuzz testing. Cross-compiles for linux/darwin/windows × amd64/arm64. GoReleaser release on v* tags with cosign keyless signing and SLSA L3 attestations.

Applied to files:

  • .github/workflows/docker.yml
🔇 Additional comments (2)
.github/workflows/docker.yml (2)

645-646: Tag-based required-input validation is correct.

Good update to validate TAG (instead of VERSION) alongside digests before mutating release notes.

711-712: ${TAG#v} substitution correctly fixes release-note image tags.

Using the git tag (without leading v) is the right source for both stable and dev pull commands.

Walkthrough

This pull request modifies the Docker workflow to streamline the release process. The update-release job step removes the dependency on a VERSION environment variable sourced from a separate job output. Instead, the workflow now directly uses the TAG value from the git reference name (github.ref_name) for container image tagging. The required-input validation was updated accordingly, and the placeholder substitution logic changed to strip the leading v character from version tags (e.g., converting v1.2.3 to 1.2.3 for the image tag).

Suggested labels

autorelease: tagged

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: switching from using VERSION env var to using git tag for container image tags in dev releases.
Description check ✅ Passed The description clearly explains the problem (dev releases showing stable version in pull commands), root cause (VERSION env var using app_version), and the fix (deriving image tag from git tag).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

@Aureliolo Aureliolo merged commit f30d071 into main Mar 22, 2026
29 checks passed
@Aureliolo Aureliolo deleted the fix/dev-release-image-tags branch March 22, 2026 19:59
@Aureliolo Aureliolo mentioned this pull request Mar 22, 2026
Merged
Aureliolo added a commit that referenced this pull request Mar 22, 2026
@Aureliolo
chore(main): release 0.4.8 (#744)
77633c6 
🤖 I have created a release *beep* *boop*
---


##
[0.4.8](v0.4.7...v0.4.8)
(2026-03-22)


### Features

* add auto_cleanup config and improve update UX
([#741](#741))
([289638f](289638f))
* add reporting lines, escalation paths, and workflow handoffs to
templates ([#745](#745))
([c374cc9](c374cc9))
* differentiate template operational configs
([#742](#742))
([9b48345](9b48345))
* diversify personality preset assignments across templates
([#743](#743))
([15487a5](15487a5))
* improve template metadata -- skill taxonomy, descriptions, tags, and
display names ([#752](#752))
([f333f24](f333f24))


### Bug Fixes

* resolve log analysis findings (Ollama prefix, logging, init)
([#748](#748))
([8f871a4](8f871a4))
* use git tag for dev release container image tags
([#749](#749))
([f30d071](f30d071))
* use subordinate_id/supervisor_id in HierarchyResolver
([#751](#751))
([118235b](118235b))


### Performance

* add long-lived cache headers for content-hashed static assets
([#747](#747))
([4d350b5](4d350b5))
* use worksteal distribution for pytest-xdist
([#750](#750))
([b7dd7de](b7dd7de))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Aureliolo