Feat: Add semver validation for release tag input

fletcher.fan · claude · fletcher.fan · commit 8ae507c7229e · 2026-03-13T17:39:03.000+08:00
Validate that the tag matches vX.Y.Z format before building and
pushing Docker image, to prevent accidental publishes.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/docker_release.yml b/.github/workflows/docker_release.yml
@@ -43,7 +43,11 @@ jobs:
         id: meta
         run: |
           TAG="${{ inputs.tag || github.ref_name }}"
-          VERSION=$(echo "$TAG" | sed -e 's/^v//')
+          if ! [[ "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z.-]+)?$ ]]; then
+            echo "Invalid release tag: $TAG (expected e.g. v0.5.0)"
+            exit 1
+          fi
+          VERSION="${TAG#v}"
           COMMIT=$(git rev-parse HEAD)
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
           echo "commit=${COMMIT}" >> "$GITHUB_OUTPUT"
