From 9d5f449b1c2d736e0fc61286390867c6c5afbca4 Mon Sep 17 00:00:00 2001
From: Bill <bill@bballou.com>
Date: Thu, 30 Oct 2025 20:31:55 -0400
Subject: [PATCH] fix: validate GITHUB_REF is a tag in docker-release workflow

Add validation to ensure workflow only processes tag pushes.
Prevents invalid Docker tags when workflow runs on non-tag refs.
---
 .github/workflows/docker-release.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index bcc5102..0026853 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -30,6 +30,12 @@ jobs:
       - name: Extract version from tag
         id: meta
         run: |
+          # Ensure we're building from a tag
+          if [[ "$GITHUB_REF" != refs/tags/* ]]; then
+            echo "Error: This workflow should only run on tag pushes"
+            echo "GITHUB_REF: $GITHUB_REF"
+            exit 1
+          fi
           VERSION=${GITHUB_REF#refs/tags/v}
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "Building version: $VERSION"