From 6e741552e7cb67a5f26520a61acdaa7572e8f524 Mon Sep 17 00:00:00 2001 From: Huy Nguyen Date: Thu, 13 Nov 2025 19:22:59 +1030 Subject: [PATCH] Sanitize github.ref to be safely used as docker tag --- .gitea/workflows/ci.yaml | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml index 24fb195..46c11f1 100644 --- a/.gitea/workflows/ci.yaml +++ b/.gitea/workflows/ci.yaml @@ -23,7 +23,30 @@ jobs: # echo "MY_LOWER=$lower_value" >> $GITHUB_ENV # If you want to use it as an output of this step: echo "lowercase=$lower_value" >> $GITHUB_OUTPUT - + - name: Convert ref to buildx safe value + id: docker_tag_from_ref + shell: bash + run: | + # Grab the raw ref + REF="${{ github.ref }}" + + # Strip the "refs/*/" prefix (refs/heads/, refs/tags/…) + TAG=${REF#refs/*/} + + # Replace characters that Docker tags disallow + # * "/" → "-" + # * ":" → "-" + # * Any other non‑alphanumeric / . / _ / - → "-" + TAG=${TAG//\//-} + TAG=${TAG//:/-} + TAG=${TAG//[^a-zA-Z0-9._-]/-} + + # (Optional) force lower‑case – Docker tags are case‑sensitive, + # but many people prefer lower‑case + TAG=${TAG,,} + + # Export to the action's output + echo "docker-tag=${TAG}" >> $GITHUB_OUTPUT - name: Cache Docker layers uses: actions/cache@v3 with: @@ -42,7 +65,7 @@ jobs: push: false tags: | ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ github.sha }} - ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ github.ref_name }} + ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:${{ steps.docker_tag_from_ref.outputs.docker-tag }} ${{ vars.REGISTRY_HOST }}/${{ steps.github_repository_to_lowercase.outputs.lowercase }}:latest build-args: | # Add any build args here