From 399ed004d17828c3868b23b0079821bf80678d83 Mon Sep 17 00:00:00 2001
From: o-az <omaraziz.dev@proton.me>
Date: Tue, 24 Mar 2026 11:37:58 -0700
Subject: [PATCH 1/2] feat(ci): publish docker image on tag release

---
 .github/workflows/binary.yml  | 2 +-
 .github/workflows/docker.yml  | 9 +++++++--
 .github/workflows/release.yml | 2 +-
 .github/workflows/verify.yml  | 2 +-
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/binary.yml b/.github/workflows/binary.yml
index 133b52f8..c59f61c6 100644
--- a/.github/workflows/binary.yml
+++ b/.github/workflows/binary.yml
@@ -40,7 +40,7 @@ jobs:
             target: aarch64-apple-darwin
             asset: tidx-darwin-arm64
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           ref: ${{ inputs.tag || github.ref }}
       - uses: dtolnay/rust-toolchain@stable
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a160f6b5..7550e438 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -8,6 +8,9 @@ on:
         description: 'Release tag'
         required: true
         type: string
+  release:
+    types:
+      - published
   push:
     tags:
       - 'tidx@*'
@@ -18,6 +21,7 @@ env:
 jobs:
   docker:
     name: Build Docker
+    if: github.event_name != 'release' || startsWith(github.event.release.tag_name, 'tidx@')
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -26,7 +30,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.tag || github.ref }}
+          ref: ${{ inputs.tag || github.event.release.tag_name || github.ref }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -45,8 +49,9 @@ jobs:
           images: ghcr.io/${{ github.repository }}
           tags: |
             type=sha,prefix=
-            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value=latest,enable=${{ inputs.tag != '' || github.event_name == 'release' || startsWith(github.ref, 'refs/tags/tidx@') || github.ref_name == github.event.repository.default_branch }}
             type=ref,event=tag
+            type=raw,value=${{ github.event.release.tag_name }},enable=${{ github.event_name == 'release' }}
             type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
 
       - name: Build and push
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b77d6cf2..19e37d2e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
       published: ${{ steps.changelogs.outputs.published }}
       tag: ${{ steps.get-tag.outputs.tag }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - id: changelogs
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 7ef7677b..0a870c19 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -18,7 +18,7 @@ jobs:
     name: Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Install Rust
         uses: dtolnay/rust-toolchain@stable

From 7edb27aa0ff2554c0ef5cda5d51cbd440d267b0b Mon Sep 17 00:00:00 2001
From: o-az <omaraziz.dev@proton.me>
Date: Tue, 24 Mar 2026 12:14:15 -0700
Subject: [PATCH 2/2] fix(ci): harden docker release tag handling

---
 .github/workflows/docker.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 7550e438..69953035 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -30,7 +30,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.tag || github.event.release.tag_name || github.ref }}
+          ref: ${{ inputs.tag || github.ref }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -49,10 +49,9 @@ jobs:
           images: ghcr.io/${{ github.repository }}
           tags: |
             type=sha,prefix=
-            type=raw,value=latest,enable=${{ inputs.tag != '' || github.event_name == 'release' || startsWith(github.ref, 'refs/tags/tidx@') || github.ref_name == github.event.repository.default_branch }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' && github.event.release.prerelease == false && github.event.release.target_commitish == github.event.repository.default_branch }}
             type=ref,event=tag
-            type=raw,value=${{ github.event.release.tag_name }},enable=${{ github.event_name == 'release' }}
-            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' }}
+            type=raw,value=${{ inputs.tag }},enable=${{ inputs.tag != '' && startsWith(inputs.tag, 'tidx@') && !contains(inputs.tag, ',') }}
 
       - name: Build and push
         uses: docker/build-push-action@v6