From 351740b26667034626d240f35b95632035177ffa Mon Sep 17 00:00:00 2001
From: Gergo Magyar <gergomagyar@icloud.com>
Date: Fri, 24 Apr 2026 16:40:57 +0100
Subject: [PATCH] fix(ci): skip docker.yml tag-input validation on direct tag
 pushes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The early Validate step ran on both workflow_call and push events, but
push events never populate inputs.tag (the tag comes from github.ref).
This regressed every real tag-push release — v1.6.3's Docker Build &
Push failed at that gate. The downstream Verify step already falls back
to GITHUB_REF, so the upfront guard only needs to cover workflow_call.
---
 .github/workflows/docker.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index e1e2f3fdc3..9e5750210d 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -69,8 +69,14 @@ jobs:
             slug: gitnexus
 
     steps:
+      # Only the workflow_call path requires a non-empty `inputs.tag` — callers
+      # (e.g. release-candidate.yml) must pass the RC tag explicitly. On direct
+      # tag pushes the tag comes from `github.ref`, so `inputs.tag` is always
+      # empty and validating it here would break every real release (#1064).
+      # The downstream "Verify tag matches gitnexus/package.json version" step
+      # handles both event types by falling back to GITHUB_REF.
       - name: Validate tag input
-        if: github.event_name == 'workflow_call' || github.event_name == 'push'
+        if: github.event_name == 'workflow_call'
         shell: bash
         env:
           TAG_INPUT: ${{ inputs.tag }}