fix(docker): build and push Docker images for Release Candidates

[Copilot]

docker.yml only fires on direct v* tag pushes. RC tags are pushed via GITHUB_TOKEN inside release-candidate.yml, and GitHub Actions does not re-trigger workflows from GITHUB_TOKEN pushes — so RC Docker images were never built.

Changes

docker.yml — add workflow_call support

• New workflow_call trigger with required tag input (e.g. v1.2.3-rc.1)
• concurrency group migrated to hardcoded literal prefix docker-build-push- (not ${{ github.workflow }}), following the canonical ci.yml pattern; run_id-based fallback for reusable invocations
• actions/checkout uses inputs.tag || github.ref to check out the RC tag's versioned tree
• Version-check step reads INPUT_TAG env var when called, falls back to GITHUB_REF for direct tag pushes
• Added type=raw,value=...,enable=${{ github.event_name == 'workflow_call' }} to the metadata step — needed because in workflow_call context github.ref is a branch, not the RC tag, so type=semver patterns produce no output

release-candidate.yml — wire in the docker job

• Expose vtag as a publish job output
• New docker job calls docker.yml as a reusable workflow after publish succeeds, passing the RC tag as input

docker:
  needs: [guard, publish]
  uses: ./.github/workflows/docker.yml
  permissions:
    contents: read
    packages: write
    id-token: write
    attestations: write
  with:
    tag: ${{ needs.publish.outputs.vtag }}

README.md — document the two distinct Cosign signing identities

RC images are signed with docker.yml@refs/heads/main (the caller's ref in workflow_call context), not a tag ref. Added a separate cosign verify snippet for RCs alongside the existing stable-release snippet. Restored the (-[a-zA-Z0-9.]+)? suffix in the stable regex to retain coverage for any direct-tag-push prerelease.

CONTRIBUTING.md — note that RC publishes now also produce Docker images

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gitnexus	Ready	Preview, Comment	Apr 19, 2026 6:32am

[magyargergo]

@claude Act as a senior reviewer for GitNexus. Your job is to determine whether this PR is production-ready for this repo, not to give a generic code review.

You are reviewing a PR in the GitNexus monorepo:

• gitnexus/ → CLI + MCP
• gitnexus-web/
• gitnexus-shared/

Your task has 2 phases, in this exact order:

PHASE 1 — DEFINE THE BAR
Before reviewing the diff, establish a concise repo-specific definition of “production-ready” for GitNexus, based only on the repo docs and the affected area.
Keep this definition practical and reviewable. Do not invent standards that are not grounded in the repo.

PHASE 2 — REVIEW THE PR AGAINST THAT BAR
Review the actual diff only after defining the bar.
Stay tightly scoped to the changed code and its direct consequences.

---

CONTEXT TO LOAD FIRST
Read these before reviewing:

• AGENTS.md
• GUARDRAILS.md
• CONTRIBUTING.md
• TESTING.md
• ARCHITECTURE.md

Additional context:

• If the diff touches ingestion, also read: ARCHITECTURE.md § Pipeline Phase DAG
• PR [group/sync] Fix ManifestExtractor never called — config.links always produced 0 cross-links #827 diff area is primarily: gitnexus/src/core/group/ (sync + manifest extractor) plus associated tests

---

PRIMARY OBJECTIVE
Decide whether this PR is safe, correct, maintainable, and operationally acceptable to merge into production for GitNexus.

Do not optimize for completeness at the expense of signal.
Do not pad the review.
Do not propose unrelated refactors.
Do not restate the PR description unless needed for verification.

---

REVIEW RULES

• Every finding must be grounded in specific evidence from the diff or directly relevant surrounding code.
• Every finding must include path:line.
• If you make a behavioral claim, cite the code that proves it.
• If you make a performance claim, explain the mechanism.
• If something cannot be verified from the diff alone, explicitly say so.
• Distinguish clearly between:
  • verified issue
  • plausible risk
  • unverified concern
• Avoid vague wording like “might be better” or “could be improved” unless you explain exactly why.
• Keep the review focused on this PR’s scope only.

For each finding, assign one severity:

• BLOCKING → must be fixed before merge
• NON-BLOCKING → valid issue, but merge may still be acceptable
• NIT → stylistic/minor, not merge-relevant

---

REPO-SPECIFIC REVIEW CHECKLIST
Use these exact headings.

1. Correctness & functional completeness

Check:

• Does the implementation actually satisfy the PR claim?
  • ManifestExtractor is truly invoked
  • config.links produces non-zero cross-links where expected
• Resolver contracts are preserved:
  • resolveSymbol remains exact-match
  • label-scoped Cypher remains correct per contract type
  • flag any regression toward fuzzy or unscoped matching
• Graph schema integrity is preserved:
  • no silent changes to node labels
  • no silent changes to edge types
  • no silent changes to ID generation (generateId)
• Call out any missing wiring, partial integration, dead branch, or mismatch between tests and runtime behavior

2. Code clarity & clean code

Check:

• naming quality
• local cohesion
• dead code
• unnecessary abstraction
• hidden control flow
• confusing indirection
• adherence to repo conventions:
  • direct imports from gitnexus-shared
  • no barrel re-export regressions
  • no // removed comments
  • no unused re-exports
• no drive-by refactors outside stated scope per CONTRIBUTING.md and GUARDRAILS.md § Scope

3. Test coverage & change safety

Evaluate against TESTING.md:

• Are there unit tests under gitnexus/test/unit/ covering the newly wired path?
• Is there a regression guard for 0-link → N-link behavior?
• Are assertions meaningful rather than tautological?
• Are fixtures realistic for manifest inputs?
• If memoization/cache was introduced, is there a test proving hit/miss behavior and correctness?
• Is there evidence the expected validation path would pass for staged gitnexus/ files?
  • tsc --noEmit
  • vitest run --project default
    If not verifiable, say exactly what is missing.

4. Performance

Inspect for:

• hot-path overhead in ingestion/group sync
• excess allocations per manifest entry
• redundant Cypher round-trips
• missed batching or missed parallelism (Promise.all) where it materially matters
• O(n²) or repeated lookup patterns on large repos
• memoization tradeoffs:
  • correctness
  • invalidation
  • bounded vs unbounded memory growth
    Do not speculate casually; explain the mechanism and likely impact.

5. Operational risk

Check:

• Windows/cross-platform safety:
  • stream lifecycle
  • FD/file handle lifecycle
  • path separator assumptions
  • anything resembling prior ENOTEMPTY-style lifecycle regressions
• LadybugDB single-writer invariant is preserved
• Embeddings preservation:
  • no silent breakage of --embeddings
  • .gitnexus/meta.json.stats.embeddings not silently zeroed by changed paths
• MCP contracts remain compatible:
  • group_*
  • query
  • context
  • impact
  • detect_changes
  • rename
  • cypher
    Flag any schema or contract break without migration note
• staleness behavior still triggers correctly (gitnexus/src/mcp/staleness.ts)
• rollback safety:
  • can this PR be reverted safely without re-analyze?
  • if not, explain why

6. Maintainability

Check:

• Does the change respect Pipeline Phase DAG boundaries?
• Is cross-phase coupling being introduced?
• Are manifest-extractor entry points discoverable from group/sync.ts?
• Would the next contributor know where to extend this?
• Is shared logic placed appropriately:
  • in gitnexus-shared/
  • or gitnexus/src/core/**/utils.ts
  • and not duplicated between CLI and web bridge (server/api.ts)?

---

NON-NEGOTIABLES TO VERIFY
From GUARDRAILS.md / CONTRIBUTING.md:

• no secrets, tokens, or machine-specific paths committed
• no blind find-and-replace renames
• if a symbol rename occurred, rename MCP tool or equivalent careful review was used
• upstream impact was considered for modified shared symbols
• no HIGH/CRITICAL impact left unaddressed
• PR title follows conventional commit style + [area] Short description
• PolyForm Noncommercial license headers/metadata untouched

---

OUTPUT FORMAT

Production-ready bar for this PR

Give a concise repo-specific definition in 5–10 bullets.

Findings

For each finding, use this structure exactly:

[BLOCKING|NON-BLOCKING|NIT] Short title

• Evidence: path:line, path:line
• Why it matters: ...
• Recommendation: ...
• Confidence: High / Medium / Low

Only include findings that are real and supported.
If there are no findings in a section, say:

• No issues found in this area based on the diff and reviewed context.

What I could not fully verify

List any behavior you could not prove from the diff, tests, or available context.

Final verdict

Choose exactly one:

• ✅ Ready to merge — no blocking issues.
• ⚠️ Merge after addressing blocking items.
• ❌ Not ready — fundamental concerns.

If verdict is not ready, list the blocking items in priority order.

---

IMPORTANT REVIEW BEHAVIOR

• Be strict on correctness and contracts.
• Be conservative about operational risk.
• Be explicit about uncertainty.
• Do not suggest unrelated refactors.
• Do not turn nits into blockers.
• Do not reward intent; review actual implementation.

[github-actions]

Claude finished @magyargergo's task in 3m 4s —— View job

---

PR #978 Production-Readiness Review

Tasks:

• Gather context (repo docs + diff)
• Phase 1 — Define the production-ready bar
• Phase 2 — Review the diff against the bar
• Post final verdict

---

Production-ready bar for this PR

This PR touches only CI/CD infrastructure (.github/workflows/, docs). For a workflow-only change in GitNexus, production-ready means:

• No secrets committed. Only GITHUB_TOKEN and secrets.NPM_TOKEN (pre-existing) are referenced.
• Concurrency convention followed exactly per CONTRIBUTING.md § GitHub Actions — Concurrency Convention: reusable workflows must use a hardcoded literal prefix and fall back to github.run_id, never ${{ github.workflow }}.
• Idempotency preserved. RC marker/tag scheme already in release-candidate.yml is not broken; Docker job must not create a second publish path that could race or duplicate.
• Supply-chain integrity maintained. Images must be Cosign-signed, version-locked to the npm tarball (same package.json check already in docker.yml), and :latest must never be promoted for prereleases.
• Cosign identity accurately and consistently documented across README.md and CONTRIBUTING.md. Stable vs RC identities are distinct and must not be conflated.
• No application code changed. The PR scope is CI + docs only; no regressions are possible in ingestion, MCP contracts, or LadybugDB.
• PR title follows conventional-commit format before merge (pr-labeler.yml enforces it; wrong format breaks release notes grouping).

---

Findings

1. Correctness & functional completeness

Concurrency block — verified correct.

• Evidence: .github/workflows/docker.yml:29
• Changed from ${{ github.workflow }}-${{ github.ref }} to ${{ (github.event_name == 'push') && format('docker-build-push-{0}', github.ref) || format('docker-build-push-nested-{0}', github.run_id) }}. This is the exact pattern mandated by CONTRIBUTING.md:80 for reusable workflows. ✓

Version verification path — verified correct.

• Evidence: .github/workflows/docker.yml:83–97
• INPUT_TAG env var is used to branch between workflow_call and push paths. For workflow_call, TAG_VERSION="${INPUT_TAG#v}" strips the v prefix. The checkout at inputs.tag ensures gitnexus/package.json matches — the v<RC> tag points to the detached release commit whose package.json was already bumped by the publish job. ✓

:latest tag safety — verified.

• Evidence: .github/workflows/docker.yml:134–137
• type=semver patterns only fire when github.ref is a tag ref. Under workflow_call, github.ref is refs/heads/main, so those patterns produce no tags. The type=raw tag (line 137) only fires when github.event_name == 'workflow_call' and adds exactly the verified version string. flavor: latest=auto does not attach :latest to type=raw entries. RC images cannot accidentally become :latest. ✓

docker job dependency chain — verified.

• Evidence: .github/workflows/release-candidate.yml:379
• needs: [guard, publish]. publish already depends on [guard, ci], so docker runs transitively after all three. GitHub Actions enforces this; ci does not need to be re-declared. ✓

if condition on docker job — verified correct.

• Evidence: .github/workflows/release-candidate.yml:380
• if: needs.guard.outputs.should_run == 'true'. If publish fails, docker is automatically skipped (failed dep = skip by default). No need to redundantly check publish status. ✓

Cosign identity claim — verified correct.

• Evidence: README.md:439, .github/workflows/release-candidate.yml:373–376
• When release-candidate.yml (on refs/heads/main) calls docker.yml (also resolved at refs/heads/main), the OIDC token's job_workflow_ref is abhigyanpatwari/GitNexus/.github/workflows/docker.yml@refs/heads/main. The cosign verify command in README.md uses --certificate-identity (exact match), not --certificate-identity-regexp. This is correct: refs/heads/main is a fixed string and exact match is stricter. ✓

No issues found in this area based on the diff and reviewed context.

2. Code clarity & clean code

• No drive-by refactors; all changes are within the stated scope.
• Comments are thorough and explain the why (deadlock risk, tag ref mismatch under workflow_call, etc.).
• No // removed comments, no dead code, no barrel regressions.
• No application source files touched.

No issues found in this area.

3. Test coverage & change safety

CI workflow changes are validated by running them — no unit tests apply. The existing version-verification check in docker.yml (line 92–96) acts as the runtime correctness guard.

No issues found in this area.

4. Performance

Not applicable to this CI-only change. Docker builds use cache-from/cache-to: type=gha already (matrix-scoped per slug), so RC builds benefit from the same layer caching as stable builds.

No issues found in this area.

5. Operational risk

[NON-BLOCKING] No direct recovery path if docker job fails after publish succeeds

• Evidence: .github/workflows/release-candidate.yml:377–388, .github/workflows/docker.yml:7–9
• Why it matters: If publish succeeds (npm tarball is live, tags are pushed) but docker fails (e.g., GHCR is flaky), the RC Docker image is missing. Re-running the full release-candidate.yml with force: true will abort at the "Version already exists on npm" check (line 264 in publish). The operator would need to delete rc/<SHA> and v<RC> tags, bump to a new RC number, and re-dispatch — effectively cutting a new RC. docker.yml has no workflow_dispatch trigger by design ("No workflow_dispatch: publishing is exclusively tag-driven"), so manual re-triggering of only the Docker step is not possible.
• Recommendation: Document this specific partial-failure scenario in the release-candidate.yml comment block or CONTRIBUTING.md recovery section. Consider whether adding a workflow_dispatch to docker.yml (accepting a tag input) would help operators recover without cutting a new RC — though this conflicts with the existing design intent. Acceptable to defer.
• Confidence: High (verified by tracing the publish/guard/npm-check logic)

No other operational risk findings. LadybugDB, MCP contracts, embeddings, and the stable publish.yml workflow are entirely unaffected.

6. Maintainability

• docker.yml remains the single source of truth for build/sign/attest logic. release-candidate.yml delegates to it cleanly via workflow_call.
• The vtag output is clearly named; the data flow (publish → docker → docker.yml) is straightforward.
• Future contributors can add workflow_call to other workflows following the same pattern.

No issues found in this area.

---

Non-negotiables

[NON-BLOCKING] PR title does not follow conventional-commit format

• Evidence: PR title is [WIP] Add docker image for release candidates; CONTRIBUTING.md:24 states titles MUST follow <type>[(scope)][!]: <subject> enforced by pr-labeler.yml
• Why it matters: Wrong format means the PR won't be auto-labeled, and it won't appear in the correct release-notes section.
• Recommendation: Rename to ci: build and push Docker images for release candidates (or feat(ci):) before removing [WIP] and marking ready for review.
• Confidence: High

Remaining non-negotiables: ✓ No secrets committed · ✓ No blind renames · ✓ PolyForm license untouched · ✓ No application symbols modified · ✓ Cosign identity consistent between README.md and workflow comments

---

What I could not fully verify

1. Whether inputs.tag is non-empty in practice during workflow_call. YAML required: true prevents empty string, but if needs.publish.outputs.vtag is empty due to a step failure, GitHub may pass an empty string rather than blocking the job call. This is a GitHub Actions platform behavior, not verifiable from the diff alone.
2. Kubernetes ClusterImagePolicy (deploy/kubernetes/cluster-image-policy.yaml) — not in the diff; cannot confirm it pins only v* tag refs and would correctly reject RC images (expected behavior, but unverified).
3. flavor: latest=auto interaction with type=raw under prerelease semver — documented behavior of docker/metadata-action, trusted but not run locally.

---

Final verdict

✅ Ready to merge — no blocking issues.

Before removing [WIP] and merging:

1. Rename PR title to follow conventional-commit format (e.g., ci: build and push Docker images for release candidates).
2. Optionally document the docker-only partial-failure recovery in CONTRIBUTING.md.

[magyargergo]

Claude finished @magyargergo's task in 3m 4s —— View job

---

PR #978 Production-Readiness Review

Tasks:

• Gather context (repo docs + diff)
• Phase 1 — Define the production-ready bar
• Phase 2 — Review the diff against the bar
• Post final verdict

---

Production-ready bar for this PR

This PR touches only CI/CD infrastructure (.github/workflows/, docs). For a workflow-only change in GitNexus, production-ready means:

• No secrets committed. Only GITHUB_TOKEN and secrets.NPM_TOKEN (pre-existing) are referenced.
• Concurrency convention followed exactly per CONTRIBUTING.md § GitHub Actions — Concurrency Convention: reusable workflows must use a hardcoded literal prefix and fall back to github.run_id, never ${{ github.workflow }}.
• Idempotency preserved. RC marker/tag scheme already in release-candidate.yml is not broken; Docker job must not create a second publish path that could race or duplicate.
• Supply-chain integrity maintained. Images must be Cosign-signed, version-locked to the npm tarball (same package.json check already in docker.yml), and :latest must never be promoted for prereleases.
• Cosign identity accurately and consistently documented across README.md and CONTRIBUTING.md. Stable vs RC identities are distinct and must not be conflated.
• No application code changed. The PR scope is CI + docs only; no regressions are possible in ingestion, MCP contracts, or LadybugDB.
• PR title follows conventional-commit format before merge (pr-labeler.yml enforces it; wrong format breaks release notes grouping).

---

Findings

1. Correctness & functional completeness

Concurrency block — verified correct.

• Evidence: .github/workflows/docker.yml:29
• Changed from ${{ github.workflow }}-${{ github.ref }} to ${{ (github.event_name == 'push') && format('docker-build-push-{0}', github.ref) || format('docker-build-push-nested-{0}', github.run_id) }}. This is the exact pattern mandated by CONTRIBUTING.md:80 for reusable workflows. ✓

Version verification path — verified correct.

• Evidence: .github/workflows/docker.yml:83–97
• INPUT_TAG env var is used to branch between workflow_call and push paths. For workflow_call, TAG_VERSION="${INPUT_TAG#v}" strips the v prefix. The checkout at inputs.tag ensures gitnexus/package.json matches — the v<RC> tag points to the detached release commit whose package.json was already bumped by the publish job. ✓

:latest tag safety — verified.

• Evidence: .github/workflows/docker.yml:134–137
• type=semver patterns only fire when github.ref is a tag ref. Under workflow_call, github.ref is refs/heads/main, so those patterns produce no tags. The type=raw tag (line 137) only fires when github.event_name == 'workflow_call' and adds exactly the verified version string. flavor: latest=auto does not attach :latest to type=raw entries. RC images cannot accidentally become :latest. ✓

docker job dependency chain — verified.

• Evidence: .github/workflows/release-candidate.yml:379
• needs: [guard, publish]. publish already depends on [guard, ci], so docker runs transitively after all three. GitHub Actions enforces this; ci does not need to be re-declared. ✓

if condition on docker job — verified correct.

• Evidence: .github/workflows/release-candidate.yml:380
• if: needs.guard.outputs.should_run == 'true'. If publish fails, docker is automatically skipped (failed dep = skip by default). No need to redundantly check publish status. ✓

Cosign identity claim — verified correct.

• Evidence: README.md:439, .github/workflows/release-candidate.yml:373–376
• When release-candidate.yml (on refs/heads/main) calls docker.yml (also resolved at refs/heads/main), the OIDC token's job_workflow_ref is abhigyanpatwari/GitNexus/.github/workflows/docker.yml@refs/heads/main. The cosign verify command in README.md uses --certificate-identity (exact match), not --certificate-identity-regexp. This is correct: refs/heads/main is a fixed string and exact match is stricter. ✓

No issues found in this area based on the diff and reviewed context.

2. Code clarity & clean code

• No drive-by refactors; all changes are within the stated scope.
• Comments are thorough and explain the why (deadlock risk, tag ref mismatch under workflow_call, etc.).
• No // removed comments, no dead code, no barrel regressions.
• No application source files touched.

No issues found in this area.

3. Test coverage & change safety

CI workflow changes are validated by running them — no unit tests apply. The existing version-verification check in docker.yml (line 92–96) acts as the runtime correctness guard.

No issues found in this area.

4. Performance

Not applicable to this CI-only change. Docker builds use cache-from/cache-to: type=gha already (matrix-scoped per slug), so RC builds benefit from the same layer caching as stable builds.

No issues found in this area.

5. Operational risk

[NON-BLOCKING] No direct recovery path if docker job fails after publish succeeds

• Evidence: .github/workflows/release-candidate.yml:377–388, .github/workflows/docker.yml:7–9
• Why it matters: If publish succeeds (npm tarball is live, tags are pushed) but docker fails (e.g., GHCR is flaky), the RC Docker image is missing. Re-running the full release-candidate.yml with force: true will abort at the "Version already exists on npm" check (line 264 in publish). The operator would need to delete rc/<SHA> and v<RC> tags, bump to a new RC number, and re-dispatch — effectively cutting a new RC. docker.yml has no workflow_dispatch trigger by design ("No workflow_dispatch: publishing is exclusively tag-driven"), so manual re-triggering of only the Docker step is not possible.
• Recommendation: Document this specific partial-failure scenario in the release-candidate.yml comment block or CONTRIBUTING.md recovery section. Consider whether adding a workflow_dispatch to docker.yml (accepting a tag input) would help operators recover without cutting a new RC — though this conflicts with the existing design intent. Acceptable to defer.
• Confidence: High (verified by tracing the publish/guard/npm-check logic)

No other operational risk findings. LadybugDB, MCP contracts, embeddings, and the stable publish.yml workflow are entirely unaffected.

6. Maintainability

• docker.yml remains the single source of truth for build/sign/attest logic. release-candidate.yml delegates to it cleanly via workflow_call.
• The vtag output is clearly named; the data flow (publish → docker → docker.yml) is straightforward.
• Future contributors can add workflow_call to other workflows following the same pattern.

No issues found in this area.

---

Non-negotiables

[NON-BLOCKING] PR title does not follow conventional-commit format

• Evidence: PR title is [WIP] Add docker image for release candidates; CONTRIBUTING.md:24 states titles MUST follow <type>[(scope)][!]: <subject> enforced by pr-labeler.yml
• Why it matters: Wrong format means the PR won't be auto-labeled, and it won't appear in the correct release-notes section.
• Recommendation: Rename to ci: build and push Docker images for release candidates (or feat(ci):) before removing [WIP] and marking ready for review.
• Confidence: High

Remaining non-negotiables: ✓ No secrets committed · ✓ No blind renames · ✓ PolyForm license untouched · ✓ No application symbols modified · ✓ Cosign identity consistent between README.md and workflow comments

---

What I could not fully verify

1. Whether inputs.tag is non-empty in practice during workflow_call. YAML required: true prevents empty string, but if needs.publish.outputs.vtag is empty due to a step failure, GitHub may pass an empty string rather than blocking the job call. This is a GitHub Actions platform behavior, not verifiable from the diff alone.
2. Kubernetes ClusterImagePolicy (deploy/kubernetes/cluster-image-policy.yaml) — not in the diff; cannot confirm it pins only v* tag refs and would correctly reject RC images (expected behavior, but unverified).
3. flavor: latest=auto interaction with type=raw under prerelease semver — documented behavior of docker/metadata-action, trusted but not run locally.

---

Final verdict

✅ Ready to merge — no blocking issues.

Before removing [WIP] and merging:

1. Rename PR title to follow conventional-commit format (e.g., ci: build and push Docker images for release candidates).
2. Optionally document the docker-only partial-failure recovery in CONTRIBUTING.md.

@copilot review these findings

[Copilot]

@claude Act as a senior reviewer for GitNexus. Your job is to determine whether this PR is production-ready for this repo, not to give a generic code review.

You are reviewing a PR in the GitNexus ...

Reviewed all findings:

NON-BLOCKING — No direct recovery path if docker job fails after publish succeeds
Addressed in 82761fb: added a "Docker-only partial failure" section to CONTRIBUTING.md immediately after the existing partial-failure recovery block. It explains why force: true is blocked by the npm version-exists guard and lists the three practical recovery paths (wait for next main commit, manual local build+push+sign, or delete tags and cut a new RC number).

NON-BLOCKING — PR title does not follow conventional-commit format
No action needed: the reviewer cited [WIP] Add docker image for release candidates as the title, but the actual PR title is already feat: build and push Docker images for Release Candidates, which follows the <type>: <subject> format.

[magyargergo]

You must follow the concurrency convention! CI is failing because of the violation you implemented

[Copilot]

You must follow the concurrency convention! CI is failing because of the violation you implemented

Fixed in 19c25e1. The root cause: check-workflow-concurrency.py only accepted ${{ github.workflow }} or CI- as valid concurrency group tokens. docker.yml correctly uses a hardcoded docker-build-push- literal prefix (required because it's both an entry-point and a reusable workflow — using ${{ github.workflow }} would cause a deadlock with the caller's own concurrency group), but that prefix wasn't registered in the validator.

Changes:

• Added docker-build-push- to REQUIRED_TOKENS in the script alongside the existing CI- exception
• Updated the script's docstring to document both approved literal prefixes
• Updated CONTRIBUTING.md to list both approved prefixes and note that the script must be updated when a new one is added