
ci: improve docker_release workflow#297

Merged
FletcherMan merged 1 commit intomainfrom
fix/docker-release-workflow
Mar 13, 2026

Conversation

@FletcherMan
Collaborator

@FletcherMan FletcherMan commented Mar 13, 2026

  • Remove redundant if: github.event_name == 'push' condition
  • Move registry login before build step
  • Pass COMMIT and VERSION as build-args to populate image labels
  • Simplify version extraction using github.ref_name instead of manual sed
  • Add quotes to all variable references for robustness

1. Purpose or design rationale of this PR

...

2. PR title

Your PR title must follow conventional commits (as we are doing squash merge for each PR), so it must start with one of the following types:

  • build: Changes that affect the build system or external dependencies (example scopes: yarn, eslint, typescript)
  • ci: Changes to our CI configuration files and scripts (example scopes: vercel, github, cypress)
  • docs: Documentation-only changes
  • feat: A new feature
  • fix: A bug fix
  • perf: A code change that improves performance
  • refactor: A code change that doesn't fix a bug, or add a feature, or improves performance
  • style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
  • test: Adding missing tests or correcting existing tests

3. Deployment tag versioning

Has the version in params/version.go been updated?

  • This PR doesn't involve a new deployment, git tag, docker image tag, and it doesn't affect traces
  • Yes

4. Breaking change label

Does this PR have the breaking-change label?

  • This PR is not a breaking change
  • Yes

Summary by CodeRabbit

  • Chores
    • Improved Docker release workflow with enhanced build arguments and variable handling.
    • Standardized shell quoting and logging for improved release process reliability.

- Remove redundant `if: github.event_name == 'push'` condition
- Move registry login before build step
- Pass COMMIT and VERSION as build-args to populate image labels
- Simplify version extraction using github.ref_name instead of manual sed
- Add quotes to all variable references for robustness

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@FletcherMan FletcherMan requested a review from a team as a code owner March 13, 2026 02:40
@FletcherMan FletcherMan requested review from panos-xyz and removed request for a team March 13, 2026 02:40
@coderabbitai
Contributor

coderabbitai Bot commented Mar 13, 2026

📝 Walkthrough

The GitHub Actions workflow refactors the Docker release pipeline to explicitly pass build arguments (COMMIT, VERSION) to the docker build step, improve variable quoting for shell safety, and standardize logging and variable handling throughout the Push suite.

Changes

Cohort / File(s): Docker Release Workflow, .github/workflows/docker_release.yml
Summary: Refactored docker build invocation to use multi-line format with explicit COMMIT and VERSION build arguments. Improved shell quoting and safety for IMAGE_ID and VERSION variables. Standardized logging with consistent variable referencing. Changed VERSION derivation from github.ref to github.ref_name with sed-based prefix stripping.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A workflow so tidy, with quotes standing tall,
Build args passed clearly, no risk of a fall,
From refs to variables, all trimmed just right,
Safe docker deployment, a beautiful sight! 🐳

🚥 Pre-merge checks: 3 passed
  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'ci: improve docker_release workflow' is specific, clear, and directly relates to the main changes in the PR, which focus on improving the Docker release CI workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/docker_release.yml:
- Line 25: The workflow currently injects github.ref_name directly into the run
shell line (--build-arg VERSION="${{ github.ref_name }}"), which risks shell
expansion; instead add an environment variable (e.g., REF_NAME) in the step's
env and reference that inside the run/sh command (use "$REF_NAME" when passing
--build-arg VERSION) so the value is provided by GitHub Actions rather than
being expanded by the shell; update the step's env to set REF_NAME: ${{
github.ref_name }} and replace occurrences of ${{ github.ref_name }} in the run
with "$REF_NAME".

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e2376b00-b5c0-4339-99b3-ce69dee975bc

📥 Commits

Reviewing files that changed from the base of the PR and between 17af190 and b097b6a.

📒 Files selected for processing (1)
  • .github/workflows/docker_release.yml

run: |
  docker build . --file Dockerfile \
    --build-arg COMMIT="${{ github.sha }}" \
    --build-arg VERSION="${{ github.ref_name }}" \

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Verify direct interpolation exists in the workflow.
rg -nP '\$\{\{\s*github\.ref_name\s*\}\}' .github/workflows/docker_release.yml

# Demonstrate bash expansion risk with double-quoted payload.
python - <<'PY'
import subprocess
payload = 'morph-v$(printf injected)'
cmd = f'echo "{payload}"'
out = subprocess.check_output(["bash", "-lc", cmd], text=True).strip()
print("command:", cmd)
print("output :", out)
print("expanded_command_substitution:", out != payload)
PY

Repository: morph-l2/go-ethereum



Avoid direct ${{ github.ref_name }} interpolation inside shell scripts.

Using ${{ github.ref_name }} directly in run contexts allows shell expansion from crafted tag names (e.g., $()), enabling command injection. Pass it via step env instead and expand as $REF_NAME in shell.

🔧 Proposed fix
       - name: Build the Docker image
+        env:
+          REF_NAME: ${{ github.ref_name }}
         run: |
           docker build . --file Dockerfile \
             --build-arg COMMIT="${{ github.sha }}" \
-            --build-arg VERSION="${{ github.ref_name }}" \
+            --build-arg VERSION="$REF_NAME" \
             -t "${IMAGE_NAME}"
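Review bot: the unchanged context line `--build-arg COMMIT="${{ github.sha }}"` keeps the same inline `${{ }}` interpolation this hunk removes for VERSION. A commit SHA is 40 hex characters and cannot carry shell metacharacters, so it is not exploitable on its own, but moving it into the same env block (`COMMIT_SHA: ${{ github.sha }}` and `--build-arg COMMIT="$COMMIT_SHA"`) leaves the `run:` script with no inline expressions at all, which is the property a reviewer can then enforce with a single grep for `${{` inside `run:` blocks. One caveat worth stating in the workflow: the value now arrives in the Dockerfile as a build arg, which is safe in `ARG`/`LABEL`/`ENV` lines but becomes a shell string again if a `RUN` instruction expands `$VERSION`.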
@@
       - name: Push image
+        env:
+          REF_NAME: ${{ github.ref_name }}
         run: |
           IMAGE_ID="ghcr.io/${{ github.repository }}"
@@
-          VERSION=$(echo "${{ github.ref_name }}" | sed -e 's/^morph-v//')
+          VERSION="${REF_NAME#morph-v}"
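Review bot: `VERSION="${REF_NAME#morph-v}"` reproduces the old `sed -e 's/^morph-v//'` exactly (strip a leading `morph-v`, pass anything else through unchanged), so a ref that does not start with `morph-v` is still used verbatim as the image tag. Since this step ends in a push to ghcr.io, add a guard before the tag/push lines, for example `case "$REF_NAME" in morph-v[0-9]*) ;; *) echo "unexpected ref: $REF_NAME" >&2; exit 1;; esac`, so a mistyped or hostile tag fails the job instead of producing a stray image tag. The unchanged context line `IMAGE_ID="ghcr.io/${{ github.repository }}"` is also still an inline expression; GitHub restricts repository names to letters, digits, `.`, `-` and `_`, so it is safe today, but pass it through env as well for consistency with REF_NAME. Finally, REF_NAME is now declared in two steps; a job-level `env:` block would define it once.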
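The expansion the finding above describes, reproduced as an added example that is not part of this PR or of the morph-l2/go-ethereum repository: the hostile tag name, the function names and the accepted version pattern are assumptions for illustration. The script mimics what the Actions runner does (paste the ref name into the script text, then hand the text to a shell) against the env-variable route the reviewer proposes, and adds the tag check a release job should make before pushing.

```shell
#!/bin/sh
# Added example for this thread; not code from the morph-l2/go-ethereum repo or the PR.
# It reproduces, in a plain shell, the two ways a GitHub Actions "run:" step can
# receive github.ref_name, plus the tag check a release job should make.
# The tag value, function names and version pattern are illustrative assumptions.
set -eu

# Constructed hostile ref name. Git allows '$', '(' and ')' in tag names.
HOSTILE_REF='morph-v1.2.3$(echo pwned)'

# Unsafe: mimics `--build-arg VERSION="${{ github.ref_name }}"`. The runner
# pastes the ref name into the script *text* before the shell runs, so the
# shell then treats $(...) inside it as a command substitution.
unsafe_version() {
  script="VERSION=\"$1\"; printf '%s' \"\$VERSION\""
  bash -c "$script"
}

# Safe: mimics `env: REF_NAME: ${{ github.ref_name }}` plus
# VERSION="${REF_NAME#morph-v}". The value reaches the shell as an environment
# variable; "$REF_NAME" is expanded once, as data, and never parsed as code.
safe_version() {
  REF_NAME="$1" bash -c 'VERSION="${REF_NAME#morph-v}"; printf "%s" "$VERSION"'
}

# Defense in depth: refuse refs that are not a plain morph-v<semver> tag
# (assumed release pattern) before they reach `docker tag` / `docker push`.
validate_ref() {
  case "$1" in
    morph-v[0-9]*) ;;
    *) return 1 ;;
  esac
  printf '%s' "${1#morph-v}" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+([.-][A-Za-z0-9]+)*$'
}

# Demo when run as `sh example.sh demo`; the functions above are the point.
if [ "${1:-}" = "demo" ]; then
  printf 'unsafe: %s\n' "$(unsafe_version "$HOSTILE_REF")"   # morph-v1.2.3pwned
  printf 'safe:   %s\n' "$(safe_version "$HOSTILE_REF")"     # 1.2.3$(echo pwned)
  validate_ref "$HOSTILE_REF" || printf 'validate: rejected %s\n' "$HOSTILE_REF"
fi
```

The same tag yields `morph-v1.2.3pwned` through inline interpolation (the embedded command ran) and the untouched string `1.2.3$(echo pwned)` through the env route; `validate_ref` rejects it either way, which is the check that keeps a bad ref from ever becoming an image tag.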

@FletcherMan FletcherMan merged commit 62952ec into main Mar 13, 2026
8 checks passed
@FletcherMan FletcherMan deleted the fix/docker-release-workflow branch March 13, 2026 03:17

Labels

None yet

Projects

None yet
