ci: run on all branches but release only from main via git tag detection

- Trigger CI on push for all branches and on pull_request
- Detect SemVer release tags (vX.Y.Z) via git tag --points-at
- Run publish-image and stable-tag only for tagged commits on main
- Pass version_tag and sha to reusable workflows
- Prevent tag pushes from triggering additional workflows

https://chatgpt.com/share/e/699044d3-c1d8-8013-a40d-974d1fc69974

.github/workflows/ci.yml

@@ -2,46 +2,75 @@ name: ci
 
 on:
   pull_request: {}
-  push: {}
+  push:
+    branches:
+      - "**"
 
 permissions:
   contents: write
   packages: write
 
 jobs:
-  detect-release:
-    runs-on: ubuntu-latest
-    outputs:
-      is_semver_tag: ${{ steps.detect.outputs.is_semver_tag }}
-    steps:
-      - id: detect
-        shell: bash
-        run: |
-          set -euo pipefail
-          # Only true for tag refs like v1.2.3 (no suffix)
-          if [[ "${GITHUB_REF}" == refs/tags/* ]] && [[ "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "is_semver_tag=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "is_semver_tag=false" >> "$GITHUB_OUTPUT"
-          fi
-
   tests:
     uses: ./.github/workflows/reusable-test.yml
     with:
       python-version: "3.12"
       matomo-token-description: "ci-token"
 
+  detect-release:
+    # Only consider releases on main branch pushes (not PRs, not other branches)
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    outputs:
+      is_semver_tag: ${{ steps.detect.outputs.is_semver_tag }}
+      version_tag: ${{ steps.detect.outputs.version_tag }}
+    steps:
+      - name: Checkout (full history for tags)
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - id: detect
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch --tags --force
+
+          # Tags that point to the current commit
+          TAGS="$(git tag --points-at "$GITHUB_SHA" || true)"
+
+          # Pick the first strict SemVer tag: vX.Y.Z
+          VERSION_TAG="$(echo "$TAGS" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n1 || true)"
+
+          if [ -n "$VERSION_TAG" ]; then
+            echo "is_semver_tag=true" >> "$GITHUB_OUTPUT"
+            echo "version_tag=$VERSION_TAG" >> "$GITHUB_OUTPUT"
+            echo "Release tag detected on this commit: $VERSION_TAG"
+          else
+            echo "is_semver_tag=false" >> "$GITHUB_OUTPUT"
+            echo "version_tag=" >> "$GITHUB_OUTPUT"
+            echo "No SemVer tag on this commit."
+          fi
+
   publish-image:
+    # Only on main, and only if detect-release found a SemVer tag on this commit
     if: needs.detect-release.outputs.is_semver_tag == 'true'
-    needs: [detect-release, tests]
+    needs: [tests, detect-release]
     uses: ./.github/workflows/publish-image.yml
+    with:
+      version_tag: ${{ needs.detect-release.outputs.version_tag }}
+      sha: ${{ github.sha }}
     permissions:
       contents: read
       packages: write
 
   tag-stable:
+    # Only after tests + publish succeeded
     if: needs.detect-release.outputs.is_semver_tag == 'true'
-    needs: [detect-release, tests, publish-image]
+    needs: [tests, detect-release, publish-image]
     uses: ./.github/workflows/stable-tag.yml
+    with:
+      version_tag: ${{ needs.detect-release.outputs.version_tag }}
+      sha: ${{ github.sha }}
     permissions:
       contents: write

.github/workflows/publish-image.yml

@@ -1,7 +1,14 @@
 name: publish-image
 
 on:
-  workflow_call: {}
+  workflow_call:
+    inputs:
+      version_tag:
+        type: string
+        required: true
+      sha:
+        type: string
+        required: true
 
 jobs:
   build-and-push:
@@ -11,11 +18,11 @@ jobs:
       packages: write
 
     steps:
-      - name: Checkout
+      - name: Checkout (exact commit)
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          ref: ${{ github.ref }}   # bei tag-push ist das der Tag-Ref
+          ref: ${{ inputs.sha }}
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -36,8 +43,8 @@ jobs:
         run: |
           set -euo pipefail
           IMAGE="ghcr.io/${{ github.repository }}"
-          RAW_TAG="${{ github.ref_name }}"   # e.g. v1.1.7
+          RAW_TAG="${{ inputs.version_tag }}"   # e.g. v1.1.8
-          TAG="${RAW_TAG#v}"                 # -> 1.1.7
+          TAG="${RAW_TAG#v}"                    # -> 1.1.8
           echo "tags=$IMAGE:$TAG,$IMAGE:latest" >> "$GITHUB_OUTPUT"
 
       - name: Build and push

.github/workflows/stable-tag.yml

@@ -1,7 +1,14 @@
 name: Stable Tag
 
 on:
-  workflow_call: {}
+  workflow_call:
+    inputs:
+      version_tag:
+        type: string
+        required: true
+      sha:
+        type: string
+        required: true
 
 permissions:
   contents: write
@@ -16,16 +23,17 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Move stable tag to this version tag commit
+      - name: Move stable tag to the release commit
+        shell: bash
         run: |
           set -euo pipefail
 
-          echo "Triggered by tag: ${GITHUB_REF_NAME}"
+          echo "Release tag: ${{ inputs.version_tag }}"
-          echo "Commit: ${GITHUB_SHA}"
+          echo "Commit: ${{ inputs.sha }}"
 
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
           git fetch --tags --force
-          git tag -fa stable -m "stable -> ${GITHUB_REF_NAME} (${GITHUB_SHA})" "${GITHUB_SHA}"
+          git tag -fa stable -m "stable -> ${{ inputs.version_tag }} (${{ inputs.sha }})" "${{ inputs.sha }}"
           git push --force origin stable