Fix build container on tags

[aj-stein]

Committer Notes

{Please provide a brief description of what this PR accomplishes. Be sure to reference any issues addressed. If the PR is a work-in-progress submitted for early review, please include [WIP] at the beginning of the title or mark the PR as DRAFT.}

All Submissions:

• Have you selected the correct base branch per Contributing guidance?
• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• Have you squashed any non-relevant commits and commit messages? [instructions]
• Have you set "Allow edits and access to secrets by maintainers"?

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

Changes to Core Features:

• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your core changes, as applicable?
• Have you included examples of how to use your new feature(s)?
• Have you updated all website and readme documentation affected by the changes you made?

Summary by CodeRabbit

• Chores
  • Enhanced deployment workflow with support for custom container image tagging and reference-based builds.
  • Added automated build artifact archival for distribution packages.
  • Integrated container image building into the deployment pipeline.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR adds flexibility to the container build workflow by introducing ref and custom_tag inputs for custom Git references and Docker tags. The release workflow now includes a new build-container job that reuses the container workflow to build and push container images after successful deployment.

Changes

Cohort / File(s)	Summary
Container workflow configuration .github/workflows/container.yml	Added ref and custom_tag workflow inputs; checkout step now uses parameterized ref; Docker metadata generation includes new raw tag type with value from custom_tag
Release workflow integration .github/workflows/release.yml	Added artifact upload step for build zip archive; introduced new build-container job that runs after deploy-to-nexus, reuses container workflow with push: true parameter, and includes container registry permissions

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• oscal-cli#208: Modifies the container build workflow and related build-container job configuration
• metaschema-java#562: Adds the same ref and custom_tag inputs to the container workflow with Docker metadata tag enhancements
• metaschema-java#585: Implements conditional logic on the build-container job to skip container builds for forked pull requests

Suggested reviewers

• david-waltermire

Poem

🐰 A workflow refined with inputs so neat,
Custom refs and tags make the build complete!
Container jobs dancing after deploy,
Pushing images with automated joy!
The release pipeline hops to the beat. 🚀

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main objective: enabling container builds when Git tags are created, which is directly supported by the changes to add workflow inputs and propagate them through the container and release workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-build-container-on-tags

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1268b57 and fca8c3f.

📒 Files selected for processing (1)

• .github/workflows/release.yml

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 623
File: .github/workflows/build.yml:8-14
Timestamp: 2026-01-07T04:40:01.060Z
Learning: In the metaschema-java repository, the build workflow intentionally includes `main` in the `pull_request.branches` trigger even though CONTRIBUTING.md requires PRs to target `develop`. This is a defensive design to provide feedback if someone accidentally targets main, rather than silent failure. The UPLOAD_SCAN_SARIF logic also needs main for security scan results.

📚 Learning: 2026-01-08T01:44:38.651Z

Learnt from: david-waltermire
Repo: metaschema-framework/oscal-cli PR: 208
File: .github/workflows/container-cleanup.yml:22-30
Timestamp: 2026-01-08T01:44:38.651Z
Learning: In the metaschema-framework organization, container cleanup workflows use GITHUB_TOKEN with packages:write permission for deleting old GHCR container images. This approach works for org-owned packages when the workflow runs from the same organization, following the pattern established in metaschema-java's container-cleanup.yml.

Applied to files:

• .github/workflows/release.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Website
• GitHub Check: Code

🔇 Additional comments (2)

.github/workflows/release.yml (2)

54-58: The artifact upload is correctly consumed. The container.yml workflow explicitly downloads the build_zip artifact using the actions/download-artifact action in the "Download build zip" step, placing it in ./metaschema-cli/target/ where it's used during the container build process.

Likely an incorrect or invalid review comment.

---

59-69: LGTM! Container workflow inputs are properly configured.

The job structure is correct:

• Appropriate permissions for pushing to GHCR with attestations
• Correct dependency on deploy-to-nexus to ensure artifacts are published first
• push: true correctly enables pushing the container image

The container.yml reusable workflow defaults inputs appropriately:

• ref defaults to github.ref when omitted (line 37), ensuring the current tag is used for release builds
• custom_tag defaults to empty and is only applied when explicitly provided (line 71), allowing auto-generated tags based on metadata (SHA, branch, tag)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/build.yml (1)

18-53: Missing custom_tag input in workflow_call.

The custom_tag input is defined for workflow_dispatch (lines 50-53) but not for workflow_call (lines 18-43). This means when this workflow is called by another workflow, inputs.custom_tag (referenced at line 335) will always be empty.

For consistency with ref (which is defined in both triggers), consider adding custom_tag to workflow_call:

Suggested fix

   workflow_call:
     inputs:
       ref:
         description: 'Git ref to checkout (branch, tag, or SHA)'
         required: false
         type: string
+      custom_tag:
+        description: 'Custom tag for container image (e.g., v3.0.0)'
+        required: false
+        type: string
       skip_code_scans:

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d336494 and 1268b57.

📒 Files selected for processing (2)

• .github/workflows/build.yml
• .github/workflows/container.yml

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: david-waltermire
Repo: metaschema-framework/metaschema-java PR: 623
File: .github/workflows/build.yml:8-14
Timestamp: 2026-01-07T04:40:01.060Z
Learning: In the metaschema-java repository, the build workflow intentionally includes `main` in the `pull_request.branches` trigger even though CONTRIBUTING.md requires PRs to target `develop`. This is a defensive design to provide feedback if someone accidentally targets main, rather than silent failure. The UPLOAD_SCAN_SARIF logic also needs main for security scan results.

📚 Learning: 2025-12-13T21:16:12.281Z

Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: Use branch naming: `feature/*` for new features and enhancements, `release/*` (format: `release/MAJOR.MINOR`) for release preparation, `fix/*` for bug fixes

Applied to files:

• .github/workflows/build.yml

📚 Learning: 2025-12-13T21:16:12.281Z

Learnt from: CR
Repo: metaschema-framework/metaschema PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-13T21:16:12.281Z
Learning: All PRs must target the `develop` branch, not `main`. The `main` branch receives merges only from `develop` during releases.

Applied to files:

• .github/workflows/build.yml

📚 Learning: 2025-12-17T13:27:43.679Z

Learnt from: CR
Repo: metaschema-framework/metaschema-java PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-17T13:27:43.679Z
Learning: All PRs must be created from a personal fork and must target the develop branch (BLOCKING - required by CONTRIBUTING.md)

Applied to files:

• .github/workflows/build.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Code
• GitHub Check: Website

🔇 Additional comments (5)

.github/workflows/build.yml (2)

8-9: LGTM on tag trigger addition.

The v* pattern correctly captures semantic versioning tags (e.g., v1.0.0, v2.3.4-rc1), enabling container builds on release tags as intended.

---

334-335: Implementation correctly handles empty inputs on tag pushes.

On tag pushes, inputs.ref and inputs.custom_tag are empty strings. The container workflow handles this correctly:

• Checkout uses ${{ inputs.ref || github.ref }} (line 37), which treats empty string as falsy and falls back to the tag ref
• Docker metadata conditionally adds custom_tag only when inputs.custom_tag != '' (line 71)
• The type=ref,event=tag metadata rule (line 69) automatically generates tag-based image refs

No changes needed.

.github/workflows/container.yml (3)

10-17: LGTM on new workflow inputs.

The ref and custom_tag inputs are well-defined with clear descriptions. Making them optional allows the workflow to function both when called with explicit values and when triggered automatically (falling back to defaults).

---

35-39: LGTM on checkout ref handling.

The inputs.ref || github.ref pattern correctly falls back to the triggering ref when no explicit ref is provided, ensuring the workflow checks out the right commit for both manual and automated triggers.

---

66-71: LGTM on custom tag metadata.

The type=raw with enable=${{ inputs.custom_tag != '' }} correctly:

1. Adds the custom tag only when explicitly provided
2. Coexists with type=ref,event=tag (line 69) for automatic git tag detection

This enables both automatic tagging on v* tag pushes and manual override via workflow_dispatch.