fix(ci): improve ref derivation in docker publish workflow

[alco]

🔗 Context

When this workflow is called by the Changesets workflow, the github.event_name context variable evaluates to push (the parent's trigger) rather than workflow_call. This caused our previous logic to skip the release flow and default to canary builds.

So the most recent package publishing only pushed canary images:

 #1 [internal] pushing docker.io/electricsql/electric:canary
#1 0.000 pushing sha256:e372c6ad86713cdbf726bbef83920eb32ecf9034d3794abde8d9fa73805413b1 to docker.io/electricsql/electric:canary
#1 DONE 1.9s
#1 [internal] pushing docker.io/electricsql/electric-canary:3516b9780
#1 0.000 pushing sha256:e372c6ad86713cdbf726bbef83920eb32ecf9034d3794abde8d9fa73805413b1 to docker.io/electricsql/electric-canary:3516b9780
#1 ...

#2 [internal] pushing docker.io/electricsql/electric-canary:latest
#2 0.000 pushing sha256:e372c6ad86713cdbf726bbef83920eb32ecf9034d3794abde8d9fa73805413b1 to docker.io/electricsql/electric-canary:latest
#2 DONE 1.8s

#1 [internal] pushing docker.io/electricsql/electric-canary:3516b9780
#1 DONE 1.8s

🛠️ Changes

• Updated derive_build_vars job to prioritize inputs.release_tag and github.event.release.tag_name over the event name string.
• Refactored shell logic to use more idiomatic -n (non-zero string) checks.

Summary by CodeRabbit

• Refactor
  • Simplified the Docker Hub image sync workflow's release detection logic to prioritize explicit release tags and fallback to commit-based runs, preserving existing behavior for release and manual triggers.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Replaces event-name branching in the Docker Hub sync workflow with a linear if-elif-else chain that sets git_ref and is_release from inputs.release_tag, then github.event.release.tag_name, or falls back to the commit SHA. No public API changes. (50 words)

Changes

Cohort / File(s)	Summary
GitHub Actions workflow .github/workflows/sync_service_dockerhub_image.yml	Replaced per-event case branching with an if-elif-else chain; introduced/uses INPUT_RELEASE_TAG, EVENT_RELEASE_TAG, and COMMIT_SHA to set git_ref (refs/tags/... or SHA) and is_release (true/false).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ci: Fix the Publish to Docker Hub workflow for good #3689: Modifies the same .github/workflows/sync_service_dockerhub_image.yml logic for deriving git_ref and is_release.

Suggested reviewers

• balegas

Poem

🐰 In workflows neat I hop and peep,
Tags first, then events, else SHA to keep.
If-elif steps tidy the trail,
A bunny nods as builds set sail. 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: improving how git references are derived in the Docker publish workflow, which directly addresses the core issue of ref derivation logic being refactored from event-name-based branching to input-prioritized sequential checks.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

---

📜 Recent review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 999574a and eebf7b2.

📒 Files selected for processing (1)

• .github/workflows/sync_service_dockerhub_image.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test packages/y-electric w/ sync-service
• GitHub Check: Test packages/typescript-client w/ sync-service
• GitHub Check: Test packages/experimental w/ sync-service
• GitHub Check: Test packages/start w/ sync-service
• GitHub Check: Test packages/react-hooks w/ sync-service
• GitHub Check: Run Lux integration tests

🔇 Additional comments (2)

.github/workflows/sync_service_dockerhub_image.yml (2)

4-4: LGTM!

Comment accurately points maintainers to the correct location for conditional logic.

---

40-59: LGTM! Well-structured fix for the ref derivation logic.

The refactored approach correctly:

1. Uses environment variables to safely handle inputs (addressing the script injection concern)
2. Prioritizes inputs.release_tag over github.event.release.tag_name, fixing the root cause where workflow_call triggers inherit the caller's event_name
3. Uses idiomatic -n checks for non-empty strings

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.31%. Comparing base (21e920d) to head (eebf7b2).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3715      +/-   ##
==========================================
- Coverage   87.36%   87.31%   -0.05%     
==========================================
  Files          23       23              
  Lines        2011     2011              
  Branches      532      530       -2     
==========================================
- Hits         1757     1756       -1     
- Misses        252      253       +1     
  Partials        2        2              

Flag	Coverage Δ
packages/experimental	87.73% <ø> (ø)
packages/react-hooks	86.48% <ø> (ø)
packages/start	82.83% <ø> (ø)
packages/typescript-client	93.39% <ø> (-0.08%)	⬇️
packages/y-electric	56.05% <ø> (ø)
typescript	87.31% <ø> (-0.05%)	⬇️
unit-tests	87.31% <ø> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/sync_service_dockerhub_image.yml (1)

159-167: Consider using env vars here too for consistency.

While these values come from job outputs rather than direct user input (lower risk), using the same safe pattern with environment variables would be more defensive and consistent with the fix above.

♻️ Suggested improvement

       - name: Derive image tags from the GitHub Actions event
+        env:
+          IS_RELEASE: ${{ needs.derive_build_vars.outputs.is_release }}
+          ELECTRIC_VERSION: ${{ needs.derive_build_vars.outputs.electric_version }}
+          SHORT_SHA: ${{ needs.derive_build_vars.outputs.short_commit_sha }}
         run: |
-          if [ "${{ needs.derive_build_vars.outputs.is_release }}" = "true" ]; then
+          if [ "$IS_RELEASE" = "true" ]; then
             # A release triggers official release image publishing
-            echo "ELECTRIC_TAGS=-t $DOCKERHUB_REPO:latest -t $DOCKERHUB_REPO:${{ needs.derive_build_vars.outputs.electric_version }}" >> $GITHUB_ENV
+            echo "ELECTRIC_TAGS=-t $DOCKERHUB_REPO:latest -t $DOCKERHUB_REPO:$ELECTRIC_VERSION" >> $GITHUB_ENV
             echo "ELECTRIC_CANARY_TAGS=" >> $GITHUB_ENV
           else
             # A regular push to the main branch triggers canary image publishing
             echo "ELECTRIC_TAGS=-t $DOCKERHUB_REPO:canary" >> $GITHUB_ENV
-            echo "ELECTRIC_CANARY_TAGS=-t $DOCKERHUB_CANARY_REPO:latest -t $DOCKERHUB_CANARY_REPO:${{ needs.derive_build_vars.outputs.short_commit_sha }}" >> $GITHUB_ENV
+            echo "ELECTRIC_CANARY_TAGS=-t $DOCKERHUB_CANARY_REPO:latest -t $DOCKERHUB_CANARY_REPO:$SHORT_SHA" >> $GITHUB_ENV
           fi

🤖 Fix all issues with AI agents

In @.github/workflows/sync_service_dockerhub_image.yml:
- Around line 43-52: The workflow currently interpolates `${{ inputs.release_tag
}}` and `${{ github.event.release.tag_name }}` directly into the shell script
(setting `ref` and `is_release`), which risks command injection; change the
job/step to pass those values as environment variables (e.g., set env:
RELEASE_TAG: ${{ inputs.release_tag }} and env: GITHUB_RELEASE_TAG: ${{
github.event.release.tag_name }}) and then in the shell use safe, quoted POSIX
parameter checks like `if [ -n "$RELEASE_TAG" ]; then
ref="refs/tags/$RELEASE_TAG"; is_release=true; elif [ -n "$GITHUB_RELEASE_TAG"
]; then ref="refs/tags/$GITHUB_RELEASE_TAG"; is_release=true; else
ref="$GITHUB_SHA"; is_release=false; fi` so no workflow expressions are injected
directly into the script and all expansions are quoted.

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c25526c and 999574a.

📒 Files selected for processing (1)

• .github/workflows/sync_service_dockerhub_image.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test packages/y-electric w/ sync-service
• GitHub Check: Test packages/start w/ sync-service
• GitHub Check: Test packages/typescript-client w/ sync-service
• GitHub Check: Test packages/react-hooks w/ sync-service
• GitHub Check: Test packages/experimental w/ sync-service
• GitHub Check: Run Lux integration tests

🔇 Additional comments (1)

.github/workflows/sync_service_dockerhub_image.yml (1)

4-4: LGTM!

Comment accurately reflects the updated location of trigger-dependent logic.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/sync_service_dockerhub_image.yml (1)

161-171: Consider applying the same environment variable pattern here for consistency.

While the values interpolated here (is_release, electric_version, short_commit_sha) are derived from controlled sources (step outputs and git metadata), using environment variables would maintain consistency with the security-conscious approach applied in the derive_build_vars job.

♻️ Optional: Environment variable approach for consistency

       - name: Derive image tags from the GitHub Actions event
+        env:
+          IS_RELEASE: ${{ needs.derive_build_vars.outputs.is_release }}
+          ELECTRIC_VERSION: ${{ needs.derive_build_vars.outputs.electric_version }}
+          SHORT_COMMIT_SHA: ${{ needs.derive_build_vars.outputs.short_commit_sha }}
         run: |
-          if [ "${{ needs.derive_build_vars.outputs.is_release }}" = "true" ]; then
+          if [ "$IS_RELEASE" = "true" ]; then
             # A release triggers official release image publishing
-            echo "ELECTRIC_TAGS=-t $DOCKERHUB_REPO:latest -t $DOCKERHUB_REPO:${{ needs.derive_build_vars.outputs.electric_version }}" >> $GITHUB_ENV
+            echo "ELECTRIC_TAGS=-t $DOCKERHUB_REPO:latest -t $DOCKERHUB_REPO:$ELECTRIC_VERSION" >> $GITHUB_ENV
             echo "ELECTRIC_CANARY_TAGS=" >> $GITHUB_ENV
           else
             # A regular push to the main branch triggers canary image publishing
             echo "ELECTRIC_TAGS=-t $DOCKERHUB_REPO:canary" >> $GITHUB_ENV
-            echo "ELECTRIC_CANARY_TAGS=-t $DOCKERHUB_CANARY_REPO:latest -t $DOCKERHUB_CANARY_REPO:${{ needs.derive_build_vars.outputs.short_commit_sha }}" >> $GITHUB_ENV
+            echo "ELECTRIC_CANARY_TAGS=-t $DOCKERHUB_CANARY_REPO:latest -t $DOCKERHUB_CANARY_REPO:$SHORT_COMMIT_SHA" >> $GITHUB_ENV
           fi

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 999574a and eebf7b2.

📒 Files selected for processing (1)

• .github/workflows/sync_service_dockerhub_image.yml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: Test packages/y-electric w/ sync-service
• GitHub Check: Test packages/typescript-client w/ sync-service
• GitHub Check: Test packages/experimental w/ sync-service
• GitHub Check: Test packages/start w/ sync-service
• GitHub Check: Test packages/react-hooks w/ sync-service
• GitHub Check: Run Lux integration tests

🔇 Additional comments (2)

.github/workflows/sync_service_dockerhub_image.yml (2)

4-4: LGTM!

Comment accurately points maintainers to the correct location for conditional logic.

---

40-59: LGTM! Well-structured fix for the ref derivation logic.

The refactored approach correctly:

1. Uses environment variables to safely handle inputs (addressing the script injection concern)
2. Prioritizes inputs.release_tag over github.event.release.tag_name, fixing the root cause where workflow_call triggers inherit the caller's event_name
3. Uses idiomatic -n checks for non-empty strings

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}