chore: address CI hardening review feedback

2026-05-13 07:46:47 +00:00 · 2026-05-12 08:48:26 -04:00 · 2026-05-12 08:48:26 -04:00 · 1bf26b7b68
commit 1bf26b7b68
parent 574a12bf77
2 changed files with 4 additions and 4 deletions
--- a/.github/workflows/gitnexus-index.yml
+++ b/.github/workflows/gitnexus-index.yml
@ -25,7 +25,7 @@ on:
        type: string
        default: ''
      pr_ref:
-        description: 'PR head SHA or ref to check out (set by /gitnexus command)'
+        description: 'Optional PR head ref to check out; defaults to refs/pull/<pr_number>/head when pr_number is set'
        type: string
        default: ''

@ -74,7 +74,7 @@ jobs:
              exit 1
            fi
            EXPECTED_REF="refs/pull/${PR_NUMBER}/head"
-            if [ "$PR_REF" != "$EXPECTED_REF" ]; then
+            if [ -n "$PR_REF" ] && [ "$PR_REF" != "$EXPECTED_REF" ]; then
              echo "::error::pr_ref must match ${EXPECTED_REF}"
              exit 1
            fi
@ -169,7 +169,7 @@ jobs:
          # repo for every PR, so checkout works for fork PRs too. When
          # pr_ref is empty (native push/pull_request), fall back to the
          # default ref actions/checkout would use.
-          ref: ${{ inputs.pr_ref || '' }}
+          ref: ${{ inputs.pr_ref || (inputs.pr_number != '' && format('refs/pull/{0}/head', inputs.pr_number) || '') }}
          fetch-depth: 1
          persist-credentials: false

--- a/.github/workflows/main-image-workflow.yml
+++ b/.github/workflows/main-image-workflow.yml
@ -31,7 +31,7 @@ jobs:
        run: |
          set -euo pipefail
          git fetch --tags --force
-          LATEST_TAG=$(git tag --list 'v*' --sort=-creatordate | grep -E '^v[0-9]+[.][0-9]+[.][0-9]+$' | head -n 1)
+          LATEST_TAG=$(git tag --list 'v[0-9]*' --sort=-v:refname | grep -E '^v[0-9]+[.][0-9]+[.][0-9]+$' | head -n 1)
          if [ -z "$LATEST_TAG" ]; then
            echo "::error::No stable v<semver> tag found"
            exit 1