fix: ensure 'latest' Docker tag points only to releases #50

Merged

RadCod3 merged 4 commits into main from fix/42-docker-publish-workflow on Jan 11, 2026

Conversation

@RadCod3 RadCod3 (Owner) commented Jan 11, 2026

This pull request updates the Docker image tagging strategy to better distinguish between stable releases and development builds. The changes clarify which tags are used for production versus development images, both in the build workflow and in the documentation.

Docker Workflow Tagging Changes:

  • Updated the Docker image tagging logic in .github/workflows/docker-publish.yml so that:
    • The latest tag is now only applied to images built from release tags (i.e., stable releases), not from the default branch.
    • The edge tag is now used for images built from the default branch (main), representing the latest development build.
    • The image scanning logic now uses the edge tag for non-tag pushes and the version tag for release builds.

Documentation Updates:

  • Updated the README.md to clarify the meaning of the latest and edge tags:
    • latest is now described as the latest stable release, recommended for production.
    • edge is described as the development build from the main branch, which may be unstable.

Resolves #42

- Add flavor.latest=false to disable automatic latest tag
- Change main branch tag from 'latest' to 'edge'
- Add explicit 'latest' tag only for version tags (refs/tags/v*)
- Update security scan to use 'edge' tag for main branch builds

Fixes #42

- Update "Available Images" section to reflect new tagging strategy
- Document 'latest' tag as latest stable release
- Document 'edge' tag as main branch development builds

Related to #42

- Fix indentation consistency in docker-publish.yml and release.yml
- Standardize quote style to double quotes
- Add missing newline at end of docker-publish.yml
- Update github/codeql-action/upload-sarif from v3 to v4
  - Fixes deprecation warning
coderabbitai Bot commented Jan 11, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Documentation

    • Updated Docker image documentation to highlight two variants: "Latest Stable" and "Development" (edge) versions, clarifying deployment options.
  • Chores

    • Enhanced Docker build workflow with improved security scanning and metadata extraction.
    • Minor formatting consistency updates to CI/CD workflows.


Walkthrough

This pull request restructures the Docker publish workflow to ensure the latest tag exclusively points to version releases rather than main branch builds. The workflow steps are reorganized with updated metadata handling and scan logic. Documentation is updated to reflect the new edge tag for development builds.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Workflow Restructuring: `.github/workflows/docker-publish.yml` | Comprehensive workflow resequencing: version validation moved earlier, metadata-action enhanced with `flavor: latest=false` to disable auto-latest, scan tag logic switched to use `edge` for non-tag refs instead of `latest`, explicit `latest` tag only for version tags via `startsWith(github.ref, 'refs/tags/v')`, updated security scan action versions (codeql-action/upload-sarif to v4), tag filter uses double quotes. |
| Release Workflow Formatting: `.github/workflows/release.yml` | Quote style normalization: single-quoted strings replaced with double-quoted (tags filter, workflow inputs), minor comment spacing adjustment (fetch-depth), build check-name references updated from single to double quotes. No functional logic changes. |
| Documentation Update: `README.md` | Docker image table expanded from single "Latest" entry to two entries: "Latest Stable" (`ghcr.io/radcod3/lampyrid:latest`) for releases and "Development" (`ghcr.io/radcod3/lampyrid:edge`) for main branch builds. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hops of joy! The workflow now shines so bright,
Latest points to stable releases, just right!
Edge for development, main branch clean,
Docker tags dance as they should be seen! ✨

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title accurately reflects the main change: ensuring the 'latest' Docker tag points only to releases, which is the core objective of the changeset. |
| Description check | ✅ Passed | The PR description clearly explains the Docker tagging strategy changes and documentation updates, directly related to the changeset modifications. |
| Linked Issues check | ✅ Passed | The code changes implement all requirements from issue #42: disabling auto 'latest', using 'edge' for main branch, explicitly setting 'latest' for version tags, and updating documentation. |
| Out of Scope Changes check | ✅ Passed | All changes are within scope: workflow tagging updates, scanning logic adjustments, documentation clarification, and minor formatting/style cleanup directly address issue #42. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `.github/workflows/docker-publish.yml`, around lines 107-113: The workflow step "Run security scan on image" currently uses `aquasecurity/trivy-action@master`, which is a supply-chain risk; update the `uses` entry for that step to pin a fixed release tag or commit SHA (e.g., change `aquasecurity/trivy-action@master` to `aquasecurity/trivy-action@vX.Y.Z` or `aquasecurity/trivy-action@<commit-sha>`) so the action version is immutable and won't change unexpectedly.
📥 Commits

Reviewing files that changed from the base of the PR and between fc7f6fc and aaddd1c.

📒 Files selected for processing (3)
  • .github/workflows/docker-publish.yml
  • .github/workflows/release.yml
  • README.md
🔇 Additional comments (4)
.github/workflows/release.yml (1)

6-6: LGTM!

The formatting changes (single to double quotes, comment spacing) are cosmetic and maintain consistency across workflow files. The check-name: "build" correctly references the job name defined in docker-publish.yml.

Also applies to: 10-10, 29-29, 86-86

.github/workflows/docker-publish.yml (2)

64-73: LGTM! Tagging strategy correctly implements the PR objective.

The metadata configuration properly:

  • Disables automatic latest tagging with flavor: latest=false
  • Tags main branch builds with edge via type=raw,value=edge,enable={{is_default_branch}}
  • Applies latest only for version tags via type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}

This ensures latest always points to the most recent release while edge tracks the development branch.


90-105: LGTM!

The scan tag determination logic correctly mirrors the tagging strategy - using the version tag for releases and edge for main branch builds. The lowercase conversion ensures registry compatibility.

README.md (1)

318-319: LGTM!

The documentation clearly explains the distinction between latest (stable releases for production) and edge (development builds from main). This aligns well with the workflow changes and helps users make informed choices about which tag to use.

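The tagging and scan-tag selection described in the PR description and in the reviewer's summary above, written out as a complete workflow. This is an added illustration, not the Lampyrid project's own `docker-publish.yml`: the job layout, step ids, the `type=semver` line (the PR text only says "version tag"), the build/login action versions, and the `<PINNED-TAG-OR-COMMIT-SHA>` placeholder for the Trivy pin are assumptions. The lines that carry the PR's actual change are `flavor: latest=false`, the `edge` raw tag gated on `{{is_default_branch}}`, the `latest` raw tag gated on `startsWith(github.ref, 'refs/tags/v')`, and the scan step that mirrors that decision.

```yaml
# Added illustration of the tagging strategy discussed in this PR; not the
# project's own workflow file. Step ids, the semver tag line, action versions
# and the trivy-action pin placeholder are assumptions.
name: docker-publish

on:
  push:
    branches: ["main"]
    tags: ["v*"]

permissions:
  contents: read
  packages: write
  security-events: write   # required by codeql-action/upload-sarif

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # GHCR requires a lowercase image name; github.repository may contain
      # capitals (e.g. RadCod3/lampyrid), so normalise it once here.
      - name: Compute lowercase image name
        id: image
        run: echo "name=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_OUTPUT"

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ steps.image.outputs.name }}
          # Turn off the action's automatic 'latest' on the default branch.
          flavor: |
            latest=false
          tags: |
            # release tag v1.2.3 -> image tag 1.2.3 (assumed form of the "version tag")
            type=semver,pattern={{version}}
            # main builds are tagged 'edge', never 'latest'
            type=raw,value=edge,enable={{is_default_branch}}
            # 'latest' only when the ref is a version tag
            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # Mirror the tagging decision for the scanner: version tag for releases,
      # 'edge' for everything else, lowercased for registry compatibility.
      - name: Determine scan tag
        id: scan
        run: |
          if [[ "$GITHUB_REF" == refs/tags/v* ]]; then
            tag="${GITHUB_REF#refs/tags/v}"
          else
            tag="edge"
          fi
          echo "tag=${tag,,}" >> "$GITHUB_OUTPUT"

      # Pin to a release tag or full commit SHA rather than @master, as the
      # review comment above recommends; the value below is a placeholder.
      - name: Run security scan on image
        uses: aquasecurity/trivy-action@<PINNED-TAG-OR-COMMIT-SHA>
        with:
          image-ref: ${{ steps.image.outputs.name }}:${{ steps.scan.outputs.tag }}
          format: sarif
          output: trivy-results.sarif

      - name: Upload scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-results.sarif
```

With this configuration a push to `main` produces only `:edge`, a push of `v1.2.3` produces `:1.2.3` and `:latest`, and the scanner always inspects the image that was just pushed rather than whatever `:latest` happened to be. Replacing the placeholder with an immutable ref is what closes the reviewer's supply-chain point.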
@RadCod3 RadCod3 merged commit 74718c9 into main Jan 11, 2026
4 checks passed
@RadCod3 RadCod3 deleted the fix/42-docker-publish-workflow branch January 11, 2026 19:34

Development

Successfully merging this pull request may close these issues.

Docker 'latest' tag should point to latest release, not main branch

1 participant