fix: strip leading dots and hyphens from raw tags

[zry98]

According to the Docker image tag reference, the format is /[\w][\w.-]{0,127}/, a dot (.) or hyphen (-) is not allowed as a leading character.

sanitizeTag() was already replacing illegal characters from the middle of tag names, but not for the leading characters. A given raw tag like .foo\bar would be sanitized to .foo-bar, instead of foo-bar.

This PR added a second regex replacement pass .replace(/^[^a-zA-Z0-9_]+/, '') to strip any leading dots or hyphens.

Also added 3 related tests.

[zry98]

Hello @crazy-max , I see the CI failed with the yarn lockfile, is there something I need to update?

[crazy-max]

This is the right direction. Docker tags can contain . and -, but not as the first character, so stripping leading invalid characters matches the existing sanitizer behavior better than rejecting the tag.

One edge case needs tightening before merge: this can now sanitize a non-empty value into an empty tag, for example ..., ---, or /. setVersion() currently checks for empty before calling sanitizeTag(), so an empty sanitized value could become version.main and prevent a later valid tag from becoming the main version.

Could you move the empty check after sanitization?

val = Meta.sanitizeTag(val);
if (val.length == 0) {
  return version;
}

Please also add a focused test for that case, for example a higher-priority raw value that sanitizes to empty followed by a valid raw value, expecting the valid one to become main.

is there something I need to update?

See https://github.com/docker/metadata-action/blob/master/.github/CONTRIBUTING.md#submitting-a-pull-request

[zry98]

this can now sanitize a non-empty value into an empty tag, for example ..., ---, or /.

@crazy-max thank you for the nice catch! I've updated it and added some more related tests, please check.