
Fix shell injection vulnerability in Docker release workflow inputs#982

Open
MarvelFisher wants to merge 1 commit into main from feat/fix_ghworkflow_shellinject

Conversation

@MarvelFisher

@MarvelFisher MarvelFisher commented Jun 9, 2026

Collaborator

Fix `inputs.tag` injection into the `run` shell.
Add "Verify checkout ref matches expected tag".
Only the push event can push the `latest` image.

@MarvelFisher MarvelFisher requested a review from a team as a code owner June 9, 2026 07:43
@MarvelFisher MarvelFisher requested review from r3aker86 and removed request for a team June 9, 2026 07:43
@coderabbitai

coderabbitai Bot commented Jun 9, 2026

Contributor

Walkthrough

The Docker release workflow now validates that checked-out code matches the expected git tag before building, updates how tag variables are computed in the metadata step, and conditionally applies the :latest Docker image tag only for push events, excluding manual workflow dispatch runs.

Changes

Docker release workflow tag validation and conditional tagging

Layer / File(s): Tag validation and conditional Docker tagging (.github/workflows/docker_release.yml)
Summary: A new step validates that HEAD matches the expected git tag (derived from input or ref name), the metadata step now computes INPUT_TAG from ${{ inputs.tag || github.ref_name }}, and Docker tags conditionally include :latest only for push events, not manual dispatch.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • morph-l2/morph#912: Both PRs modify the same GitHub Actions workflow to manage Docker image tag and version handling.

Suggested reviewers

  • tomatoishealthy
  • curryxbo

Poem

🐰 A tag must match what we check out with care,
No latest when dispatch—only on push events fair,
The workflow now validates, extracts, and tags with grace,
So Docker images land in the proper place! 🐳

Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Title check: ✅ Passed. The title 'Fix shell injection vulnerability in Docker release workflow inputs' directly and accurately describes the main objective of the PR, which is to fix a shell injection vulnerability in the Docker release workflow by properly handling the inputs.tag parameter.

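The pattern the walkthrough describes, written out as an added example rather than the PR's own diff (the page does not show the diff): a `workflow_dispatch`-driven release step in its vulnerable shape, where the `inputs.tag` expression is pasted into the script before the shell parses it, beside a hardened version that passes the input through an environment variable, allowlists its format, verifies that HEAD is the commit the tag points at, and attaches `:latest` only on push events. The image name `ghcr.io/example/app`, the `v1.2.3` tag scheme, the step ids and the action versions are assumptions, not taken from the project's workflow.

```yaml
# Added example, not the project's .github/workflows/docker_release.yml.
# Image name, tag scheme, step ids and action versions are assumed.
on:
  push:
    tags: ['v*']
  workflow_dispatch:
    inputs:
      tag:
        description: 'Tag to build (e.g. v1.2.3)'
        required: true
        type: string

jobs:
  # Vulnerable shape, kept here only for contrast: ${{ inputs.tag }} is substituted into the
  # script text before bash runs it, so an input like `v1.2.3; id` executes as shell code
  # with whatever token and secrets the job holds. Do not keep a job like this.
  release-vulnerable:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          TAG=${{ inputs.tag }}
          docker build -t ghcr.io/example/app:$TAG .

  release-hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Expressions inside `with:` are consumed by the action, never by a shell.
          ref: ${{ inputs.tag || github.ref }}
          # The tag ref must exist locally for the verification step below;
          # with a shallow clone you may additionally need fetch-depth: 0.
          fetch-tags: true

      - name: Resolve and validate tag
        id: tag
        env:
          # The input reaches the shell as an environment variable (data), not as script text.
          INPUT_TAG: ${{ inputs.tag || github.ref_name }}
        run: |
          set -euo pipefail
          # Allowlist (assumed scheme): vMAJOR.MINOR.PATCH with optional pre-release suffix.
          if [[ ! "$INPUT_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?$ ]]; then
            echo "refusing unexpected tag: $INPUT_TAG" >&2
            exit 1
          fi
          echo "tag=$INPUT_TAG" >> "$GITHUB_OUTPUT"

      - name: Verify checkout ref matches expected tag
        env:
          EXPECTED_TAG: ${{ steps.tag.outputs.tag }}
        run: |
          set -euo pipefail
          # ^{commit} peels an annotated tag to the commit it points at.
          expected=$(git rev-parse --verify "refs/tags/${EXPECTED_TAG}^{commit}")
          actual=$(git rev-parse --verify HEAD)
          if [ "$expected" != "$actual" ]; then
            echo "HEAD $actual is not tag $EXPECTED_TAG ($expected)" >&2
            exit 1
          fi

      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/example/app
          tags: |
            type=raw,value=${{ steps.tag.outputs.tag }}
            # :latest only for tag pushes; a manual dispatch never moves it.
            type=raw,value=latest,enable=${{ github.event_name == 'push' }}

      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
```

Two caveats a reviewer would check: the allowlist regex has to match the project's real tag scheme, or legitimate releases will be refused, and the HEAD-versus-tag comparison only helps if checkout actually fetched the tag ref, so the `fetch-tags`/`fetch-depth` setting belongs in the review along with the `run:` changes. Even hardened, anyone allowed to dispatch the workflow can rebuild any existing tag, so the job's `permissions` block stays as tight as the push step allows.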

@MarvelFisher MarvelFisher changed the title fix inputs.tag inject to run shell Fix shell injection vulnerability in Docker release workflow inputs Jun 10, 2026