From 6a56f9c06325eef899f7063aac6b206790acb68a Mon Sep 17 00:00:00 2001
From: "synacktra.work@gmail.com" <synacktra.work@gmail.com>
Date: Sat, 13 Dec 2025 09:10:02 +0530
Subject: [PATCH] fix(workflow): correct metadata extraction to prevent PRs
 from publishing unwanted tags

Split the final metadata-action step into PR, main, and semver-specific blocks so each
event only generates the appropriate tags. This prevents PR runs from pushing
`latest` or semver tags, ensuring the publish job creates multi-arch manifests
only for the tags intended for that event.
---
 .github/workflows/docker-reusable-publish.yml | 23 +++++++++++++++----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/docker-reusable-publish.yml b/.github/workflows/docker-reusable-publish.yml
index 68f74aed..e13585e1 100644
--- a/.github/workflows/docker-reusable-publish.yml
+++ b/.github/workflows/docker-reusable-publish.yml
@@ -161,20 +161,33 @@ jobs:
           username: ${{ inputs.docker_hub_org }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
-      - name: Extract final metadata
-        id: metadata
+      - name: Extract final metadata (PR)
+        if: github.event_name == 'pull_request'
         uses: docker/metadata-action@v5
         with:
           images: ${{ inputs.docker_hub_org }}/${{ inputs.image_name }}
           tags: |
-            type=ref,event=branch
             type=ref,event=pr
             type=sha
+
+      - name: Extract final metadata (main)
+        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ inputs.docker_hub_org }}/${{ inputs.image_name }}
+          tags: |
+            type=raw,value=latest
+
+      - name: Extract final metadata (semver)
+        if: startsWith(github.ref, format('refs/tags/{0}', inputs.tag_prefix))
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ inputs.docker_hub_org }}/${{ inputs.image_name }}
+          tags: |
             type=semver,pattern={{version}},prefix=${{ inputs.tag_prefix }}
             type=semver,pattern={{major}}.{{minor}},prefix=${{ inputs.tag_prefix }}
             type=semver,pattern={{major}},prefix=${{ inputs.tag_prefix }}
-          flavor: |
-            latest=true
+            type=raw,value=latest
 
       - name: Download all digest artifacts
         uses: actions/download-artifact@v4