Adds more published docker image tags

[myurasov-nv]

Description

Adds per-build immutable tags to the Docker images published by .github/workflows/publish-images.yaml, and drops the bare commit-SHA tag (now redundant).

New tags published:

• develop builds: $IMAGE:latest-develop-<run#>-<sha-stub> (in addition to the existing $IMAGE:latest-develop)
• release/X builds: $IMAGE:latest-release-X-<run#>-<sha-stub> (in addition to the existing $IMAGE:latest-release-X)

Removed: $IMAGE:<full-sha>. The new run-number + short-SHA tags provide the same per-build immutability with a more readable tag name.

main tagging ($IMAGE:latest, $IMAGE:v<VERSION>) is unchanged aside from the dropped SHA tag.

The tagging-scheme comment in the workflow was updated to match.

Fixes # (issue)

Type of change

• New feature (non-breaking change which adds functionality)

Checklist

• I have read and understood the contribution guidelines
• I have run the pre-commit checks with ./isaaclab.sh --format
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• I have updated the changelog and the corresponding version in the extension's config/extension.toml file
• I have added my name to the CONTRIBUTORS.md or my name already exists there

[greptile-apps]

Greptile Summary

This PR adds immutable per-build tags (latest-develop-<run#>-<sha-stub> and latest-release-X-<run#>-<sha-stub>) for develop and release/* branches, replacing the bare $IMAGE:<full-sha> tag, and makes unrecognised branches a no-op via exit 0.

• The main branch now has no immutable per-build tag: latest is mutable and v<VERSION> is only unique if the VERSION file is bumped with every push. A hotfix or CI-only commit to main will silently overwrite the previous image with no uniquely addressable tag remaining, which was the primary value of the dropped SHA tag.

Confidence Score: 3/5

Not safe to merge as-is — main branch builds lose their only immutable per-build identifier, creating a traceability gap for production images.

A single P1 finding is present: the main branch, which is the production release path, gets no immutable per-build tag now that the SHA tag is removed. The develop and release branches correctly receive the new run+sha tags, but main only has mutable (latest) and semi-mutable (v) tags. This is a real regression in auditability for the most critical branch.

.github/workflows/publish-images.yaml — specifically the main case in the TAGS switch statement

Important Files Changed

Filename	Overview
.github/workflows/publish-images.yaml	Adds immutable per-build tags for develop/release branches and removes the bare SHA tag, but main branch now has no immutable per-build tag, creating a traceability gap for production images.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push to branch] --> B{BRANCH_NAME?}
    B -- develop --> C["TAGS += IMAGE:latest-develop\nTAGS += IMAGE:latest-develop-run#-sha8"]
    B -- main --> D["TAGS += IMAGE:latest\nTAGS += IMAGE:v<VERSION>\n⚠️ No immutable per-build tag"]
    B -- "release/*" --> E["TAGS += IMAGE:latest-release-X\nTAGS += IMAGE:latest-release-X-run#-sha8"]
    B -- "*" --> F["echo skipping\nexit 0 — no build"]
    C --> G[docker buildx build --push]
    D --> G
    E --> G

Loading

Comments Outside Diff (1)

1. .github/workflows/publish-images.yaml, line 120-129 (link)

   main branch loses its only immutable per-build tag

   The develop and release/* cases each receive a new <run#>-<sha-stub> immutable tag, but main only gets latest and v<VERSION> — both of which are mutable. If main is pushed without a VERSION bump (e.g. a hotfix or CI-only change), the v<VERSION> tag silently overwrites the previous image with no way to reference the prior build. The dropped $IMAGE:$SHA tag was the only guaranteed-unique handle per commit on the main branch.

_{Reviews (1): Last reviewed commit: "Update tagging-scheme comment to match n..." | Re-trigger Greptile}