From 11938561e81b33a3931455b9f6203a642acc3e8f Mon Sep 17 00:00:00 2001
From: mm-psy <147830298+mm-psy@users.noreply.github.com>
Date: Thu, 29 Jan 2026 16:13:59 +0100
Subject: [PATCH 1/6] Update Docker publish workflow for tag handling

---
 .github/workflows/docker-publish.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 113c32f..e1c12b5 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -71,11 +71,11 @@ jobs:
 latest=false
 tags: |
 type=semver,pattern={{raw}}
- type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/develop')}}
- type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/release/')}}
- type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/hotfix/')}}
+ type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}},priority=201
+ type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}}
+ type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}}
+ type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/') && !startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}}
 type=ref,event=pr
- type=raw,value=manual-{{branch}}-{{sha}},enable=${{github.event_name == 'workflow_dispatch'}}
 
 # Build and push Docker image with Buildx (don't push on PR)
 # https://github.com/docker/build-push-action
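Review bot: The new `type=raw,value=develop` line publishes a floating tag that is overwritten on every develop push, so anything that pulls `:develop` (deploy manifests, other pipelines, the Trivy scan later in this workflow) can silently receive a different image than the one that was reviewed or scanned; consumers that need reproducibility should pin by digest, and the rule deserves a comment saying so, e.g. `# 'develop' is a moving alias for the newest develop build; pin by digest where reproducibility matters`. The rewritten `{{branch}}-{{sha}}` rule now fires for every `refs/heads/*` ref except develop and release/ instead of only hotfix/, so which branches actually get an image pushed is now decided entirely by the workflow's `on:` triggers, which are outside this hunk and worth re-checking. Dropping the `manual-` rule also means a `workflow_dispatch` run from develop overwrites the same `develop` tag as a push; if that is intended it is worth a sentence in the commit message.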
@@ -106,6 +106,12 @@ jobs:
 push: false
 outputs: type=local,dest=sbom-output
 
+ # Extract the first tag from the list for Trivy scanning
+ - name: Get first image tag
+ if: ${{ github.event_name != 'pull_request' }}
+ id: first-tag
+ run: echo "value=$(echo '${{ steps.meta.outputs.tags }}' | head -n1)" >> $GITHUB_OUTPUT
+
 # Generate container SBOM.
 - name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container
 if: ${{ github.event_name != 'pull_request' }}
@@ -114,7 +120,7 @@ jobs:
 scan-type: 'image'
 format: 'cyclonedx'
 output: 'sbom-output/sbom_container.cyclonedx.json'
- image-ref: ${{ steps.meta.outputs.tags }}
+ image-ref: ${{ steps.first-tag.outputs.value }}
 skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a seperate SBOM for easier vulnerability management and because trivy misses important fields
 
 - name: Upload trivy/container AND application SBOMs as a Github artifact
From 58a8e74322d1a17cc4bcab6fde091acc00fea9d6 Mon Sep 17 00:00:00 2001
From: mm-psy <147830298+mm-psy@users.noreply.github.com>
Date: Thu, 29 Jan 2026 16:17:26 +0100
Subject: [PATCH 2/6] Update .github/workflows/docker-publish.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/docker-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index e1c12b5..0271bb2 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
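Review bot: The `run:` line of the new `Get first image tag` step expands `${{ steps.meta.outputs.tags }}` straight into the shell script inside single quotes, which is the expression-injection pattern that actionlint and zizmor flag: any quote or shell metacharacter in a tag value would be interpreted by the shell instead of being treated as data. The values come from docker/metadata-action, which as far as I can tell sanitizes `{{branch}}` to valid tag characters, so the practical exposure is presumably small, but the robust idiom costs nothing: hand the output over through the environment and quote `$GITHUB_OUTPUT`, i.e. `env:` / `  TAGS: ${{ steps.meta.outputs.tags }}` / `run: echo "value=$(printf '%s\n' "$TAGS" | head -n1)" >> "$GITHUB_OUTPUT"`. Patch 6 of this series rewrites the same step and keeps the interpolation, so it should be changed there as well.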
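Review bot: `image-ref` now names the image by its first tag, and Trivy resolves that tag from the registry at scan time, so on a mutable tag such as `develop` a later run that pushes in between can make the container SBOM describe a different image than the one this job built; the digest the build step returns is the unambiguous reference. If the build-push step has an `id`, a reference of the form `image-ref: <REGISTRY>/<IMAGE>@${{ steps.<build-step-id>.outputs.digest }}` (placeholders) ties the scan to exactly the pushed artifact; that step is outside this hunk, so I cannot confirm which id or outputs it exposes. A one-line comment above `image-ref` explaining why a single reference is passed (every tag in `steps.meta.outputs.tags` is applied to the same build, so one is enough for Trivy) would also help the next reader.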
@@ -121,7 +121,7 @@ jobs:
 format: 'cyclonedx'
 output: 'sbom-output/sbom_container.cyclonedx.json'
 image-ref: ${{ steps.first-tag.outputs.value }}
- skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a seperate SBOM for easier vulnerability management and because trivy misses important fields
+ skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a separate SBOM for easier vulnerability management and because trivy misses important fields
 
 - name: Upload trivy/container AND application SBOMs as a Github artifact
 if: ${{ github.event_name != 'pull_request' }}
From 1c06fd9fd76a03ecc189c17cc5fd07346ea19913 Mon Sep 17 00:00:00 2001
From: mm-psy <147830298+mm-psy@users.noreply.github.com>
Date: Thu, 29 Jan 2026 16:55:25 +0100
Subject: [PATCH 3/6] Clean up docker-publish.yml by removing empty line

Removed an empty line before the Export Application SBOM step.
---
 .github/workflows/docker-publish.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 0271bb2..8ae8ae5 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -93,7 +93,6 @@ jobs:
 cache-from: type=gha
 cache-to: type=gha,mode=max
 
-
 # Extract the pure application SBOM from the artifact stage, we want to handle it separately from the container SBOM
 # This automaticaly re-uses the previously generated stage from cache, so we get the exact sbom from previous build step
 - name: Export Application SBOM from artifact stage
From 53a0d7502135ca6e90b17eef3bbab4df814b4cff Mon Sep 17 00:00:00 2001
From: mm-psy <147830298+mm-psy@users.noreply.github.com>
Date: Mon, 2 Feb 2026 13:27:28 +0100
Subject: [PATCH 4/6] Add comment for priority setting

---
 .github/workflows/docker-publish.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 8ae8ae5..0e41a8d 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -71,6 +71,7 @@ jobs:
 latest=false
 tags: |
 type=semver,pattern={{raw}}
+ # Priority is set to ensure the develop-{{sha}} tag is preferred over other tags for the develop branch
 type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}},priority=201
 type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}}
 type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}}
From 8fbfcf8e388bfc2e937b472daac63e8e822a537d Mon Sep 17 00:00:00 2001
From: mm-psy <147830298+mm-psy@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:06:28 +0100
Subject: [PATCH 5/6] Add clarifying comment to Docker tag rule for non-develop, non-release branches (exclude tags and PRs)

---
 .github/workflows/docker-publish.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 0e41a8d..83d0182 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -75,6 +75,7 @@ jobs:
 type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref,'refs/heads/develop')}},priority=201
 type=raw,value=develop,enable=${{startsWith(github.ref,'refs/heads/develop')}}
 type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/release/')}}
+ # The following tag is only applied to regular branches except 'develop' and 'release/*' (i.e., not for tags or PRs)
 type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref,'refs/heads/') && !startsWith(github.ref,'refs/heads/develop') && !startsWith(github.ref,'refs/heads/release/')}}
 type=ref,event=pr
 
From 20d39726417f2b73588d82b704aaa34ee50ca59b Mon Sep 17 00:00:00 2001
From: mm-psy <147830298+mm-psy@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:10:25 +0100
Subject: [PATCH 6/6] Update tag extraction for Trivy scanning to prioritize highest tag

---
 .github/workflows/docker-publish.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 83d0182..5e6e4aa 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -107,11 +107,13 @@ jobs:
 push: false
 outputs: type=local,dest=sbom-output
 
- # Extract the first tag from the list for Trivy scanning
- - name: Get first image tag
+ # Extract the tag with the highest priority from the list for Trivy scanning
+ - name: Get highest priority image tag
 if: ${{ github.event_name != 'pull_request' }}
- id: first-tag
- run: echo "value=$(echo '${{ steps.meta.outputs.tags }}' | head -n1)" >> $GITHUB_OUTPUT
+ id: highest-priority-tag
+ run: |
+ # The first tag in the list is the one with the highest priority
+ echo "value=$(echo '${{ steps.meta.outputs.tags }}' | head -n1)" >> $GITHUB_OUTPUT
 
 # Generate container SBOM.
 - name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container
@@ -121,7 +123,7 @@ jobs:
 scan-type: 'image'
 format: 'cyclonedx'
 output: 'sbom-output/sbom_container.cyclonedx.json'
- image-ref: ${{ steps.first-tag.outputs.value }}
+ image-ref: ${{ steps.highest-priority-tag.outputs.value }}
 skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a separate SBOM for easier vulnerability management and because trivy misses important fields
 
 - name: Upload trivy/container AND application SBOMs as a Github artifact
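Review bot: The rewritten `Get highest priority image tag` step still has no guard for an empty tag list: if no rule in `steps.meta` matched the current ref (which the `on:` triggers outside this hunk decide, e.g. a non-semver tag push), `head -n1` yields an empty string, the `value` output is empty and the Trivy step further down fails on an empty `image-ref` with an unhelpful message. The added comment `# The first tag in the list is the one with the highest priority` leans on docker/metadata-action's documented ordering (tags sorted by priority, highest first), which is reasonable to rely on but is an assumption about another action and should be stated as such. Making the empty case fail loudly, and passing the tags through the environment rather than interpolating them into the script, would look like the lines below.
```yaml
      id: highest-priority-tag
      env:
        TAGS: ${{ steps.meta.outputs.tags }}
      run: |
        # docker/metadata-action lists tags by priority, highest first (documented behaviour)
        first="$(printf '%s\n' "$TAGS" | head -n1)"
        if [ -z "$first" ]; then
          echo "::error::no image tag was produced for $GITHUB_REF; nothing to scan"
          exit 1
        fi
        echo "value=$first" >> "$GITHUB_OUTPUT"
```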