fix: restore semantic version tagging for Docker images

- Add back manual Git tag retrieval logic for branch pushes
- Fix version detection for both tag pushes (direct) and branch pushes (latest tag)
- Ensure semantic versions are properly applied to Docker images
- Fix vulnerability scanning and testing to use correct version tags
- Correct YAML syntax for push triggers (paths-ignore positioning)

This resolves the issue where branch pushes to main weren't getting semantic version tags,
only SHA-based tags. Now both scenarios work:
- Tag push (v2.0.14) → uses tag directly
- Branch push (main) → uses latest available Git tag

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: JohanDevl

.github/workflows/docker-build.yml

@@ -4,12 +4,12 @@ on:
   push:
     branches:
       - develop
-    tags:
-      - 'v*'
     paths-ignore:
       - "**.md"
       - "docs/**"
       - ".github/ISSUE_TEMPLATE/**"
+    tags:
+      - 'v*'
   pull_request:
     branches:
       - main
@@ -51,6 +51,27 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Get version info
+        id: version
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # For tag pushes, use the tag directly
+            VERSION="${{ github.ref_name }}"
+            echo "version=$VERSION" >> $GITHUB_OUTPUT
+            echo "is_tag=true" >> $GITHUB_OUTPUT
+            echo "🏷️ Building from tag: $VERSION"
+          else
+            # For branch pushes, get the latest tag
+            git fetch --tags
+            LATEST_TAG=$(git tag -l "v*" | grep -v "-" | sort -V | tail -n 1)
+            if [ -z "$LATEST_TAG" ]; then
+              LATEST_TAG="v1.0.0"
+            fi
+            echo "version=$LATEST_TAG" >> $GITHUB_OUTPUT
+            echo "is_tag=false" >> $GITHUB_OUTPUT
+            echo "📋 Building from branch, using latest tag: $LATEST_TAG"
+          fi
+
       - name: Extract metadata for Docker
         id: meta
         uses: docker/metadata-action@v5
@@ -59,14 +80,15 @@ jobs:
             ${{ env.REGISTRY_IMAGE }}
             ${{ env.GITHUB_IMAGE }}
           tags: |
-            # Main branch tags (only via workflow_dispatch from auto-tag)
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-            type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }}
+            # Main branch tags (manual or tag-triggered)
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
+            type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
+            type=raw,value=${{ steps.version.outputs.version }},enable=${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
             # Develop branch tag
             type=raw,value=develop,enable=${{ github.ref == 'refs/heads/develop' }}
             # PR tags
             type=ref,event=pr,prefix=PR-
-            # Release/tag-based builds (semantic versioning)
+            # Tag-based builds (semantic versioning from git tags)
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
@@ -99,15 +121,15 @@ jobs:
           cache-from: type=gha,scope=${{ github.workflow }}-${{ github.ref_name }}
           cache-to: type=gha,mode=max,scope=${{ github.workflow }}-${{ github.ref_name }}
           build-args: |
-            VERSION=${{ steps.meta.outputs.version }}
+            VERSION=${{ steps.version.outputs.version }}
             COMMIT_SHA=${{ github.sha }}
             BUILD_DATE=${{ steps.build_date.outputs.BUILD_DATE }}
 
       - name: Scan image for vulnerabilities
         if: github.event_name != 'pull_request'
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
+          image-ref: ${{ env.REGISTRY_IMAGE }}:${{ steps.version.outputs.version }}
           format: "sarif"
           output: "trivy-results.sarif"
 
@@ -136,18 +158,27 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Extract Docker metadata for testing
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY_IMAGE }}
-          tags: |
-            type=semver,pattern={{version}}
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
-            type=raw,value=develop,enable=${{ github.ref == 'refs/heads/develop' }}
+      - name: Get version info for testing
+        id: version
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # For tag pushes, use the tag directly
+            VERSION="${{ github.ref_name }}"
+            echo "version=$VERSION" >> $GITHUB_OUTPUT
+            echo "🏷️ Testing tag version: $VERSION"
+          else
+            # For branch pushes, get the latest tag
+            git fetch --tags
+            LATEST_TAG=$(git tag -l "v*" | grep -v "-" | sort -V | tail -n 1)
+            if [ -z "$LATEST_TAG" ]; then
+              LATEST_TAG="v1.0.0"
+            fi
+            echo "version=$LATEST_TAG" >> $GITHUB_OUTPUT
+            echo "📋 Testing branch version: $LATEST_TAG"
+          fi
 
       - name: Pull image for testing
-        run: docker pull ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
+        run: docker pull ${{ env.REGISTRY_IMAGE }}:${{ steps.version.outputs.version }}
 
       - name: Test Docker image
         run: |
@@ -159,7 +190,7 @@ jobs:
             -v $(pwd)/test_config:/app/config \
             -v $(pwd)/test_logs:/app/logs \
             -v $(pwd)/test_exports:/app/exports \
-            ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} --help
+            ${{ env.REGISTRY_IMAGE }}:${{ steps.version.outputs.version }} --help
 
           echo "Docker image tests passed successfully"