refactor: restructure image tag derivation and pipeline token preparation for clarity and maintainability

Author: KristjanESPERANTO

.github/workflows/container-build.yaml

@@ -17,11 +17,19 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     env:
-      IMAGE_TAG: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
+      IMAGE_TAG: ""
+      PIPELINE_BUILD_TOKEN: ""
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
 
+      - name: Derive image tag
+        run: |
+          set -euo pipefail
+          repo="${GITHUB_REPOSITORY,,}"
+          ref="${GITHUB_REF_NAME,,}"
+          echo "IMAGE_TAG=ghcr.io/${repo}:${ref}" >> "$GITHUB_ENV"
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -30,33 +38,25 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Prepare pipeline token
-        env:
-          PIPELINE_GITHUB_TOKEN: ${{ secrets.PIPELINE_GITHUB_TOKEN }}
-          DEFAULT_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -euo pipefail
-          token="$PIPELINE_GITHUB_TOKEN"
-          source="PIPELINE_GITHUB_TOKEN"
-
-          if [ -z "$token" ]; then
-            token="$DEFAULT_GITHUB_TOKEN"
-            source="GITHUB_TOKEN"
+          if [ -n "${{ secrets.PIPELINE_GITHUB_TOKEN }}" ]; then
+            echo "::add-mask::${{ secrets.PIPELINE_GITHUB_TOKEN }}"
+            echo "PIPELINE_BUILD_TOKEN=${{ secrets.PIPELINE_GITHUB_TOKEN }}" >> "$GITHUB_ENV"
+            echo "PIPELINE_BUILD_TOKEN_SOURCE=PIPELINE_GITHUB_TOKEN" >> "$GITHUB_ENV"
+            echo "Using token source: PIPELINE_GITHUB_TOKEN"
+          else
+            if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
+              echo "No GitHub token available. Configure PIPELINE_GITHUB_TOKEN or ensure GITHUB_TOKEN is accessible." >&2
+              exit 1
+            fi
             echo "PIPELINE_GITHUB_TOKEN not set; falling back to workflow GITHUB_TOKEN (may hit rate limits)." >&2
+            echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
+            echo "PIPELINE_BUILD_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> "$GITHUB_ENV"
+            echo "PIPELINE_BUILD_TOKEN_SOURCE=GITHUB_TOKEN" >> "$GITHUB_ENV"
+            echo "Using token source: GITHUB_TOKEN"
           fi
 
-          if [ -z "$token" ]; then
-            echo "No GitHub token available. Configure PIPELINE_GITHUB_TOKEN or rely on the default GITHUB_TOKEN." >&2
-            exit 1
-          fi
-
-          echo "::add-mask::$token"
-          {
-            echo "PIPELINE_BUILD_TOKEN=$token"
-            echo "PIPELINE_BUILD_TOKEN_SOURCE=$source"
-          } >> "$GITHUB_ENV"
-
-          echo "Using token source: $source"
-
       - name: Build and push image
         uses: docker/build-push-action@v6
         with: