ci(rest): disable main publish + fix duplicate SHA in image tag #1922

Merged
lachen-nv merged 1 commit into NVIDIA:main from lachen-nv:chore/rest-disable-main-publish
May 25, 2026

@lachen-nv
Contributor

Summary

Temporarily disable REST publish on main/release/tags and fix the duplicate-SHA bug in REST image tags. Core publish is unchanged.

Why disable

Post-merge of #1800, main started pushing REST images to NGC with redundant SHA suffix:

nvcr.io/0837451325059433/carbide-dev/nico-rest-api:0.11.0-pr-3-g72855901-72855901
                                                                ^^^^^^^^^^^^^^^^^^
                                                                duplicated SHA

semantic_version from git describe --long already ends in -g<short_sha>, so appending -${short_sha} produced the duplicate.

Why fix in same PR

The tag fix is small and self-contained — shipping the disable and fix together means the follow-up PR is just removing the false toggles.

Changes

  • rest-ci.yml: push_enabled: false (was conditional)
  • rest-helm-workflows.yml: if: false on push-charts (was conditional)
  • rest-build-push-service.yml:
    • PRIMARY_TAG = semantic_version (main branch) — drop redundant -short_sha
    • ARTIFACT_VERSION = semantic_version — drop redundant -short_sha
    • latest tarball upload path now uses artifact_version (was hardcoded with duplicate)

Scope

  • REST docker push — disabled
  • REST helm push — disabled
  • Core CI publish — unchanged
  • Promotion workflow — unchanged

Follow-up

Once verified the fix produces clean tags on a non-publish run, open a follow-up to revert the two false toggles:

# rest-ci.yml
push_enabled: ${{ github.event_name != 'workflow_dispatch' && !contains(github.ref, 'pull-request/') }}

# rest-helm-workflows.yml
if: ${{ !cancelled() && github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' && needs.validate-charts.result == 'success' && !contains(github.ref, 'pull-request/') }}

Expected tag after fix + re-enable

nvcr.io/0837451325059433/carbide-dev/nico-rest-api:0.11.0-pr-3-g72855901
nvcr.io/0837451325059433/carbide-dev/nico-rest-api:latest

@lachen-nv lachen-nv requested a review from a team as a code owner May 25, 2026 05:33
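
The duplicate-SHA tag described in the PR summary above can be caught before a push with a small tag guard; this is an added example, not code from this PR or the repository's workflows. The function names `has_duplicate_sha` and `image_tag` are hypothetical, and appending `-g<sha>` to a version that has no describe suffix is an assumed convention.

```shell
#!/bin/sh
# Added example, not the repository's workflow code. Function names are
# hypothetical; the tags used to exercise it come from the PR description.

# Succeeds when a tag ends in "-g<sha>-<sha>": the commit SHA that
# `git describe --long` already embeds was appended a second time.
has_duplicate_sha() {
  printf '%s\n' "$1" | grep -q -e '-g\([0-9a-f]\{7,40\}\)-\1$'
}

# Print the image tag for a version string and a short commit SHA.
#   version ends in -g<sha> for the same commit  -> used unchanged
#   version ends in -g<sha> for another commit   -> error, inputs disagree
#   version has no -g<sha> suffix                -> suffix appended (assumed)
image_tag() (
  version=$1
  short_sha=$2
  [ -n "$version" ] && [ -n "$short_sha" ] || return 2
  embedded=${version##*-g}            # text after the last "-g"
  case $embedded in
    "$version" | "" | *[!0-9a-f]*)    # no "-g" present, or suffix is not hex
      printf '%s-g%s\n' "$version" "$short_sha"
      return 0 ;;
  esac
  # Abbreviation lengths can differ, so accept either one as a prefix.
  case $embedded in "$short_sha"*) printf '%s\n' "$version"; return 0 ;; esac
  case $short_sha in "$embedded"*) printf '%s\n' "$version"; return 0 ;; esac
  echo "version $version does not describe commit $short_sha" >&2
  return 1
)
```

Running `has_duplicate_sha` on the computed tag as a pre-push step fails the job instead of publishing a tag that no longer maps cleanly to one commit.
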
@github-actions

🔐 TruffleHog Secret Scan

No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🔗 View scan details

🕐 Last updated: 2026-05-25 05:34:53 UTC | Commit: 7c1e4e0

Contributor

@mmou-nv mmou-nv left a comment

+1

@github-actions

🔍 Container Scan Summary

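| Service | Total | Critical | High | Medium | Low | Other |
|---|---|---|---|---|---|---|
| nico-flow | 66 | 4 | 34 | 18 | 2 | 8 |
| nico-nsm | 82 | 2 | 28 | 43 | 9 | 0 |
| nico-psm | 67 | 4 | 35 | 18 | 2 | 8 |
| nico-rest-api | 100 | 6 | 53 | 30 | 3 | 8 |
| nico-rest-cert-manager | 65 | 4 | 34 | 18 | 1 | 8 |
| nico-rest-db | 66 | 4 | 34 | 18 | 2 | 8 |
| nico-rest-site-agent | 65 | 4 | 34 | 18 | 1 | 8 |
| nico-rest-site-manager | 65 | 4 | 34 | 18 | 1 | 8 |
| nico-rest-workflow | 67 | 4 | 35 | 18 | 2 | 8 |
| TOTAL | 643 | 36 | 321 | 199 | 23 | 64 |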

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

@lachen-nv lachen-nv merged commit 32700d7 into NVIDIA:main May 25, 2026
89 checks passed
@lachen-nv lachen-nv deleted the chore/rest-disable-main-publish branch May 25, 2026 05:45
lachen-nv added a commit to lachen-nv/ncx-infra-controller-core that referenced this pull request May 25, 2026