ci: fix Trivy scan tag extraction and update SARIF action to v4

[wolf31o2]

Summary by cubic

Fixed Trivy scan tag extraction to get only the image tag, preventing colons in SARIF filenames. Also updated github/codeql-action/upload-sarif to v4.31.5.

^{Written for commit 2e8c5b3. Summary will update automatically on new commits.}

Summary by CodeRabbit

• Chores
  • Updated internal publishing workflow configuration and dependencies for improved build infrastructure and security scanning.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request modifies the GitHub Actions workflow in .github/workflows/publish.yml. The FIRST_TAG extraction logic is updated with an additional reversal and cut operation to parse the tag more precisely by removing a colon-delimited suffix. Additionally, the upload-sarif action version is bumped to a newer commit.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

• Single file affected (workflow configuration)
• Minor string manipulation logic update for tag parsing
• Routine dependency version bump

Possibly related PRs

• fix: enhance OpenVPN image security and privacy #16: Directly related—this PR originally introduced the Extract first tag step and related CI actions, while the current PR refines the FIRST_TAG parsing logic with additional string operations to strip colon suffixes.

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the two main changes: fixing Trivy scan tag extraction logic and updating the SARIF action dependency to v4.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-trivy-scan

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b9144cb and 2e8c5b3.

📒 Files selected for processing (1)

• .github/workflows/publish.yml (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

🔇 Additional comments (2)

.github/workflows/publish.yml (2)

50-51: Tag extraction and upload-sarif version are both correct; no issues found.

The tag extraction logic using rev | cut -d: -f1 | rev correctly extracts the Docker tag portion after the last colon from docker/metadata-action's output. All realistic tag formats (version tags, branch names, SHA-based tags) are handled properly. The upload-sarif action update to v4.31.5 (commit fdbfb4d2750291e159f0156def62b853c2798ca2) is valid and verified in the official github/codeql-action repository.

---

68-68: No issues detected with upload-sarif v4.31.5 update.

The verification confirms:

1. ✓ Commit hash fdbfb4d2750291e159f0156def62b853c2798ca2 officially corresponds to v4.31.5 tag
2. ✓ No breaking changes in v4.31.5 (release only updates default CodeQL bundle to 2.23.6)
3. ✓ Current permissions (lines 17–20) remain sufficient—security-events: write is properly configured for SARIF uploads

The action update is safe to proceed.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 1 file