From 2e8c5b33823a0b341687eb0916e3af3b97f6298c Mon Sep 17 00:00:00 2001
From: Chris Gianelloni
Date: Wed, 26 Nov 2025 11:39:10 -0500
Subject: [PATCH] ci: fix Trivy scan tag extraction and update SARIF action to v4
Signed-off-by: Chris Gianelloni
---
 .github/workflows/publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1b0ac2c..d49bb2e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -47,7 +47,7 @@ jobs:
 type=ref,event=branch
 - name: Extract first tag
 run: |
- FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1)
+ FIRST_TAG=$(echo "${{ steps.meta.outputs.tags }}" | head -n1 | rev | cut -d: -f1 | rev)
 echo "FIRST_TAG=$FIRST_TAG" >> $GITHUB_ENV
 - name: push
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 https://github.com/docker/build-push-action/releases/tag/v6.18.0
@@ -65,7 +65,7 @@ jobs:
 format: 'sarif'
 output: 'trivy-results-${{ env.FIRST_TAG }}.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@d3ced5c96c16c4332e2a61eb6f3649d6f1b20bb8 # v3.31.5
+ uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
 if: always()
 with:
 sarif_file: 'trivy-results-${{ env.FIRST_TAG }}.sarif'
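Review bot: `${{ steps.meta.outputs.tags }}` is still expanded into the script text of the `run:` block on the changed `FIRST_TAG=` line, so the shell parses the tag list as part of the command rather than receiving it as data. The visible `type=ref,event=branch` rule suggests the tags derive from branch names, but the step that produces them is outside the hunk, so how strictly the value is sanitised cannot be confirmed from here. Passing the value through `env:` and stripping the repository prefix with `${FIRST_TAG##*:}` keeps it as data, removes the `rev | cut | rev` pipeline, and lets `"$GITHUB_ENV"` be quoted at the same time. The Trivy step's image reference also lies outside the visible lines, so confirm it does not rely on `FIRST_TAG` still carrying the repository part.

```yaml
- name: Extract first tag
  env:
    TAGS: ${{ steps.meta.outputs.tags }}
  run: |
    FIRST_TAG=$(printf '%s\n' "$TAGS" | head -n1)
    echo "FIRST_TAG=${FIRST_TAG##*:}" >> "$GITHUB_ENV"
# … unchanged: push step …
```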