fix(ci): [DEFECT] Manual deploy workflow cicd_8manualdeploy (#34689) (#34699)

## Description

Fix the `cicd_8-manual-deploy.yml` workflow that was failing with
invalid input parameters, and improve CI/CD infrastructure consistency
across all workflows: run-name visibility, Docker image tag
architecture, nightly build repeatability and tag ordering, and CLI
artifact deployment control.

## Changes

### Bug Fixes (cicd_8 manual deploy)
- **Fix invalid inputs**: use `change-detection='disabled'` instead of
the invalid `validation-level='none'`
- **Make `ref` input optional**: defaults to the dispatch branch,
preserving legacy behavior and fixing the concurrency group fallback
when `ref` is empty

### Run-Name Improvements (all workflows)
- **Add `run-name` to all CI/CD workflows** (`cicd_1` through `cicd_8`)
so every run is identifiable in the GitHub Actions UI without opening it
- **Fix expression syntax**: switch run-name YAML strings from
single-quoted to double-quoted so that GitHub Actions expression parser
receives properly single-quoted string literals inside `${{ }}` — fixes
`Unexpected symbol: '"' in expression` validation error (cicd_3, cicd_4,
cicd_6, cicd_7, cicd_8)
- **Always show ref in manual deploy run-name**: fall back to
`github.ref_name` when the `ref` input is empty, so the run name is
always `Manual [branch-name]` rather than just `Manual`

### Nightly Build Repeatability (cicd_4)
- **New `setup` job** that determines the commit to build from before
any other jobs run
- **Default behavior (scheduled and manual dispatch)**: finds the last
commit on `main` at or before midnight UTC. This ensures repeatability —
re-running a nightly later in the day to investigate a failure produces
the exact same build as the scheduled run. The date tag
(`nightly_YYYYMMDD`) labels the day covered (yesterday), not the day the
workflow runs.
- **New `use-latest-commit` dispatch input**: set to `true` to build
from the current `HEAD` of `main` instead, useful when you need to pick
up commits made after midnight
- **All downstream jobs** (`build`, `deployment`, `finalize`) now depend
on `setup` and pass through its `build-ref` and `tag-date` outputs

### Docker Image Tag Architecture (nightly + all builds)
- **Redesign tag inputs on `deploy-docker` action**: replace raw
`type=raw,value=...,enable=` format strings with semantic
`identifier-tag` / `custom-tag` inputs — callers express intent, not
bake-meta syntax
- **Centralize tag computation**: `Compute Docker Tags` step
consolidates all tag logic in clear bash `if/else`, replacing the
previous `Compute Docker Base Tag` + scattered `enable=` expressions
- **Fix tag ordering**: identifier appears before suffix
(`nightly_20250218_java25`, not `nightly_java25_20250218`), consistent
with the release pattern
- **Retain `extra-tags`** as an escape hatch for advanced cases

### CLI Artifact Deployment Control
- **Add `deploy-cli` boolean input** to the deployment phase composite
workflow (default: `false`); replaces the previous hardcoded
`environment != 'manual'` name check
- **Explicit opt-in pattern**: trunk, nightly, and release callers set
`deploy-cli: true`; manual deploys omit it and default to `false`,
preventing accidental JFrog publishes from feature-branch builds —
mirrors the same pattern used by `publish-npm-cli` and
`publish-npm-sdk-libs`
- **Restore `publish-npm-sdk-libs`** condition to input-only guard
(environment hardcoding removed)

### Miscellaneous
- **Remove dead code**: `reuse-previous-build` removed from all
deployment-phase calls (only meaningful in the initialize phase)
- **Remove stale `java_version` default** from
`cicd_7-release-java-variant` dispatch input (`'25.0.1-open'` was
outdated); update description to reference the
`RELEASE_JAVA_VARIANT_VERSION` repository variable used by
push-triggered builds

## Files Changed

| File | What changed |
|------|-------------|
| `.github/actions/core-cicd/deployment/deploy-docker/action.yml` | New
`identifier-tag`/`custom-tag` inputs; centralized tag computation |
| `.github/workflows/cicd_1-pr.yml` | Add `run-name` |
| `.github/workflows/cicd_2-merge-queue.yml` | Add `run-name` |
| `.github/workflows/cicd_3-trunk.yml` | Add `run-name` (fixed quotes);
add `deploy-cli: true` |
| `.github/workflows/cicd_4-nightly.yml` | Add `setup` job for commit
pinning; add `use-latest-commit` input; add `run-name` (fixed quotes);
fix tag ordering; add `deploy-cli: true` |
| `.github/workflows/cicd_6-release.yml` | Fix `run-name` quotes; add
`deploy-cli: true` |
| `.github/workflows/cicd_7-release-java-variant.yml` | Fix `run-name`
quotes; remove stale `java_version` default |
| `.github/workflows/cicd_8-manual-deploy.yml` | Fix invalid inputs;
make `ref` optional; fix `run-name` always shows ref |
| `.github/workflows/cicd_comp_deployment-phase.yml` | Add `deploy-cli`
input; replace env-name guard with input guard |
| `.github/workflows/cicd_comp_initialize-phase.yml` | Minor cleanup |

## Testing

- Workflow YAML validates on push (GitHub Actions schema validation)
- Manual deploy workflow (`cicd_8`) can be triggered successfully
end-to-end
- Docker tags produced with correct naming pattern and ordering
- `run-name` displays correctly in GitHub Actions UI for all workflow
types
- CLI artifacts are not published when running manual/feature-branch
builds
- Nightly default behavior pins to the midnight UTC commit, not current
HEAD

Closes #34689

**Issue:** [DEFECT] Manual deploy workflow cicd_8manualdeploy

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: spbolton

.github/actions/core-cicd/deployment/deploy-docker/action.yml

@@ -22,8 +22,9 @@ inputs:
     description: 'The commit id that triggered the build'
     required: true
   ref:
-    description: 'The branch or type of build to tag the image with'
-    required: true
+    description: 'The branch or type of build to tag the image with. Only used when docker-use-ref is true; when docker-use-ref is false the version input drives all tags and this is ignored.'
+    required: false
+    default: ''
   docker-use-ref:
     description: 'The branch or type of build to tag the image with'
     required: false
@@ -65,6 +66,18 @@ inputs:
     description: 'Pull image before building'
     required: false
     default: 'false'
+  identifier-tag:
+    description: 'Optional mutable alias tag managed by the deployment phase (e.g., nightly_20250218_java25, manual_issue-123_java25). Applied when non-empty.'
+    required: false
+    default: ''
+  custom-tag:
+    description: 'Optional custom alias tag chosen by the developer (e.g., modernization, java25-testing). Applied when non-empty.'
+    required: false
+    default: ''
+  extra-tags:
+    description: 'Escape hatch: additional tags in docker/metadata-action format (type=raw,value=...), one per line. Use for cases not covered by identifier-tag or custom-tag.'
+    required: false
+    default: ''
 outputs:
   tags:
     description: "The tags that were used to build the image"
@@ -104,6 +117,9 @@ runs:
         REF: ${{ inputs.ref }}
         USE_REF: ${{ inputs.docker-use-ref }}
         VERSION: ${{ inputs.version }}
+        IDENTIFIER_TAG: ${{ inputs.identifier-tag }}
+        CUSTOM_TAG: ${{ inputs.custom-tag }}
+        EXTRA_TAGS: ${{ inputs.extra-tags }}
       run: |
         
         # Set defaults for flags
@@ -137,6 +153,13 @@ runs:
           echo "type=raw,value=${RESULT}_{{sha}},enable=true" >> $GITHUB_ENV
           echo "type=raw,value=${RESULT},enable=true" >> $GITHUB_ENV
           echo "type=raw,value=latest,enable=${enable_latest}" >> $GITHUB_ENV
+          [[ -n "${IDENTIFIER_TAG}" ]] && echo "type=raw,value=${IDENTIFIER_TAG},enable=true" >> $GITHUB_ENV
+          [[ -n "${CUSTOM_TAG}" ]] && echo "type=raw,value=${CUSTOM_TAG},enable=true" >> $GITHUB_ENV
+          if [[ -n "${EXTRA_TAGS}" ]]; then
+            while IFS= read -r tag_line; do
+              [[ -n "${tag_line}" ]] && echo "${tag_line}" >> $GITHUB_ENV
+            done <<< "${EXTRA_TAGS}"
+          fi
         echo "EOF" >> $GITHUB_ENV
     - name: Docker.io login
       uses: docker/login-action@v3.0.0

.github/workflows/cicd_1-pr.yml

@@ -20,6 +20,7 @@
 
 
 name: '-1 PR Check'
+run-name: 'PR #${{ github.event.pull_request.number }}: ${{ github.event.pull_request.title }} (@${{ github.event.pull_request.user.login }})'
 
 on:
   pull_request:

.github/workflows/cicd_2-merge-queue.yml

@@ -1,4 +1,5 @@
 name: '-2 Merge Group Check'
+run-name: 'MQ: ${{ github.event.merge_group.head_commit.message }}'
 on:
   merge_group:
     types: [ checks_requested ]

.github/workflows/cicd_3-trunk.yml

@@ -11,6 +11,7 @@
 # - Final reporting of the workflow status
 
 name: '-3 Trunk Workflow'
+run-name: "Trunk${{ inputs.java-version && format(' [{0}]', inputs.java-version) || '' }}"
 
 on:
   push:
@@ -129,8 +130,10 @@ jobs:
     uses: ./.github/workflows/cicd_comp_deployment-phase.yml
     with:
       artifact-run-id: ${{ needs.initialize.outputs.artifact-run-id }}
+      deploy-cli: true
       publish-npm-sdk-libs: ${{ fromJSON(needs.initialize.outputs.filters).sdk_libs == 'true' && github.event_name != 'workflow_dispatch' }}
       environment: trunk
+      # tag-identifier intentionally omitted: trunk uses only the environment name as its tag
       java-version: ${{ github.event.inputs.java-version || '' }}
       artifact-suffix: ${{ github.event.inputs.artifact-suffix || '' }}
     secrets:

.github/workflows/cicd_4-nightly.yml

@@ -10,8 +10,17 @@
 # - Optional NPM package publishing
 # - Deployment to the nightly environment
 # - Final reporting of the workflow status
+#
+# Commit pinning:
+# - Default (both scheduled and manual dispatch): builds from the last commit on main
+#   at or before midnight UTC. This ensures repeatability — manually re-running the
+#   nightly later in the day to investigate a failure produces the same build.
+#   The date tag (nightly_YYYYMMDD) correctly labels the day covered, not the run day.
+# - Manual dispatch with use-latest-commit=true: builds from current HEAD of main,
+#   useful when you want to pick up commits made after midnight.
 
 name: '-4 Nightly Workflow'
+run-name: "Nightly${{ inputs.use-latest-commit && ' (HEAD)' || '' }}${{ inputs.java-version && format(' [{0}]', inputs.java-version) || '' }}"
 
 on:
   schedule:
@@ -49,8 +58,57 @@ on:
         type: string
         required: false
         default: ''
+      use-latest-commit:
+        description: 'Use current HEAD of main instead of the midnight UTC commit. Set to true when you want to pick up commits made after midnight rather than reproduce the scheduled run.'
+        type: boolean
+        default: false
 
 jobs:
+  # Setup job - determines the commit to build from.
+  # Default (scheduled and manual): last commit on main at or before midnight UTC for repeatability.
+  # Manual with use-latest-commit=true: current HEAD of main.
+  setup:
+    name: Setup
+    runs-on: ubuntu-${{ vars.UBUNTU_RUNNER_VERSION || '24.04' }}
+    outputs:
+      build-ref: ${{ steps.find-commit.outputs.build-ref }}
+      tag-date: ${{ steps.find-commit.outputs.tag-date }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: main
+
+      - name: Find Build Commit
+        id: find-commit
+        run: |
+          if [[ "${{ inputs.use-latest-commit }}" == "true" ]]; then
+            # Explicit override: use current HEAD of main.
+            # Useful when you want to pick up commits made after midnight.
+            BUILD_REF=$(git rev-parse HEAD)
+            TAG_DATE=$(date -u +%Y%m%d)
+            echo "use-latest-commit=true: building from current HEAD of main: ${BUILD_REF}"
+          else
+            # Default for both scheduled and manual dispatch: use the last commit
+            # at or before midnight UTC. This ensures repeatability — manually
+            # re-running later in the day to investigate a failure gives the same build.
+            MIDNIGHT=$(date -u +"%Y-%m-%dT00:00:00")
+            BUILD_REF=$(git log --before="${MIDNIGHT}" --format="%H" -1)
+            if [[ -z "${BUILD_REF}" ]]; then
+              # No commits before today's midnight — use the absolute last commit.
+              # This handles edge cases (e.g., very new repos) without falling back to
+              # current HEAD which might include post-midnight commits.
+              BUILD_REF=$(git log --format="%H" -1)
+              echo "⚠️ No commit found before ${MIDNIGHT}, using last available commit: ${BUILD_REF}"
+            else
+              echo "Building from commit at midnight UTC (${MIDNIGHT}): ${BUILD_REF}"
+            fi
+            # Tag with yesterday's date: the nightly covers the previous calendar day
+            TAG_DATE=$(date -u -d "yesterday" +%Y%m%d)
+          fi
+          echo "build-ref=${BUILD_REF}" >> "$GITHUB_OUTPUT"
+          echo "tag-date=${TAG_DATE}" >> "$GITHUB_OUTPUT"
+
   # Initialize the nightly build process
   initialize:
     name: Initialize
@@ -64,10 +122,11 @@ jobs:
   # Build job - only runs if no artifacts were found during initialization
   build:
     name: Nightly Build
-    needs: [ initialize ]
+    needs: [ setup, initialize ]
     if: needs.initialize.outputs.found_artifacts == 'false'
     uses: ./.github/workflows/cicd_comp_build-phase.yml
     with:
+      ref: ${{ needs.setup.outputs.build-ref }}
       java-version: ${{ github.event.inputs.java-version || '' }}
       maven-compiler-release: ${{ github.event.inputs.maven-compiler-release || '' }}
       artifact-suffix: ${{ github.event.inputs.artifact-suffix || '' }}
@@ -108,15 +167,16 @@ jobs:
 
   # Deployment job - deploys to the nightly environment
   deployment:
-    needs: [ initialize,build-cli,test ]
+    needs: [ setup, initialize,build-cli,test ]
     if: always() && !failure() && !cancelled()
     uses: ./.github/workflows/cicd_comp_deployment-phase.yml
     with:
       artifact-run-id: ${{ needs.initialize.outputs.artifact-run-id }}
       environment: nightly
+      tag-identifier: ${{ needs.setup.outputs.tag-date }}
+      deploy-cli: true
       deploy-dev-image: true
       publish-npm-cli: ${{ ( github.event_name == 'workflow_dispatch' && inputs.publish-npm-cli == true ) || github.event_name == 'schedule' }}
-      reuse-previous-build: ${{ inputs.reuse-previous-build || false }}
       java-version: ${{ github.event.inputs.java-version || '' }}
       artifact-suffix: ${{ github.event.inputs.artifact-suffix || '' }}
     secrets:
@@ -132,7 +192,7 @@ jobs:
   finalize:
     name: Finalize
     if: always()
-    needs: [ initialize, build, build-cli, test, deployment ]
+    needs: [ setup, initialize, build, build-cli, test, deployment ]
     uses: ./.github/workflows/cicd_comp_finalize-phase.yml
     with:
       artifact-run-id: ${{ needs.initialize.outputs.artifact-run-id }}

.github/workflows/cicd_6-release.yml

@@ -18,6 +18,7 @@
 #
 
 name: '-6 Release Process'
+run-name: "Release ${{ inputs.release_version }}${{ inputs.java-version && format(' [{0}]', inputs.java-version) || '' }}"
 
 on:
   workflow_dispatch:
@@ -116,11 +117,13 @@ jobs:
     if: always() && !failure() && !cancelled()
     uses: ./.github/workflows/cicd_comp_deployment-phase.yml
     with:
-      environment: ${{ needs.release-prepare.outputs.release_version }}
+      environment: 'release'
+      tag-identifier: ${{ needs.release-prepare.outputs.release_version }}
+      omit-environment-prefix: true
       artifact-run-id: ${{ github.run_id }}
       latest: ${{ needs.release-prepare.outputs.is_latest == 'true' }}
+      deploy-cli: true
       deploy-dev-image: true
-      reuse-previous-build: false
       publish-npm-cli: false
       publish-npm-sdk-libs: false
       java-version: ${{ github.event.inputs.java-version }}

.github/workflows/cicd_7-release-java-variant.yml

@@ -28,6 +28,7 @@
 #
 
 name: '-7 Release Java Variant'
+run-name: "Release Java Variant - ${{ github.event_name == 'workflow_dispatch' && inputs.release_branch || github.ref_name }}${{ inputs.java_version && format(' [{0}]', inputs.java_version) || '' }}"
 
 on:
   push:
@@ -40,10 +41,10 @@ on:
         required: true
         type: string
       java_version:
-        description: 'Java version to build (SDKMAN format, e.g., 25.0.1-open)'
-        required: true
+        description: 'Java version to build (SDKMAN format, e.g., 25.0.2-ms). Leave empty to use the RELEASE_JAVA_VARIANT_VERSION repository variable (same as push-triggered builds).'
+        required: false
         type: string
-        default: '25.0.1-open'
+        default: ''
       artifact_suffix:
         description: 'Artifact suffix without leading separator (e.g., java25, java25-ms). Separators added automatically: dash (-) for Maven artifacts, underscore (_) for Docker tags. If not set, derived from java-version major (e.g., java25).'
         required: false
@@ -100,7 +101,7 @@ jobs:
     needs: [ extract-version ]
     uses: ./.github/workflows/cicd_comp_initialize-phase.yml
     with:
-      validation-level: 'none'
+      change-detection: 'disabled'  # Release builds everything - no change detection needed
 
   # Build - standard build phase with Java version override
   build:
@@ -127,7 +128,9 @@ jobs:
     if: always() && !failure() && !cancelled()
     uses: ./.github/workflows/cicd_comp_deployment-phase.yml
     with:
-      environment: ${{ needs.extract-version.outputs.version }}
+      environment: 'release'
+      tag-identifier: ${{ needs.extract-version.outputs.version }}
+      omit-environment-prefix: true
       artifact-run-id: ${{ github.run_id }}
       deploy-dev-image: true
       java-version: ${{ github.event_name == 'workflow_dispatch' && inputs.java_version || vars.RELEASE_JAVA_VARIANT_VERSION }}