fix(ci): fix manual deploy invalid inputs and improve CI/CD tag architecture (#34689)

- Fix cicd_8-manual-deploy: use change-detection='disabled' instead of
  invalid validation-level='none'; make ref input optional (defaults to
  dispatch branch, preserving legacy behavior)
- Redesign Docker tag architecture: add semantic identifier-tag/custom-tag
  inputs to deploy-docker action, replacing raw type=raw,value=...,enable=
  format strings passed from callers
- Centralize tag computation in Compute Docker Tags step (replaces
  Compute Docker Base Tag + raw extra-tags); identifier alias logic is
  now clear bash if/else instead of enable= expressions in format strings
- extra-tags retained as escape hatch for advanced cases
- Fix tag ordering: identifier before suffix (nightly_20250218_java25,
  not nightly_java25_20250218), consistent with release pattern
- Remove dead code: reuse-previous-build from deployment phase calls
  (only meaningful in initialize phase)
- Add run-name to all CI/CD workflows (cicd_1 through cicd_8) for better
  identification in GitHub Actions UI; uses format() now confirmed available
- Fix cicd_8 concurrency group to use fallback when ref input is empty

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: spbolton

.github/actions/core-cicd/deployment/deploy-docker/action.yml

@@ -22,8 +22,9 @@ inputs:
     description: 'The commit id that triggered the build'
     required: true
   ref:
-    description: 'The branch or type of build to tag the image with'
-    required: true
+    description: 'The branch or type of build to tag the image with. Only used when docker-use-ref is true; when docker-use-ref is false the version input drives all tags and this is ignored.'
+    required: false
+    default: ''
   docker-use-ref:
     description: 'The branch or type of build to tag the image with'
     required: false
@@ -65,6 +66,18 @@ inputs:
     description: 'Pull image before building'
     required: false
     default: 'false'
+  identifier-tag:
+    description: 'Optional mutable alias tag managed by the deployment phase (e.g., nightly_20250218_java25, manual_issue-123_java25). Applied when non-empty.'
+    required: false
+    default: ''
+  custom-tag:
+    description: 'Optional custom alias tag chosen by the developer (e.g., modernization, java25-testing). Applied when non-empty.'
+    required: false
+    default: ''
+  extra-tags:
+    description: 'Escape hatch: additional tags in docker/metadata-action format (type=raw,value=...), one per line. Use for cases not covered by identifier-tag or custom-tag.'
+    required: false
+    default: ''
 outputs:
   tags:
     description: "The tags that were used to build the image"
@@ -104,6 +117,9 @@ runs:
         REF: ${{ inputs.ref }}
         USE_REF: ${{ inputs.docker-use-ref }}
         VERSION: ${{ inputs.version }}
+        IDENTIFIER_TAG: ${{ inputs.identifier-tag }}
+        CUSTOM_TAG: ${{ inputs.custom-tag }}
+        EXTRA_TAGS: ${{ inputs.extra-tags }}
       run: |
         
         # Set defaults for flags
@@ -137,6 +153,13 @@ runs:
           echo "type=raw,value=${RESULT}_{{sha}},enable=true" >> $GITHUB_ENV
           echo "type=raw,value=${RESULT},enable=true" >> $GITHUB_ENV
           echo "type=raw,value=latest,enable=${enable_latest}" >> $GITHUB_ENV
+          [[ -n "${IDENTIFIER_TAG}" ]] && echo "type=raw,value=${IDENTIFIER_TAG},enable=true" >> $GITHUB_ENV
+          [[ -n "${CUSTOM_TAG}" ]] && echo "type=raw,value=${CUSTOM_TAG},enable=true" >> $GITHUB_ENV
+          if [[ -n "${EXTRA_TAGS}" ]]; then
+            while IFS= read -r tag_line; do
+              [[ -n "${tag_line}" ]] && echo "${tag_line}" >> $GITHUB_ENV
+            done <<< "${EXTRA_TAGS}"
+          fi
         echo "EOF" >> $GITHUB_ENV
     - name: Docker.io login
       uses: docker/login-action@v3.0.0

.github/workflows/cicd_1-pr.yml

@@ -20,6 +20,7 @@
 
 
 name: '-1 PR Check'
+run-name: 'PR #${{ github.event.pull_request.number }}: ${{ github.event.pull_request.title }} (@${{ github.event.pull_request.user.login }})'
 
 on:
   pull_request:

.github/workflows/cicd_2-merge-queue.yml

@@ -1,4 +1,5 @@
 name: '-2 Merge Group Check'
+run-name: 'MQ: ${{ github.event.merge_group.head_commit.message }}'
 on:
   merge_group:
     types: [ checks_requested ]

.github/workflows/cicd_3-trunk.yml

@@ -11,6 +11,7 @@
 # - Final reporting of the workflow status
 
 name: '-3 Trunk Workflow'
+run-name: 'Trunk${{ inputs.java-version && format(" [{0}]", inputs.java-version) || "" }}'
 
 on:
   push:
@@ -131,6 +132,7 @@ jobs:
       artifact-run-id: ${{ needs.initialize.outputs.artifact-run-id }}
       publish-npm-sdk-libs: ${{ fromJSON(needs.initialize.outputs.filters).sdk_libs == 'true' && github.event_name != 'workflow_dispatch' }}
       environment: trunk
+      # tag-identifier intentionally omitted: trunk uses only the environment name as its tag
       java-version: ${{ github.event.inputs.java-version || '' }}
       artifact-suffix: ${{ github.event.inputs.artifact-suffix || '' }}
     secrets:

.github/workflows/cicd_4-nightly.yml

@@ -10,8 +10,17 @@
 # - Optional NPM package publishing
 # - Deployment to the nightly environment
 # - Final reporting of the workflow status
+#
+# Commit pinning:
+# - Default (both scheduled and manual dispatch): builds from the last commit on main
+#   at or before midnight UTC. This ensures repeatability — manually re-running the
+#   nightly later in the day to investigate a failure produces the same build.
+#   The date tag (nightly_YYYYMMDD) correctly labels the day covered, not the run day.
+# - Manual dispatch with use-latest-commit=true: builds from current HEAD of main,
+#   useful when you want to pick up commits made after midnight.
 
 name: '-4 Nightly Workflow'
+run-name: 'Nightly${{ inputs.use-latest-commit && " (HEAD)" || "" }}${{ inputs.java-version && format(" [{0}]", inputs.java-version) || "" }}'
 
 on:
   schedule:
@@ -49,8 +58,57 @@ on:
         type: string
         required: false
         default: ''
+      use-latest-commit:
+        description: 'Use current HEAD of main instead of the midnight UTC commit. Set to true when you want to pick up commits made after midnight rather than reproduce the scheduled run.'
+        type: boolean
+        default: false
 
 jobs:
+  # Setup job - determines the commit to build from.
+  # Default (scheduled and manual): last commit on main at or before midnight UTC for repeatability.
+  # Manual with use-latest-commit=true: current HEAD of main.
+  setup:
+    name: Setup
+    runs-on: ubuntu-${{ vars.UBUNTU_RUNNER_VERSION || '24.04' }}
+    outputs:
+      build-ref: ${{ steps.find-commit.outputs.build-ref }}
+      tag-date: ${{ steps.find-commit.outputs.tag-date }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: main
+
+      - name: Find Build Commit
+        id: find-commit
+        run: |
+          if [[ "${{ inputs.use-latest-commit }}" == "true" ]]; then
+            # Explicit override: use current HEAD of main.
+            # Useful when you want to pick up commits made after midnight.
+            BUILD_REF=$(git rev-parse HEAD)
+            TAG_DATE=$(date -u +%Y%m%d)
+            echo "use-latest-commit=true: building from current HEAD of main: ${BUILD_REF}"
+          else
+            # Default for both scheduled and manual dispatch: use the last commit
+            # at or before midnight UTC. This ensures repeatability — manually
+            # re-running later in the day to investigate a failure gives the same build.
+            MIDNIGHT=$(date -u +"%Y-%m-%dT00:00:00")
+            BUILD_REF=$(git log --before="${MIDNIGHT}" --format="%H" -1)
+            if [[ -z "${BUILD_REF}" ]]; then
+              # No commits before today's midnight — use the absolute last commit.
+              # This handles edge cases (e.g., very new repos) without falling back to
+              # current HEAD which might include post-midnight commits.
+              BUILD_REF=$(git log --format="%H" -1)
+              echo "⚠️ No commit found before ${MIDNIGHT}, using last available commit: ${BUILD_REF}"
+            else
+              echo "Building from commit at midnight UTC (${MIDNIGHT}): ${BUILD_REF}"
+            fi
+            # Tag with yesterday's date: the nightly covers the previous calendar day
+            TAG_DATE=$(date -u -d "yesterday" +%Y%m%d)
+          fi
+          echo "build-ref=${BUILD_REF}" >> "$GITHUB_OUTPUT"
+          echo "tag-date=${TAG_DATE}" >> "$GITHUB_OUTPUT"
+
   # Initialize the nightly build process
   initialize:
     name: Initialize
@@ -64,10 +122,11 @@ jobs:
   # Build job - only runs if no artifacts were found during initialization
   build:
     name: Nightly Build
-    needs: [ initialize ]
+    needs: [ setup, initialize ]
     if: needs.initialize.outputs.found_artifacts == 'false'
     uses: ./.github/workflows/cicd_comp_build-phase.yml
     with:
+      ref: ${{ needs.setup.outputs.build-ref }}
       java-version: ${{ github.event.inputs.java-version || '' }}
       maven-compiler-release: ${{ github.event.inputs.maven-compiler-release || '' }}
       artifact-suffix: ${{ github.event.inputs.artifact-suffix || '' }}
@@ -108,15 +167,15 @@ jobs:
 
   # Deployment job - deploys to the nightly environment
   deployment:
-    needs: [ initialize,build-cli,test ]
+    needs: [ setup, initialize,build-cli,test ]
     if: always() && !failure() && !cancelled()
     uses: ./.github/workflows/cicd_comp_deployment-phase.yml
     with:
       artifact-run-id: ${{ needs.initialize.outputs.artifact-run-id }}
       environment: nightly
+      tag-identifier: ${{ needs.setup.outputs.tag-date }}
       deploy-dev-image: true
       publish-npm-cli: ${{ ( github.event_name == 'workflow_dispatch' && inputs.publish-npm-cli == true ) || github.event_name == 'schedule' }}
-      reuse-previous-build: ${{ inputs.reuse-previous-build || false }}
       java-version: ${{ github.event.inputs.java-version || '' }}
       artifact-suffix: ${{ github.event.inputs.artifact-suffix || '' }}
     secrets:
@@ -132,7 +191,7 @@ jobs:
   finalize:
     name: Finalize
     if: always()
-    needs: [ initialize, build, build-cli, test, deployment ]
+    needs: [ setup, initialize, build, build-cli, test, deployment ]
     uses: ./.github/workflows/cicd_comp_finalize-phase.yml
     with:
       artifact-run-id: ${{ needs.initialize.outputs.artifact-run-id }}

.github/workflows/cicd_6-release.yml

@@ -18,6 +18,7 @@
 #
 
 name: '-6 Release Process'
+run-name: 'Release ${{ inputs.release_version }}${{ inputs.java-version && format(" [{0}]", inputs.java-version) || "" }}'
 
 on:
   workflow_dispatch:
@@ -116,11 +117,12 @@ jobs:
     if: always() && !failure() && !cancelled()
     uses: ./.github/workflows/cicd_comp_deployment-phase.yml
     with:
-      environment: ${{ needs.release-prepare.outputs.release_version }}
+      environment: 'release'
+      tag-identifier: ${{ needs.release-prepare.outputs.release_version }}
+      omit-environment-prefix: true
       artifact-run-id: ${{ github.run_id }}
       latest: ${{ needs.release-prepare.outputs.is_latest == 'true' }}
       deploy-dev-image: true
-      reuse-previous-build: false
       publish-npm-cli: false
       publish-npm-sdk-libs: false
       java-version: ${{ github.event.inputs.java-version }}

.github/workflows/cicd_7-release-java-variant.yml

@@ -28,6 +28,7 @@
 #
 
 name: '-7 Release Java Variant'
+run-name: 'Release Java Variant - ${{ github.event_name == ''workflow_dispatch'' && inputs.release_branch || github.ref_name }}${{ inputs.java_version && format(" [{0}]", inputs.java_version) || "" }}'
 
 on:
   push:
@@ -100,7 +101,7 @@ jobs:
     needs: [ extract-version ]
     uses: ./.github/workflows/cicd_comp_initialize-phase.yml
     with:
-      validation-level: 'none'
+      change-detection: 'disabled'  # Release builds everything - no change detection needed
 
   # Build - standard build phase with Java version override
   build:
@@ -127,7 +128,9 @@ jobs:
     if: always() && !failure() && !cancelled()
     uses: ./.github/workflows/cicd_comp_deployment-phase.yml
     with:
-      environment: ${{ needs.extract-version.outputs.version }}
+      environment: 'release'
+      tag-identifier: ${{ needs.extract-version.outputs.version }}
+      omit-environment-prefix: true
       artifact-run-id: ${{ github.run_id }}
       deploy-dev-image: true
       java-version: ${{ github.event_name == 'workflow_dispatch' && inputs.java_version || vars.RELEASE_JAVA_VARIANT_VERSION }}