Fix docker build workflow tagging and scanning

.github/workflows/docker-build-publish.yml

@@ -14,10 +14,6 @@ on:
         required: true
         type: string
 
-      default_branch:
-        required: true
-        type: string
-
       build_args:
         required: false
         type: string
@@ -44,15 +40,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Determine branch context
-        id: branch
-        run: |
-          if [ "${{ github.ref_name }}" = "${{ inputs.default_branch }}" ]; then
-            echo "is_default=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "is_default=false" >> "$GITHUB_OUTPUT"
-          fi
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -84,17 +71,18 @@ jobs:
             CONTEXT=$(echo "$img" | jq -r '.context')
             DOCKERFILE=$(echo "$img" | jq -r '.dockerfile')
             TARGET=$(echo "$img" | jq -r '.target')
-            RAW_REF_NAME="${{ github.ref_name }}"
-            SAFE_REF_NAME=$(echo "$RAW_REF_NAME" | sed -E 's#[^A-Za-z0-9_.-]#-#g')
+            RAW_REF="${{ github.ref }}"
+            SHA_FULL="${{ github.sha }}"
+            SHA_SHORT="${SHA_FULL:0:12}"
 
             echo "==== Building $FULL_IMAGE ===="
 
             TAGS=()
-            TAGS+=("$FULL_IMAGE:$SAFE_REF_NAME")
-            TAGS+=("$FULL_IMAGE:${{ github.sha }}")
-
-            if [ "${{ steps.branch.outputs.is_default }}" = "true" ]; then
-              TAGS+=("$FULL_IMAGE:latest")
+            TAGS+=("$FULL_IMAGE:sha-$SHA_SHORT")
+            if [[ "$RAW_REF" =~ ^refs/tags/v([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+              TAGS+=("$FULL_IMAGE:v${BASH_REMATCH[1]}.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}")
+              TAGS+=("$FULL_IMAGE:v${BASH_REMATCH[1]}.${BASH_REMATCH[2]}")
+              TAGS+=("$FULL_IMAGE:v${BASH_REMATCH[1]}")
             fi
 
             TAG_ARGS=$(printf -- "--tag %s " "${TAGS[@]}")