fix(ci): [DEFECT] Manual deploy workflow cicd_8manualdeploy (#34689)

[spbolton]

Description

Fix the cicd_8-manual-deploy.yml workflow that was failing with invalid input parameters, and improve CI/CD infrastructure consistency across all workflows: run-name visibility, Docker image tag architecture, nightly build repeatability and tag ordering, and CLI artifact deployment control.

Changes

Bug Fixes (cicd_8 manual deploy)

• Fix invalid inputs: use change-detection='disabled' instead of the invalid validation-level='none'
• Make ref input optional: defaults to the dispatch branch, preserving legacy behavior and fixing the concurrency group fallback when ref is empty

Run-Name Improvements (all workflows)

• Add run-name to all CI/CD workflows (cicd_1 through cicd_8) so every run is identifiable in the GitHub Actions UI without opening it
• Fix expression syntax: switch run-name YAML strings from single-quoted to double-quoted so that GitHub Actions expression parser receives properly single-quoted string literals inside ${{ }} — fixes Unexpected symbol: '"' in expression validation error (cicd_3, cicd_4, cicd_6, cicd_7, cicd_8)
• Always show ref in manual deploy run-name: fall back to github.ref_name when the ref input is empty, so the run name is always Manual [branch-name] rather than just Manual

Nightly Build Repeatability (cicd_4)

• New setup job that determines the commit to build from before any other jobs run
• Default behavior (scheduled and manual dispatch): finds the last commit on main at or before midnight UTC. This ensures repeatability — re-running a nightly later in the day to investigate a failure produces the exact same build as the scheduled run. The date tag (nightly_YYYYMMDD) labels the day covered (yesterday), not the day the workflow runs.
• New use-latest-commit dispatch input: set to true to build from the current HEAD of main instead, useful when you need to pick up commits made after midnight
• All downstream jobs (build, deployment, finalize) now depend on setup and pass through its build-ref and tag-date outputs

Docker Image Tag Architecture (nightly + all builds)

• Redesign tag inputs on deploy-docker action: replace raw type=raw,value=...,enable= format strings with semantic identifier-tag / custom-tag inputs — callers express intent, not bake-meta syntax
• Centralize tag computation: Compute Docker Tags step consolidates all tag logic in clear bash if/else, replacing the previous Compute Docker Base Tag + scattered enable= expressions
• Fix tag ordering: identifier appears before suffix (nightly_20250218_java25, not nightly_java25_20250218), consistent with the release pattern
• Retain extra-tags as an escape hatch for advanced cases

CLI Artifact Deployment Control

• Add deploy-cli boolean input to the deployment phase composite workflow (default: false); replaces the previous hardcoded environment != 'manual' name check
• Explicit opt-in pattern: trunk, nightly, and release callers set deploy-cli: true; manual deploys omit it and default to false, preventing accidental JFrog publishes from feature-branch builds — mirrors the same pattern used by publish-npm-cli and publish-npm-sdk-libs
• Restore publish-npm-sdk-libs condition to input-only guard (environment hardcoding removed)

Miscellaneous

• Remove dead code: reuse-previous-build removed from all deployment-phase calls (only meaningful in the initialize phase)
• Remove stale java_version default from cicd_7-release-java-variant dispatch input ('25.0.1-open' was outdated); update description to reference the RELEASE_JAVA_VARIANT_VERSION repository variable used by push-triggered builds

Files Changed

File	What changed
.github/actions/core-cicd/deployment/deploy-docker/action.yml	New identifier-tag/custom-tag inputs; centralized tag computation
.github/workflows/cicd_1-pr.yml	Add run-name
.github/workflows/cicd_2-merge-queue.yml	Add run-name
.github/workflows/cicd_3-trunk.yml	Add run-name (fixed quotes); add deploy-cli: true
.github/workflows/cicd_4-nightly.yml	Add setup job for commit pinning; add use-latest-commit input; add run-name (fixed quotes); fix tag ordering; add deploy-cli: true
.github/workflows/cicd_6-release.yml	Fix run-name quotes; add deploy-cli: true
.github/workflows/cicd_7-release-java-variant.yml	Fix run-name quotes; remove stale java_version default
.github/workflows/cicd_8-manual-deploy.yml	Fix invalid inputs; make ref optional; fix run-name always shows ref
.github/workflows/cicd_comp_deployment-phase.yml	Add deploy-cli input; replace env-name guard with input guard
.github/workflows/cicd_comp_initialize-phase.yml	Minor cleanup

Testing

• Workflow YAML validates on push (GitHub Actions schema validation)
• Manual deploy workflow (cicd_8) can be triggered successfully end-to-end
• Docker tags produced with correct naming pattern and ordering
• run-name displays correctly in GitHub Actions UI for all workflow types
• CLI artifacts are not published when running manual/feature-branch builds
• Nightly default behavior pins to the midnight UTC commit, not current HEAD

Closes #34689

Issue: [DEFECT] Manual deploy workflow cicd_8manualdeploy

[alwaysmeticulous]

🤖 No test run has been triggered as your Meticulous project has been deactivated (since you haven't viewed any test results in a while). Click here to reactivate.

_{Last updated for commit 3d5369b. This comment will update as new commits are pushed.}

[spbolton]

The changes to the manual workflow could be tested by selecting this branch as the workflow branch. It ran here and created an image with the expected tags. https://github.com/dotCMS/core/actions/runs/22202349916

The summary now provides additional information on the process:

[spbolton]

QA Steps

These steps are for anyone currently using the Build/Push dotCMS docker image workflow to build feature branches — in particular if you have been building issue-33882-primeng-update with a custom tag of modernization.

---

Background — what changed

The old workflow used the "Use workflow from" dropdown to do two things at once: select the version of the workflow code itself, and select the branch to build. Most of the time this was fine because they were the same thing.

The new -8 Manual Deploy workflow keeps these separate. There is now a dedicated "Branch, tag, or commit SHA to build" field for the branch you actually want to build. If you leave it empty it falls back to whichever branch you selected in the dropdown — so the default behaviour is identical to before.

---

Testing now (before this PR is merged to main)

Go to Actions → -8 Manual Deploy and set the following:

Field	Value
Use workflow from	issue-34689-defect-manual-deploy-workflow-cicd8-manual
Branch, tag, or commit SHA to build	issue-33882-primeng-update
Custom Docker Image Tag	modernization (or leave empty — see below)

Leave all other fields at their defaults.

---

After this PR is merged to main

The recommended approach — always works regardless of what is in your own branch:

Field	Value
Use workflow from	main
Branch, tag, or commit SHA to build	issue-33882-primeng-update
Custom Docker Image Tag	modernization (optional)

Alternatively, if you have merged the latest workflow changes from main into your branch, you can select issue-33882-primeng-update directly from the "Use workflow from" dropdown and leave "Branch, tag, or commit SHA to build" blank — exactly as you did before. If you have not merged those changes, use main in the dropdown and set the build field explicitly, otherwise you will be running an older version of the workflow from your branch.

---

Automatic tags — you don't always need a Custom Docker Image Tag

Every build automatically creates three tags without you needing to set anything:

• dotcms/dotcms:manual — always points to the most recent manual build
• dotcms/dotcms:manual_{sha} — immutable, permanent record of this exact build
• dotcms/dotcms:manual_issue-33882-primeng-update — rebuilt each time you build that branch

The branch-derived tag means your image is always findable by branch name.

Custom Docker Image Tag is for when you want a short, stable, hand-off-friendly name like modernization that others can reference without knowing your branch name. It adds one extra alias — it does not replace any of the automatic tags.

---

Done?

Once you have successfully triggered the workflow and confirmed the image is available (e.g. docker pull dotcms/dotcms:modernization or docker pull dotcms/dotcms:manual_issue-33882-primeng-update), please approve this PR.