From 8a1f9792ad83d3cf1c122033e90fbfd290d22bca Mon Sep 17 00:00:00 2001 From: Drew Newberry Date: Thu, 7 May 2026 07:54:19 -0700 Subject: [PATCH] fix(ci): pin tag release reusable workflows --- .github/workflows/docker-build.yml | 7 ++++++ .github/workflows/e2e-test.yml | 7 ++++++ .github/workflows/release-tag.yml | 24 ++++++++++++++----- .../workflows/shadow-rust-native-build.yml | 11 +++++++++ 4 files changed, 43 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 3b3aa1cb8..7cc1a90c6 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -37,6 +37,11 @@ on: required: false type: string default: "" + checkout-ref: + description: "Git ref to check out for build inputs (defaults to the workflow SHA)" + required: false + type: string + default: "" env: MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -150,6 +155,7 @@ jobs: component: ${{ needs.resolve.outputs.binary_component }} arch: ${{ matrix.arch }} cargo-version: ${{ inputs['cargo-version'] }} + checkout-ref: ${{ inputs['checkout-ref'] }} features: openshell-core/dev-settings artifact-name: ${{ needs.resolve.outputs.artifact_prefix }}-linux-${{ matrix.arch }} secrets: inherit @@ -181,6 +187,7 @@ jobs: steps: - uses: actions/checkout@v6 with: + ref: ${{ inputs['checkout-ref'] || github.sha }} fetch-depth: 0 - name: Mark workspace safe for git diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml index e8e03799e..db8010d0f 100644 --- a/.github/workflows/e2e-test.yml +++ b/.github/workflows/e2e-test.yml @@ -12,6 +12,11 @@ on: required: false type: string default: "linux-amd64-cpu8" + checkout-ref: + description: "Git ref to check out for test inputs (defaults to the workflow SHA)" + required: false + type: string + default: "" permissions: contents: read 
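Review bot: The new `checkout-ref` input for docker-build.yml is described only as "defaults to the workflow SHA", but nothing tells callers that a branch or tag name passed here is resolved afresh by every job that checks it out, so two jobs in one caller run can build from different commits if the ref moves between them. Given that release-tag.yml now tags the resulting images with a commit it resolved up front, the description should steer callers toward passing that commit: `description: "Git ref to check out for build inputs; pass a full commit SHA for reproducible builds (defaults to the workflow SHA)"`. The empty `default: ""` is fine only because each consumer applies `|| github.sha` at the checkout step rather than here, which is worth a one-line comment next to the input so the fallback is not dropped when the next job copies the pattern.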
@@ -54,6 +59,8 @@ jobs: OPENSHELL_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} steps: - uses: actions/checkout@v6 + with: + ref: ${{ inputs['checkout-ref'] || github.sha }} - name: Install OS test dependencies if: matrix.apt_packages != '' diff --git a/.github/workflows/release-tag.yml b/.github/workflows/release-tag.yml index 8a3aa7ae5..d95bb555d 100644 --- a/.github/workflows/release-tag.yml +++ b/.github/workflows/release-tag.yml @@ -45,6 +45,8 @@ jobs: rpm_release: ${{ steps.v.outputs.rpm_release }} # Semver without 'v' prefix (e.g. 0.6.0), used for image tags and release body semver: ${{ steps.v.outputs.semver }} + # Commit resolved from RELEASE_TAG, used for image tags and downstream metadata + source_sha: ${{ steps.v.outputs.source_sha }} steps: - uses: actions/checkout@v6 with: @@ -67,6 +69,7 @@ jobs: echo "rpm_version=$(uv run python tasks/scripts/release.py get-version --rpm-version)" >> "$GITHUB_OUTPUT" echo "rpm_release=$(uv run python tasks/scripts/release.py get-version --rpm-release)" >> "$GITHUB_OUTPUT" echo "semver=${RELEASE_TAG#v}" >> "$GITHUB_OUTPUT" + echo "source_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" build-gateway: needs: [compute-versions] @@ -74,6 +77,8 @@ jobs: with: component: gateway cargo-version: ${{ needs.compute-versions.outputs.cargo_version }} + image-tag: ${{ needs.compute-versions.outputs.source_sha }} + checkout-ref: ${{ inputs.tag || github.ref }} build-supervisor: needs: [compute-versions] @@ -81,6 +86,8 @@ jobs: with: component: supervisor cargo-version: ${{ needs.compute-versions.outputs.cargo_version }} + image-tag: ${{ needs.compute-versions.outputs.source_sha }} + checkout-ref: ${{ inputs.tag || github.ref }} build-cluster: needs: [compute-versions] 
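Review bot: `echo "source_sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"` records whatever the substitution produces, and a failing `git rev-parse` inside an `echo` argument does not abort the step even under `set -e`, so a bad checkout yields an empty `source_sha` that every consumer quietly turns into `github.sha` via `||` while `image-tag` becomes the empty string. Resolve into a variable and fail the job when it is not a commit: `source_sha="$(git rev-parse --verify HEAD^{commit})"`, then `[[ "$source_sha" =~ ^[0-9a-f]{40}$ ]] || exit 1`, then the existing echo. The `run:` block this line belongs to, and the checkout that precedes it, start outside the hunk, so whether `set -euo pipefail` is in effect here cannot be seen.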
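Review bot: `checkout-ref: ${{ inputs.tag || github.ref }}` on build-gateway makes the reusable workflow resolve the tag a second time, while the `image-tag` passed alongside it is the commit that compute-versions resolved from that same tag earlier, so the image published under `source_sha` is only built from `source_sha` if nobody moves the tag between the two jobs. Pin the build to the already-resolved commit instead, `checkout-ref: ${{ needs.compute-versions.outputs.source_sha }}`, and do the same on build-supervisor, build-cluster and e2e, which carry the identical pair of inputs. `inputs.tag` presumably comes from a `workflow_dispatch` input defined outside the hunk; if so, pinning to `source_sha` covers manual releases as well without any further change.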
@@ -88,12 +95,15 @@ jobs: with: component: cluster cargo-version: ${{ needs.compute-versions.outputs.cargo_version }} + image-tag: ${{ needs.compute-versions.outputs.source_sha }} + checkout-ref: ${{ inputs.tag || github.ref }} e2e: - needs: [build-gateway, build-supervisor, build-cluster] + needs: [compute-versions, build-gateway, build-supervisor, build-cluster] uses: ./.github/workflows/e2e-test.yml with: - image-tag: ${{ github.sha }} + image-tag: ${{ needs.compute-versions.outputs.source_sha }} + checkout-ref: ${{ inputs.tag || github.ref }} runner: linux-arm64-cpu8 tag-ghcr-release: @@ -110,16 +120,17 @@ jobs: set -euo pipefail REGISTRY="ghcr.io/nvidia/openshell" VERSION="${{ needs.compute-versions.outputs.semver }}" + SOURCE_TAG="${{ needs.compute-versions.outputs.source_sha }}" for component in gateway supervisor cluster; do - echo "Tagging ${REGISTRY}/${component}:${{ github.sha }} as ${VERSION} and latest..." + echo "Tagging ${REGISTRY}/${component}:${SOURCE_TAG} as ${VERSION} and latest..." docker buildx imagetools create \ --prefer-index=false \ -t "${REGISTRY}/${component}:${VERSION}" \ - "${REGISTRY}/${component}:${{ github.sha }}" + "${REGISTRY}/${component}:${SOURCE_TAG}" docker buildx imagetools create \ --prefer-index=false \ -t "${REGISTRY}/${component}:latest" \ - "${REGISTRY}/${component}:${{ github.sha }}" + "${REGISTRY}/${component}:${SOURCE_TAG}" done build-python-wheels-linux: @@ -918,6 +929,7 @@ jobs: env: GITLAB_CI_TRIGGER_TOKEN: ${{ secrets.GITLAB_CI_TRIGGER_TOKEN }} GITLAB_CI_TRIGGER_URL: ${{ secrets.GITLAB_CI_TRIGGER_URL }} + COMMIT_SHA: ${{ needs.compute-versions.outputs.source_sha }} RELEASE_VERSION: ${{ needs.compute-versions.outputs.python_version }} RELEASE_TAG: ${{ env.RELEASE_TAG }} WHEEL_FILENAMES: ${{ needs.release.outputs.wheel_filenames }} 
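Review bot: `SOURCE_TAG="${{ needs.compute-versions.outputs.source_sha }}"` splices a job output straight into the shell script in tag-ghcr-release; the value is hex today because it comes from `git rev-parse`, but job outputs belong in `env:` and should be read as `"$SOURCE_TAG"` so a change upstream can never become script. Because this step promotes `:${SOURCE_TAG}` to `:${VERSION}` and `:latest`, it should also refuse anything that is not a commit SHA before the loop, `[[ "$SOURCE_TAG" =~ ^[0-9a-f]{40}$ ]] || { echo "invalid source_sha: '$SOURCE_TAG'" >&2; exit 1; }`, rather than letting an empty output hand `imagetools create` a bare `:` reference that fails late with a less obvious error. `VERSION="${{ ... }}"` two lines up has the same inline-expression shape but predates this change.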
@@ -936,7 +948,7 @@ jobs: -F "ref=main" \ -F "variables[PIPELINE_ACTION]=publish_wheels" \ -F "variables[GITHUB_REPOSITORY]=${GITHUB_REPOSITORY}" \ - -F "variables[COMMIT_SHA]=${GITHUB_SHA}" \ + -F "variables[COMMIT_SHA]=${COMMIT_SHA}" \ -F "variables[RELEASE_TAG]=${RELEASE_TAG}" \ -F "variables[RELEASE_VERSION]=${RELEASE_VERSION}" \ -F "variables[RELEASE_KIND]=stable" \ diff --git a/.github/workflows/shadow-rust-native-build.yml b/.github/workflows/shadow-rust-native-build.yml index 245167a52..b943a1ddb 100644 --- a/.github/workflows/shadow-rust-native-build.yml +++ b/.github/workflows/shadow-rust-native-build.yml @@ -37,6 +37,11 @@ on: required: false type: string default: "" + checkout-ref: + description: "Git ref to check out for build inputs (defaults to the workflow SHA)" + required: false + type: string + default: "" workflow_dispatch: inputs: component: @@ -75,6 +80,11 @@ on: required: false type: string default: "" + checkout-ref: + description: "Git ref to check out for build inputs (defaults to the workflow SHA)" + required: false + type: string + default: "" permissions: contents: read @@ -113,6 +123,7 @@ jobs: steps: - uses: actions/checkout@v6 with: + ref: ${{ inputs['checkout-ref'] || github.sha }} fetch-depth: 0 - name: Mark workspace safe for git