feat: Add manual workflow dispatch for Docker builds to fix GHCR access (#55)

* feat: Add manual workflow dispatch for Docker builds

Adds workflow_dispatch trigger to the publish workflow to enable
manual Docker image builds to both Docker Hub and GHCR without
requiring a new release.

This addresses issue #48 where users cannot pull from ghcr.io
because Docker images weren't built for recent releases.

Features:
- Manual trigger with tag input (e.g., v1.0.1)
- Docker-only mode to skip PyPI publishing
- Proper ref checkout for tagged versions
- Maintains backward compatibility with release events

Usage: Workflow can be manually triggered from GitHub Actions UI
to rebuild Docker images for any existing git tag.

Fixes #48

* fix: Address critical security and logic issues in workflow

Fixes all issues identified in Claude Code review:

🚨 Critical Fixes:
1. Remove redundant condition in deploy-prod job
   - Was checking github.event_name == 'release' twice
   - Simplified to: !inputs.docker_only

2. Fix Docker job condition logic
   - Removed flawed always() + needs dependency
   - Now runs independently for release or manual triggers
   - Docker builds don't require PyPI deployment success

🔐 Security Improvements:
3. Add tag format validation
   - Validates semver format: v1.2.3 or v1.2.3-alpha
   - Prevents arbitrary git ref injection

4. Add tag existence verification
   - Verifies tag exists before building
   - Provides clear error messages

🔧 Best Practice Improvements:
5. Normalize tag value extraction
   - Creates normalized tag output for metadata
   - Handles both release and manual trigger sources

6. Remove needs dependency from docker job
   - Docker builds are independent of PyPI
   - Allows manual Docker-only builds without test deploy

All changes maintain backward compatibility with release events
while enabling secure manual Docker builds.

Author: jamesbrink

.github/workflows/publish.yml

@@ -3,6 +3,17 @@ name: Publish Package
 on:
   release:
     types: [published]
+  workflow_dispatch:
+    inputs:
+      docker_only:
+        description: 'Build and push Docker images only (skip PyPI)'
+        required: false
+        type: boolean
+        default: true
+      tag:
+        description: 'Git tag to build from (e.g., v1.0.1)'
+        required: true
+        type: string
 
 permissions:
   contents: read
@@ -11,12 +22,16 @@ permissions:
 jobs:
   deploy-test:
     runs-on: ubuntu-latest
+    # Skip PyPI deployment when manually triggered with docker_only
+    if: ${{ github.event_name == 'release' || !inputs.docker_only }}
     environment: testpypi
     permissions:
       id-token: write
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.tag || github.ref }}
 
     - name: Install Nix
       uses: cachix/install-nix-action@v31
@@ -39,14 +54,16 @@ jobs:
   deploy-prod:
     needs: deploy-test
     runs-on: ubuntu-latest
-    # Only deploy to PyPI for non-prerelease versions
-    if: ${{ !github.event.release.prerelease }}
+    # Only deploy to PyPI for non-prerelease versions and skip when manually triggered with docker_only
+    if: ${{ github.event_name == 'release' && !github.event.release.prerelease && !inputs.docker_only }}
     environment: pypi
     permissions:
       id-token: write
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        ref: ${{ inputs.tag || github.ref }}
 
     - name: Install Nix
       uses: cachix/install-nix-action@v31
@@ -65,14 +82,44 @@ jobs:
       uses: pypa/gh-action-pypi-publish@release/v1
 
   docker:
-    needs: deploy-test
+    # Run if: (1) release event after test deploy, or (2) manual trigger
+    # Note: Docker builds are independent and don't strictly require PyPI deployment
+    if: ${{ github.event_name == 'release' || github.event_name == 'workflow_dispatch' }}
     runs-on: ubuntu-latest
     permissions:
       packages: write
-    
+
     steps:
     - uses: actions/checkout@v4
-    
+      with:
+        ref: ${{ inputs.tag || github.ref }}
+
+    - name: Validate tag format
+      if: github.event_name == 'workflow_dispatch'
+      run: |
+        if [[ ! "${{ inputs.tag }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9\-\.]+)?$ ]]; then
+          echo "❌ Invalid tag format. Expected: v1.2.3 or v1.2.3-alpha"
+          exit 1
+        fi
+
+    - name: Verify tag exists
+      if: github.event_name == 'workflow_dispatch'
+      run: |
+        if ! git rev-parse --verify "refs/tags/${{ inputs.tag }}" >/dev/null 2>&1; then
+          echo "❌ Tag ${{ inputs.tag }} does not exist"
+          exit 1
+        fi
+        echo "✓ Tag ${{ inputs.tag }} verified"
+
+    - name: Normalize tag
+      id: tag
+      run: |
+        if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+          echo "tag=${{ inputs.tag }}" >> $GITHUB_OUTPUT
+        else
+          echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+        fi
+
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
 
@@ -84,7 +131,7 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
-    
+
     - name: Login to GitHub Container Registry
       uses: docker/login-action@v3
       with:
@@ -100,14 +147,14 @@ jobs:
           utensils/mcp-nixos
           ghcr.io/utensils/mcp-nixos
         tags: |
-          # Latest tag for stable releases
-          type=raw,value=latest,enable=${{ !github.event.release.prerelease }}
-          # Version tag from release
-          type=semver,pattern={{version}}
+          # Latest tag for stable releases (not for prereleases)
+          type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease || github.event_name == 'workflow_dispatch' }}
+          # Version tag from release or manual input
+          type=semver,pattern={{version}},value=${{ steps.tag.outputs.tag }}
           # Major.minor tag
-          type=semver,pattern={{major}}.{{minor}}
+          type=semver,pattern={{major}}.{{minor}},value=${{ steps.tag.outputs.tag }}
           # Major tag (only for stable releases)
-          type=semver,pattern={{major}},enable=${{ !github.event.release.prerelease }}
+          type=semver,pattern={{major}},value=${{ steps.tag.outputs.tag }},enable=${{ github.event_name == 'release' && !github.event.release.prerelease || github.event_name == 'workflow_dispatch' }}
     
     - name: Build and push Docker image
       uses: docker/build-push-action@v6