Remove 'latest' tag, use immutable version tags only

- Removed 'latest' tag for production safety
- Uses git tag if available (e.g., v0.6.0-patched-1)
- Falls back to SHA-based tag for untagged commits
- Matches best practice for prod/preprod deployments

Author: pbasgod7

.github/workflows/build-and-push.yml

@@ -39,7 +39,16 @@ jobs:
         id: metadata
         run: |
           SHORT_SHA=$(echo ${{ github.sha }} | cut -c1-7)
-          IMAGE_TAG="${GRAFANA_VERSION}-quickwit-0.6.0-patched-${SHORT_SHA}"
+
+          # Use git tag if available, otherwise use short SHA
+          if git describe --exact-match --tags HEAD 2>/dev/null; then
+            GIT_TAG=$(git describe --exact-match --tags HEAD)
+            # Strip 'v' prefix if present
+            VERSION=${GIT_TAG#v}
+            IMAGE_TAG="${GRAFANA_VERSION}-quickwit-${VERSION}"
+          else
+            IMAGE_TAG="${GRAFANA_VERSION}-quickwit-0.6.0-patched-${SHORT_SHA}"
+          fi
 
           echo "githash=${{ github.sha }}" >> $GITHUB_OUTPUT
           echo "short_sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
@@ -141,23 +150,24 @@ jobs:
           github.event_name == 'workflow_dispatch' && github.event.inputs.force_publish == 'true' ||
           github.event.action == 'closed' && github.event.pull_request.merged == true ||
           github.ref == 'refs/heads/main' ||
-          github.ref == 'refs/heads/disable-field-caps-all-fields'
+          github.ref == 'refs/heads/disable-field-caps-all-fields' ||
+          startsWith(github.ref, 'refs/tags/')
         run: |
           aws ecr get-login-password --region $AWS_REGION_MGT | docker login --username AWS --password-stdin $DOCKER_REGISTRY_MGT
 
           docker tag ${{ env.ECR_REPOSITORY }}:${{ steps.metadata.outputs.image_tag }} \
             $DOCKER_REGISTRY_MGT/${{ env.ECR_REPOSITORY }}:${{ steps.metadata.outputs.image_tag }}
 
-          docker tag ${{ env.ECR_REPOSITORY }}:latest \
-            $DOCKER_REGISTRY_MGT/${{ env.ECR_REPOSITORY }}:latest
-
           docker push $DOCKER_REGISTRY_MGT/${{ env.ECR_REPOSITORY }}:${{ steps.metadata.outputs.image_tag }}
-          docker push $DOCKER_REGISTRY_MGT/${{ env.ECR_REPOSITORY }}:latest
 
           SUMMARY=$'# Published Grafana Quickwit Image to ECR\n'
-          SUMMARY+=$'## Images\n'
-          SUMMARY+=$'* '"$DOCKER_REGISTRY_MGT"'/${{ env.ECR_REPOSITORY }}:'"${{ steps.metadata.outputs.image_tag }}"$'\n'
-          SUMMARY+=$'* '"$DOCKER_REGISTRY_MGT"'/${{ env.ECR_REPOSITORY }}:latest'$'\n'
+          SUMMARY+=$'## Image\n'
+          SUMMARY+=$'```\n'
+          SUMMARY+=$''$DOCKER_REGISTRY_MGT'/${{ env.ECR_REPOSITORY }}:${{ steps.metadata.outputs.image_tag }}\n'
+          SUMMARY+=$'```\n'
+          SUMMARY+=$'\n## Usage in Deployments\n'
+          SUMMARY+=$'**Preprod**: Update gitops to use this tag for testing\n'
+          SUMMARY+=$'**Prod**: Promote this tag after preprod validation\n'
           SUMMARY+=$'\n## Details\n'
           SUMMARY+=$'* **Grafana Version**: ${{ env.GRAFANA_VERSION }}\n'
           SUMMARY+=$'* **Quickwit Plugin**: 0.6.0-patched (field_caps disabled)\n'