fix(ci): docker-publish version tag missing on workflow_dispatch

[dfrostar]

Summary

Small workflow YAML fix. One line of docker/metadata-action config.

Problem

The v0.9.0 GHCR image was pushed by docker-publish.yml but only got the :latest tag, not :v0.9.0. Confirmed via the GHCR anonymous tags API:

$ curl -fsS -H "Authorization: Bearer $token" \
    https://ghcr.io/v2/dfrostar/neuralmind/tags/list
{"name":"dfrostar/neuralmind","tags":["latest"]}

Root cause: line 76 used type=ref,event=tag. That pattern only fires on push:tag events. When the workflow is dispatched via workflow_dispatch (the backfill path for tags that didn't auto-fire because of #98), github.event_name is workflow_dispatch, not push, so event=tag doesn't match and no version tag is produced.

Fix

tags: |
  type=raw,value=${{ env.RELEASE_TAG }}      # ← was: type=ref,event=tag
  type=raw,value=latest,enable=${{ !contains(env.RELEASE_TAG, '-') }}

type=raw,value=${{ env.RELEASE_TAG }} reads from the RELEASE_TAG env var, which is set correctly for both event paths:

• push:tag → RELEASE_TAG = github.ref_name (= v0.9.0)
• workflow_dispatch → RELEASE_TAG = inputs.tag (= whatever the user typed)

The verify-pull job already reads the first tag from needs.build-and-push.outputs.tags for its smoke-test pull, so it naturally pulls the version-specific tag after the fix.

After this merges

Re-dispatch docker-publish.yml for v0.9.0 once to produce the missing :v0.9.0 tag:

gh workflow run docker-publish.yml --ref main -f tag=v0.9.0

(Or from mobile: https://github.com/dfrostar/neuralmind/actions/workflows/docker-publish.yml → Run workflow → enter v0.9.0 → green button.)

This will overwrite :latest with the same content + create :v0.9.0. Multi-platform manifest unchanged.

Test plan

• python3 -c "import yaml; yaml.safe_load(...)" parses
• No production code touched; no test changes
• Verified :latest already exists in GHCR (so the push path works — only the tagging pattern was wrong)
• Maintainer to verify after merge + re-dispatch: :v0.9.0 tag appears in GHCR tags list

Related

• Issue release.yml not triggered by release-please tag push (GITHUB_TOKEN anti-loop guard) #98 (GITHUB_TOKEN anti-loop guard) is the reason workflow_dispatch is the practical path until the PAT secret is set
• PR feat(ci): v0.9 enterprise-ready — GHCR auto-build, SBOM, air-gapped doc, compliance one-pager #129 introduced docker-publish.yml; this commit corrects an oversight in that PR's tagging pattern

https://claude.ai/code/session_01SH6iHNAqeMJHXdq7ubVcuJ

---

Generated by Claude Code

[Copilot]

Pull request overview

This PR fixes GHCR Docker image tagging so manually dispatched release backfills produce the version-specific image tag as well as latest.

Changes:

• Replaces docker/metadata-action tag generation from type=ref,event=tag to type=raw,value=${{ env.RELEASE_TAG }}.
• Updates inline workflow comments to explain behavior for both tag pushes and workflow_dispatch.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

NeuralMind self-benchmark

Status: PASS — floor 4×, measured 5.9×.

Phase 1 — Reduction on committed fixture

• Average reduction: 5.9×
• Top-k retrieval hit rate: 71.7%
• Naive baseline: 47,360 tokens (all fixture files concatenated)
• NeuralMind total: 8,149 tokens across 10 queries
• Estimated monthly savings @ 100 queries/day on Claude 3.5 Sonnet: ~$35.30

#	Query	Shape	Naive	NeuralMind	Ratio	Hit
1	auth-flow	cross-file	4,736	815	5.8×	33.3%
2	api-endpoints	focused	4,736	809	5.9×	100.0%
3	billing-flow	cross-file	4,736	846	5.6×	33.3%
4	user-storage	cross-file	4,736	672	7.0×	50.0%
5	jwt-verify	focused	4,736	681	7.0×	100.0%
6	stripe-webhook	focused	4,736	838	5.7×	100.0%
7	create-user	cross-file	4,736	794	6.0×	50.0%
8	refund	focused	4,736	827	5.7×	100.0%
9	db-choice	identity	4,736	899	5.3×	100.0%
10	invoice-send	cross-file	4,736	968	4.9×	50.0%

Phase 2 — Learning uplift

• Memory events logged: 20
• Learned patterns: 20
• Reduction ratio after neuralmind learn: 5.9× (Δ +0.00× vs. cold)
• Top-k hit rate after learning: 71.7% (Δ +0.0 points vs. cold)

Note: uplift numbers on a 500-line fixture are intentionally modest — the point is to
verify the learning mechanism persists and applies. On real production repos the lift
is larger; this test only catches regressions in persistence.

Assumptions

• Baseline: every .py file in tests/fixtures/sample_project/ concatenated.
• Tokenizer: tiktoken GPT-4o encoding (per-model breakdown in multi_model.json if generated).
• Pricing: Claude 3.5 Sonnet input @ $3.0/MTok.
• Regression floor: 4× — well below NeuralMind's typical 40–70× on real repos.

Per-model token reduction

Model	Tokenizer	Naive	NeuralMind	Ratio	Source
GPT-4o / GPT-4o-mini	tiktoken o200k_base	4,739	927	5.1×	measured
GPT-4 / GPT-3.5-turbo	tiktoken cl100k_base	4,710	918	5.1×	measured
Claude 3.5 Sonnet	estimated: GPT-4o × 1.08 — install anthropic for an exact count	5,118	1,001	5.1×	estimated
Llama 3 (70B)	estimated: GPT-4o × 1.22 — Llama tokenizer requires model weights; estimate based on published vocab ratios	5,781	1,130	5.1×	estimated

Rows marked measured use the provider's real tokenizer. Rows marked
estimated apply a published vocab-size correction to the GPT-4o count —
honest approximations, not hardcoded claims.

---

Automated by .github/workflows/ci-benchmark.yml — regenerate locally with python -m tests.benchmark.run.