Fix Docker tag model: add mutable variant release floating tag and restrict latest to release

[spbolton]

Description

One issue with the Docker tag model in the CI/CD deployment phase:

Missing floating tag for Java variant release builds

Java variant builds are only automatically created for the release workflow, driven by the RELEASE_JAVA_VARIANT_SUFFIX repository variable (e.g., java-25). For the primary non-variant release, latest is the mutable floating tag while the version string is version-specific. No equivalent floating tag exists for variant releases:

Release build	Floating tag	Version-specific tag
Primary (Java 21)	latest	25.02.16-01
Variant (configured suffix)	missing	25.02.16-01_{suffix}

Users who always want the latest release built with the configured Java variant (e.g., Java 25) must pin to a specific version, with no floating tag available.

The fix is to push a suffix-only mutable tag (the value of RELEASE_JAVA_VARIANT_SUFFIX, e.g., java-25) whenever raw_suffix is non-empty — unconditionally, with no latest gate. This tag is the variant equivalent of latest for primary builds.

Important: the latest input controls only one thing — whether the actual Docker latest tag is pushed (when the effective suffix is empty). It has no role in suffix floating tag logic, and cicd_7-release-java-variant.yml correctly omits latest: true since variant builds must never push latest.

Acceptance Criteria

• When a Java variant release completes, a mutable tag matching the raw artifact suffix (value of RELEASE_JAVA_VARIANT_SUFFIX, e.g., java-25) is pushed to Docker Hub for both dotcms/dotcms and dotcms/dotcms-dev
• The suffix-based floating tag is pushed unconditionally whenever raw_suffix is non-empty — it is not gated on inputs.latest
• The suffix-based floating tag is updated on each new variant release, always pointing to the latest version
• Existing tags are unaffected: {version}_{suffix} and {version}_{suffix}_{sha} continue to be created
• The latest tag for primary (non-variant) releases is unaffected
• cicd_7-release-java-variant.yml does not need latest: true — variant builds correctly never push latest
• Tag model documentation in cicd_comp_deployment-phase.yml (lines 14–41) updated to reflect the variant release floating tag

Priority

Medium

Additional Context

Key files:

• .github/workflows/cicd_comp_deployment-phase.yml:
  • Lines 241/284: when raw_suffix is non-empty, push the suffix-only mutable tag using custom-tag or extra-tags inputs on the deploy-docker action — no inputs.latest gate required
• .github/actions/core-cicd/deployment/deploy-docker/action.yml — no changes expected; custom-tag at line 157 already supports adding an arbitrary mutable tag
• .github/workflows/cicd_7-release-java-variant.yml — no changes needed

The raw_suffix output (e.g., java-25) is already computed by the get-sdkman-version step from the artifact-suffix input (which comes from RELEASE_JAVA_VARIANT_SUFFIX). No hardcoded values needed.

latest input semantics: this flag controls only whether the actual Docker latest tag is published. It applies exclusively to primary (non-variant) release builds where the effective suffix is empty. SHA-based version tags and all non-empty effective tags (suffix floating tags, environment tags) are always pushed regardless of this flag.

Related: dev image latest tag bug (nightly incorrectly overwrites dotcms/dotcms-dev:latest) tracked separately in #34765.

[spbolton]

Java Variant Suffix Naming Convention: java25 → java-25

Per team decision (Will Ezell's preference), the artifact suffix format for Java variants should use a dash separator between java and the version number (e.g., java-25 instead of java25).

Logic changes (3 files)

These are the only files with actual derivation logic that needs updating:

File	Line	Current	Updated
.github/workflows/cicd_comp_deployment-phase.yml	122	RAW_SUFFIX="java${JAVA_MAJOR}"	RAW_SUFFIX="java-${JAVA_MAJOR}"
.github/workflows/cicd_comp_release-phase.yml	119	RAW_SUFFIX="java${JAVA_MAJOR}"	RAW_SUFFIX="java-${JAVA_MAJOR}"
.github/actions/core-cicd/maven-job/action.yml	133	RAW_SUFFIX="java${JAVA_MAJOR}"	RAW_SUFFIX="java-${JAVA_MAJOR}"

Comment/description updates (example values only)

The following files contain java25 only in descriptions, comments, or example strings — no logic change, just update examples from java25 → java-25:

• .github/workflows/cicd_comp_deployment-phase.yml — lines 47, 101–107
• .github/workflows/cicd_comp_release-phase.yml — lines 61, 103–109
• .github/workflows/cicd_comp_build-phase.yml — line 57
• .github/workflows/cicd_6-release.yml — line 61
• .github/workflows/cicd_7-release-java-variant.yml — lines 16, 27, 48
• .github/workflows/cicd_8-manual-deploy.yml — lines 9, 25, 51
• .github/workflows/cicd_3-trunk.yml — line 53
• .github/workflows/cicd_4-nightly.yml — line 48
• .github/workflows/cicd_comp_test-phase.yml — line 64
• .github/actions/core-cicd/maven-job/action.yml — lines 100, 119–125
• .github/actions/core-cicd/deployment/deploy-docker/action.yml — line 61

Repo variable

The RELEASE_JAVA_VARIANT_SUFFIX repository variable currently set to java25 should be updated to java-25 after this change is merged.

Notes

• The multi-suffix form also changes: java25-ms → java-25-ms
• Existing tag examples in the Docker tag comment block should be updated: 25.02.16-01_java25_abc123 → 25.02.16-01_java-25_abc123
• This is a naming convention change only — the separator logic (dash for Maven, underscore for Docker) is unchanged

[github-actions]

PRs linked to this issue

• fix: add mutable floating tag for Java variant release builds (#34745) by @spbolton