From 8d0a4082a44403a7ed3f5d920b7b420a2cf72237 Mon Sep 17 00:00:00 2001
From: Abhi <43648792+abhipatel12@users.noreply.github.com>
Date: Mon, 14 Jul 2025 00:19:58 -0400
Subject: [PATCH] Fix(ci): Correct container publishing pipeline and improve
 robustness (#4093)

---
 .gcp/release-docker.yaml | 15 +++++++--------
 scripts/build_sandbox.js | 10 +++++++++-
 2 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/.gcp/release-docker.yaml b/.gcp/release-docker.yaml
index 1a8ad6b5..a3bd7e70 100644
--- a/.gcp/release-docker.yaml
+++ b/.gcp/release-docker.yaml
@@ -24,13 +24,15 @@ steps:
     args:
       - -c
       - |
+        SHELL_TAG_NAME="$TAG_NAME"
         FINAL_TAG="$SHORT_SHA" # Default to SHA
-        if [[ "$TAG_NAME" == *"-nightly"* ]]; then
+        if [[ "$$SHELL_TAG_NAME" == *"-nightly"* ]]; then
           echo "Nightly release detected."
-          FINAL_TAG="${TAG_NAME#v}"
-        elif [[ "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          FINAL_TAG="$${SHELL_TAG_NAME#v}"
+        # Also escape the variable in the regex match
+        elif [[ "$$SHELL_TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
           echo "Official release detected."
-          FINAL_TAG="${TAG_NAME#v}"
+          FINAL_TAG="$${SHELL_TAG_NAME#v}"
         else
           echo "Development/RC release detected. Using commit SHA as tag."
         fi
@@ -58,10 +60,7 @@ steps:
       - -c
       - |
         set -e
-        IMAGE_TAG=$$(cat /workspace/image_tag.txt)
-        BASE_IMAGE_URI=$$(npm run -s config get sandboxImageUri)
-        IMAGE_URI_NO_TAG=$${BASE_IMAGE_URI%:*}
-        FINAL_IMAGE_URI="$${IMAGE_URI_NO_TAG}:$${IMAGE_TAG}"
+        FINAL_IMAGE_URI=$$(cat /workspace/final_image_uri.txt)
 
         echo "Pushing sandbox image: $${FINAL_IMAGE_URI}"
         $_CONTAINER_TOOL push "$${FINAL_IMAGE_URI}"
diff --git a/scripts/build_sandbox.js b/scripts/build_sandbox.js
index 962f99d9..51d0556e 100644
--- a/scripts/build_sandbox.js
+++ b/scripts/build_sandbox.js
@@ -18,7 +18,7 @@
 // limitations under the License.
 
 import { execSync } from 'child_process';
-import { chmodSync, readFileSync, rmSync } from 'fs';
+import { chmodSync, existsSync, readFileSync, rmSync, writeFileSync } from 'fs';
 import { join } from 'path';
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
@@ -134,6 +134,14 @@ function buildImage(imageName, dockerfile) {
     { stdio: buildStdout, shell: '/bin/bash' },
   );
   console.log(`built ${finalImageName}`);
+  if (existsSync('/workspace/final_image_uri.txt')) {
+    // The publish step only supports one image. If we build multiple, only the last one
+    // will be published. Throw an error to make this failure explicit.
+    throw new Error(
+      'CI artifact file /workspace/final_image_uri.txt already exists. Refusing to overwrite.',
+    );
+  }
+  writeFileSync('/workspace/final_image_uri.txt', finalImageName);
 }
 
 if (baseImage && baseDockerfile) {