Address review: sanitize branch names, audit major.minor tags

- Apply same tag sanitization as docker.yml (replace / with -, strip
  leading v) in cleanup workflow, matching deploy-to-quay tag format
- Audit workflow now also checks X.Y-flavor tags (e.g., 3.0-baseimage)
  since those were affected in the incident too

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dpark01

.github/workflows/audit-quay-tags.yml

@@ -38,24 +38,27 @@ jobs:
             exit 1
           fi
 
-          for VERSION in $VERSIONS; do
-            # Check mega tag (no suffix)
-            if ! crane manifest "${REPO}:${VERSION}" > /dev/null 2>&1; then
-              echo "::error::MISSING: ${REPO}:${VERSION}"
+          check_tag() {
+            local TAG="$1"
+            if ! crane manifest "${REPO}:${TAG}" > /dev/null 2>&1; then
+              echo "::error::MISSING: ${REPO}:${TAG}"
               FAILED=1
             else
-              echo "OK: ${REPO}:${VERSION}"
+              echo "OK: ${REPO}:${TAG}"
             fi
+          }
+
+          for VERSION in $VERSIONS; do
+            MAJOR_MINOR=$(echo "$VERSION" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+
+            # Check mega tag (no suffix) — both X.Y.Z and X.Y
+            check_tag "${VERSION}"
+            check_tag "${MAJOR_MINOR}"
 
-            # Check each flavor
+            # Check each flavor — both X.Y.Z-flavor and X.Y-flavor
             for FLAVOR in $FLAVORS; do
-              TAG="${VERSION}-${FLAVOR}"
-              if ! crane manifest "${REPO}:${TAG}" > /dev/null 2>&1; then
-                echo "::error::MISSING: ${REPO}:${TAG}"
-                FAILED=1
-              else
-                echo "OK: ${REPO}:${TAG}"
-              fi
+              check_tag "${VERSION}-${FLAVOR}"
+              check_tag "${MAJOR_MINOR}-${FLAVOR}"
             done
           done
 

.github/workflows/cleanup-images.yml

@@ -11,11 +11,22 @@ jobs:
     permissions: {}
 
     steps:
+      - name: Compute tag prefix
+        id: tag-prefix
+        run: |
+          # Apply the same sanitization as docker.yml's "Compute Docker image tag prefix":
+          # replace "/" with "-" and strip leading "v"
+          RAW="${{ github.event.ref }}"
+          PREFIX=$(echo "$RAW" | sed 's|/|-|g')
+          PREFIX=${PREFIX#v}
+          echo "prefix=${PREFIX}" >> $GITHUB_OUTPUT
+          echo "Tag prefix: ${PREFIX} (from branch: ${RAW})"
+
       - name: Safety check - refuse version-like branch names
         run: |
-          BRANCH_TAG="${{ github.event.ref }}"
-          if [[ "$BRANCH_TAG" =~ ^v?[0-9]+\.[0-9]+ ]]; then
-            echo "::error::Refusing to delete tags for version-like branch: $BRANCH_TAG"
+          PREFIX="${{ steps.tag-prefix.outputs.prefix }}"
+          if [[ "$PREFIX" =~ ^[0-9]+\.[0-9]+ ]]; then
+            echo "::error::Refusing to delete tags for version-like branch: $PREFIX"
             exit 1
           fi
 
@@ -31,15 +42,15 @@ jobs:
 
       - name: Delete feature branch tags from Quay
         run: |
-          BRANCH_TAG="${{ github.event.ref }}"
+          TAG_PREFIX="${{ steps.tag-prefix.outputs.prefix }}"
           QUAY_REPO="quay.io/broadinstitute/viral-ngs"
 
           # Image tag suffixes - must be kept in sync with deploy-to-quay in docker.yml
           # See: .github/workflows/docker.yml deploy-to-quay job matrix
           SUFFIXES=("-baseimage" "-core" "-assemble" "-classify" "-phylo" "")
 
           for SUFFIX in "${SUFFIXES[@]}"; do
-            TAG="${BRANCH_TAG}${SUFFIX}"
+            TAG="${TAG_PREFIX}${SUFFIX}"
             echo "Deleting ${QUAY_REPO}:${TAG}..."
             # Use crane delete instead of skopeo delete. crane removes only the tag
             # reference, not the underlying manifest. This prevents cascade deletion