Revert v2.15.2's CI dedup. Tag pushes now run the full quality job before docker.
Why
v2.15.2 skipped quality on tag pushes to avoid duplicate CI runs. That left a security gap: a tag pointing at an unvalidated commit (e.g. git tag v9.9.9 some-sha directly) would trigger a Docker push without going through type check / lint / tests.
Trade-off
Each release runs quality twice (~1m each) instead of once, but guarantees Docker images are only built from validated commits. Worth it.
No code changes. Same 906 tests.
🤖 Generated with Claude Code