From 1bf26b7b68b0c3a8a6cd30df3a0e4291773b54a8 Mon Sep 17 00:00:00 2001
From: Danny Avila
Date: Tue, 12 May 2026 08:48:26 -0400
Subject: [PATCH] chore: address CI hardening review feedback

---
 .github/workflows/gitnexus-index.yml | 6 +++---
 .github/workflows/main-image-workflow.yml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/gitnexus-index.yml b/.github/workflows/gitnexus-index.yml
index a683a93df3..1e470e9384 100644
--- a/.github/workflows/gitnexus-index.yml
+++ b/.github/workflows/gitnexus-index.yml
@@ -25,7 +25,7 @@ on:
 type: string
 default: ''
 pr_ref:
- description: 'PR head SHA or ref to check out (set by /gitnexus command)'
+ description: 'Optional PR head ref to check out; defaults to refs/pull//head when pr_number is set'
 type: string
 default: ''
@@ -74,7 +74,7 @@ jobs:
 exit 1
 fi
 EXPECTED_REF="refs/pull/${PR_NUMBER}/head"
- if [ "$PR_REF" != "$EXPECTED_REF" ]; then
+ if [ -n "$PR_REF" ] && [ "$PR_REF" != "$EXPECTED_REF" ]; then
 echo "::error::pr_ref must match ${EXPECTED_REF}"
 exit 1
 fi
@@ -169,7 +169,7 @@ jobs:
 # repo for every PR, so checkout works for fork PRs too. When
 # pr_ref is empty (native push/pull_request), fall back to the
 # default ref actions/checkout would use.
- ref: ${{ inputs.pr_ref || '' }}
+ ref: ${{ inputs.pr_ref || (inputs.pr_number != '' && format('refs/pull/{0}/head', inputs.pr_number) || '') }}
 fetch-depth: 1
 persist-credentials: false
diff --git a/.github/workflows/main-image-workflow.yml b/.github/workflows/main-image-workflow.yml
index e2bdce1760..348012de22 100644
--- a/.github/workflows/main-image-workflow.yml
+++ b/.github/workflows/main-image-workflow.yml
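Review bot: The new description string reads `refs/pull//head` with nothing between the two slashes, so the documented default has no placeholder where the PR number goes. If that is not an extraction artifact of this page, `description: 'Optional PR head ref to check out; defaults to refs/pull/<pr_number>/head when pr_number is set'` would state what the checkout fallback actually produces. The same default is derived a second time in the `ref:` expression of the checkout step later in this file, so the two descriptions should agree.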
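Review bot: The error message on the line after the changed condition no longer describes the rule it enforces: an empty pr_ref is now accepted, so `echo "::error::pr_ref must be empty or match ${EXPECTED_REF}"` would tell the caller which values pass. The comparison only constrains the ref to the shape of EXPECTED_REF, so it is PR_NUMBER, not PR_REF, that must already be validated as a plain number by the `if … exit 1; fi` block whose start is before this hunk; if that block only tests for emptiness, the value later formatted into the checkout ref is unconstrained. The enclosing step and its `if:` condition begin outside the hunk, so I can't confirm the order in which the two run.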
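Review bot: The comment directly above the changed `ref:` line is now stale: it says an empty pr_ref falls back to the default ref actions/checkout would use, but the new expression first derives `refs/pull/<n>/head` from pr_number and only uses that default when both inputs are empty. Replacing the last two comment lines with `# pr_ref is empty, derive refs/pull/<n>/head from pr_number; only when` and `# both inputs are empty fall back to the default ref actions/checkout uses.` keeps the comment truthful. Because `format()` is applied to `inputs.pr_number` directly, this expression is only as safe as the shell validation in the earlier hunk of this file, and the job/step ordering that guarantees the check runs first is outside what the hunk shows. The enclosing `with:` block of the checkout step starts before the hunk.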
@@ -31,7 +31,7 @@ jobs:
 run: |
 set -euo pipefail
 git fetch --tags --force
- LATEST_TAG=$(git tag --list 'v*' --sort=-creatordate | grep -E '^v[0-9]+[.][0-9]+[.][0-9]+$' | head -n 1)
+ LATEST_TAG=$(git tag --list 'v[0-9]*' --sort=-v:refname | grep -E '^v[0-9]+[.][0-9]+[.][0-9]+$' | head -n 1)
 if [ -z "$LATEST_TAG" ]; then
 echo "::error::No stable v tag found"
 exit 1
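Review bot: With `set -euo pipefail` in force, the assignment `LATEST_TAG=$(… | grep -E … | head -n 1)` aborts the step as soon as grep matches nothing, because pipefail propagates grep's exit status 1 through the command substitution and `set -e` exits on the failed assignment, so the `::error::No stable v tag found` branch below it is never reached in exactly the case it was written for. Appending `|| true` inside the substitution, `… | head -n 1 || true)`, lets the pipeline's non-match fall through to the explicit emptiness check and produces the intended annotation. This predates the commit's switch to `--sort=-v:refname` and is not addressed by it; the `run:` step's header and the rest of the job are outside the hunk.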