chore(workflows): sync build workflows with rumba

Applies all fixes from the rumba workflows.

Author: caugner

.github/workflows/_build.yml

@@ -11,7 +11,6 @@ on:
       ref:
         description: "Branch to build (default: main)"
         type: string
-        default: main
 
       tag:
         description: "Additional tag for the Docker image"
@@ -24,11 +23,10 @@ env:
 
 concurrency:
   group: build-${{ inputs.environment }}
-  cancel-in-progress: false
 
 jobs:
   docker-build-push:
-    environment: ${{ inputs.environment }}
+    environment: build
     runs-on: ubuntu-latest
 
     permissions:
@@ -40,10 +38,21 @@ jobs:
       id-token: write
 
     steps:
-      - name: Checkout (rumba)
+      - name: Validate tag format
+        if: inputs.tag
+        env:
+          TAG: ${{ inputs.tag }}
+        run: |
+          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "❌ Invalid tag: $TAG does not match format vX.Y.Z (e.g., v1.2.3)"
+            exit 1
+          fi
+          echo "✅ Valid tag: $TAG"
+
+      - name: Checkout
         uses: actions/checkout@v4
         with:
-          ref: ${{ inputs.ref }}
+          ref: ${{ inputs.ref || github.event.repository.default_branch }}
 
       - name: Docker setup
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

.github/workflows/prod-build.yml

@@ -6,15 +6,25 @@ on:
       - "v*"
 
   workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag to build (e.g. v1.13.0)"
+        required: true
 
-permissions: {}
+permissions:
+  # Read/write GHA cache.
+  actions: write
+  # Checkout.
+  contents: read
+  # Authenticate with GCP.
+  id-token: write
 
 jobs:
   build:
-    if: github.repository_owner == 'mdn' && github.ref_protected
+    if: github.repository_owner == 'mdn'
     uses: ./.github/workflows/_build.yml
     secrets: inherit
     with:
-      environment: production
-      ref: ${{ github.ref }}
-      tag: ${{ github.ref_name }}
+      environment: prod
+      ref: ${{ inputs.tag || github.ref }}
+      tag: ${{ inputs.tag || github.ref_name }}

.github/workflows/stage-build.yml

@@ -10,15 +10,20 @@ on:
       ref:
         description: "Branch to build (default: main)"
         required: false
-        default: refs/heads/main
 
-permissions: {}
+permissions:
+  # Read/write GHA cache.
+  actions: write
+  # Checkout.
+  contents: read
+  # Authenticate with GCP.
+  id-token: write
 
 jobs:
   build:
     if: github.repository_owner == 'mdn' && github.actor != 'dependabot[bot]'
     uses: ./.github/workflows/_build.yml
     secrets: inherit
     with:
-      environment: staging
-      ref: ${{ inputs.ref }}
+      environment: stage
+      ref: ${{ inputs.ref || github.event.repository.default_branch }}