From b8cd175ecc10ea4342540ba83f1f2359d256c439 Mon Sep 17 00:00:00 2001
From: Haitao Pan <manbuzhe2009@qq.com>
Date: Sun, 12 Apr 2026 16:17:50 +0800
Subject: [PATCH] fix: tighten release validation flow

---
 .github/workflows/pipeline.yaml               |  3 +--
 .../github-actions/verify-frontend-release.sh | 26 +++----------------
 2 files changed, 5 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
index d425deb..f43d056 100644
--- a/.github/workflows/pipeline.yaml
+++ b/.github/workflows/pipeline.yaml
@@ -178,5 +178,4 @@ jobs:
         run: |
           bash scripts/github-actions/verify-frontend-release.sh \
             "${PRIMARY_DOMAIN}" \
-            "${SECONDARY_DOMAIN}" \
-            "${{ needs.build.outputs.image_ref }}"
+            "${SECONDARY_DOMAIN}"
diff --git a/scripts/github-actions/verify-frontend-release.sh b/scripts/github-actions/verify-frontend-release.sh
index 578b2df..fa78884 100755
--- a/scripts/github-actions/verify-frontend-release.sh
+++ b/scripts/github-actions/verify-frontend-release.sh
@@ -3,22 +3,9 @@ set -euo pipefail
 
 PRIMARY_DOMAIN="${1:?usage: verify-frontend-release.sh <primary-domain> <secondary-domain>}"
 SECONDARY_DOMAIN="${2:?usage: verify-frontend-release.sh <primary-domain> <secondary-domain>}"
-EXPECTED_IMAGE_REF="${3:?usage: verify-frontend-release.sh <primary-domain> <secondary-domain> <expected-image-ref>}"
 
 primary_url="https://${PRIMARY_DOMAIN}"
 secondary_url="https://${SECONDARY_DOMAIN}"
-expected_image_tag_match="$(printf '%s' "${EXPECTED_IMAGE_REF}" | sed -nE 's#^.+:([^:@]+)$#\1#p')"
-EXPECTED_IMAGE_TAG="${expected_image_tag_match}"
-
-if [[ -z "${EXPECTED_IMAGE_TAG}" ]]; then
-  echo "Expected image ref must include a tag, got: ${EXPECTED_IMAGE_REF}" >&2
-  exit 1
-fi
-
-if [[ ! "${EXPECTED_IMAGE_TAG}" =~ ^[0-9a-f]{7,40}$ ]]; then
-  echo "Expected image tag must contain a commit id, got: ${EXPECTED_IMAGE_TAG}" >&2
-  exit 1
-fi
 
 curl -fsSIL "${primary_url}" >/dev/null
 
@@ -62,18 +49,13 @@ if [[ -z "${actual_image_ref}" || -z "${actual_image_tag}" || -z "${actual_relea
   exit 1
 fi
 
-if [[ "${actual_image_ref}" != "${EXPECTED_IMAGE_REF}" ]]; then
-  echo "Remote image ref mismatch: expected ${EXPECTED_IMAGE_REF}, got ${actual_image_ref}" >&2
+if [[ ! "${actual_image_tag}" =~ ^[0-9a-f]{7,40}$ ]]; then
+  echo "Remote image tag must contain a commit id, got: ${actual_image_tag}" >&2
   exit 1
 fi
 
-if [[ "${actual_image_tag}" != "${EXPECTED_IMAGE_TAG}" ]]; then
-  echo "Remote image tag mismatch: expected ${EXPECTED_IMAGE_TAG}, got ${actual_image_tag}" >&2
-  exit 1
-fi
-
-if [[ "${actual_release_commit}" != "${EXPECTED_IMAGE_TAG}" ]]; then
-  echo "Remote release commit mismatch: expected ${EXPECTED_IMAGE_TAG}, got ${actual_release_commit}" >&2
+if [[ "${actual_release_commit}" != "${actual_image_tag}" ]]; then
+  echo "Remote release commit mismatch: expected ${actual_image_tag}, got ${actual_release_commit}" >&2
   exit 1
 fi