ci(core,rest): trigger release builds on tags only, not release/* branches #2622

Open
lachen-nv wants to merge 1 commit into NVIDIA:main from lachen-nv:ci/release-tag-only-2340
@lachen-nv

Summary

  • Remove release/* from on.push.branches in both ci.yaml (Core) and rest-ci.yml (REST) so that pushes to release branches no longer trigger full CI runs
  • Release CI is now triggered exclusively by version tags (v*) which already exist in the on.push.tags globs
  • Add refs/tags/ to the notify-build-status condition in ci.yaml so tag-triggered release builds still send Slack notifications

Closes #2340

Test plan

  • Push a commit to a release/* branch — CI should not trigger
  • Push a v* tag on a release branch — both Core and REST CI should trigger via the existing on.push.tags globs
  • Verify notify-build-status fires on a tag-triggered build (check Slack notification)
  • Verify main and pull-request/* push triggers are unaffected
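
A small model of the trigger change described above, added here as an example and not taken from the PR or the repository: it evaluates which pushed refs start the workflow and reach notify-build-status before and after. The filter lists, the shape of the notify condition and the sample refs are assumptions built from the description, since the workflow files are not shown.

```python
import re

# Push filters as the PR describes them (assumed; the workflow files are not on the page).
BEFORE = {"branches": ["main", "pull-request/[0-9]+", "release/*"], "tags": ["v*"]}
AFTER = {"branches": ["main", "pull-request/[0-9]+"], "tags": ["v*"]}

TOKEN = re.compile(r"\*\*|\*|\[[^\]]*\]|[+?]|.")

def filter_regex(pattern):
    """Translate GitHub Actions filter syntax into a regex:
    '*' stops at '/', '**' does not, '[...]' is a set, '+' and '?' quantify."""
    parts = []
    for tok in TOKEN.findall(pattern):
        if tok in ("**", "*"):
            parts.append(".*" if tok == "**" else "[^/]*")
        elif tok in ("+", "?") or (tok.startswith("[") and len(tok) > 1):
            parts.append(tok)  # quantifiers and sets carry over unchanged
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts))

def push_triggers(filters, ref):
    """True if a push to `ref` starts the workflow under `filters`."""
    for prefix, key in (("refs/heads/", "branches"), ("refs/tags/", "tags")):
        if ref.startswith(prefix):
            name = ref[len(prefix):]
            return any(filter_regex(p).fullmatch(name) for p in filters[key])
    return False

def notify_gate(ref, allow_tags):
    """Assumed shape of the notify-build-status condition: main, release/*, and (after) tags."""
    prefixes = ["refs/heads/release/"] + (["refs/tags/"] if allow_tags else [])
    return ref == "refs/heads/main" or any(ref.startswith(p) for p in prefixes)

def outcome(ref, after):
    """(workflow runs, notification sent) for a push to `ref`."""
    runs = push_triggers(AFTER if after else BEFORE, ref)
    return runs, runs and notify_gate(ref, allow_tags=after)

# Constructed sample refs mirroring the test plan.
REFS = ["refs/heads/release/1.2", "refs/tags/v1.2.0", "refs/heads/main",
        "refs/heads/pull-request/123", "refs/tags/nightly"]

if __name__ == "__main__":
    for ref in REFS:
        print(f"{ref:30} before={outcome(ref, False)} after={outcome(ref, True)}")
```

The v1.2.0 row shows why the notification condition changes together with the trigger: under the assumed old condition a tag build ran without notifying. The tag filter matches the tag name only, so the branch a tagged commit sits on does not enter the decision.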

@lachen-nv lachen-nv requested a review from a team as a code owner June 16, 2026 10:23
@coderabbitai

coderabbitai Bot commented Jun 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c3c7af83-518f-4d5b-8e3d-19435951833f

📥 Commits

Reviewing files that changed from the base of the PR and between 2f2ba99 and f111102.

📒 Files selected for processing (2)
  • .github/workflows/ci.yaml
  • .github/workflows/rest-ci.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/rest-ci.yml

Summary by CodeRabbit

  • Chores
    • Updated continuous integration workflow configurations to refine build pipeline triggering conditions.

Note: This is an internal infrastructure update with no direct impact on user-facing functionality.

Walkthrough

The two GitHub Actions workflow files (ci.yaml and rest-ci.yml) have their on.push.branches trigger lists modified to remove the release/* pattern, retaining only main and pull-request/[0-9]+. Additionally, ci.yaml's notify-build-status job condition is expanded to include refs/tags/* refs.

Changes

CI Workflow Trigger and Notification Gate Updates

| Layer / File(s) | Summary |
| --- | --- |
| Remove release/* from push branch filters (.github/workflows/ci.yaml, .github/workflows/rest-ci.yml) | Both workflows remove release/* from on.push.branches, so push events on release branches no longer trigger these workflows. Active push triggers are now main and pull-request/[0-9]+ only. |
| Extend notify-build-status condition to tag refs (.github/workflows/ci.yaml) | The notify-build-status job if: condition in ci.yaml is broadened to match refs/tags/* in addition to refs/heads/main and refs/heads/release/*, ensuring the notification job fires on tag-triggered runs. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately and concisely describes the primary change: removing release/* branch triggers and relying exclusively on version tags for CI workflow execution. |
| Description check | ✅ Passed | The description comprehensively explains the rationale, implementation details, and test plan, directly addressing the changeset modifications across both workflow files. |
| Linked Issues check | ✅ Passed | The code changes fully satisfy issue #2340 requirements: removing release/* branch triggers, preserving tag-based triggering, and maintaining Slack notifications for tag-triggered builds. |
| Out of Scope Changes check | ✅ Passed | All modifications are scoped to the stated objective of migrating release CI triggers from branch commits to version tags, with no extraneous changes detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@github-actions

🔐 TruffleHog Secret Scan

No secrets or credentials found!

Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉

🕐 Last updated: 2026-06-16 10:26:00 UTC | Commit: f111102

@github-actions

github-actions Bot commented Jun 16, 2026

🔍 Container Scan Summary

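| Service | Total | Critical | High | Medium | Low | Other |
| --- | --- | --- | --- | --- | --- | --- |
| nico-nsm | 133 | 11 | 45 | 66 | 11 | 0 |
| nico-psm | 128 | 14 | 57 | 44 | 5 | 8 |
| nico-rest-api | 192 | 17 | 89 | 70 | 8 | 8 |
| nico-rest-api | 192 | 17 | 89 | 70 | 8 | 8 |
| nico-rest-cert-manager | 105 | 6 | 52 | 35 | 4 | 8 |
| nico-rest-db | 126 | 14 | 55 | 44 | 5 | 8 |
| nico-rest-site-agent | 125 | 14 | 55 | 44 | 4 | 8 |
| nico-rest-site-manager | 112 | 7 | 53 | 40 | 4 | 8 |
| nico-rest-workflow | 128 | 14 | 57 | 44 | 5 | 8 |
| TOTAL | 1241 | 114 | 552 | 457 | 54 | 64 |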

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.

@lachen-nv lachen-nv requested a review from nv-dmendoza June 16, 2026 10:49
Development

Successfully merging this pull request may close these issues.

ci: release/* workflow runs only on tags
