From 1dbeaa7209c4c80b6fe74769017c78db44338c76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=B9=9B=E5=85=AE?=
Date: Fri, 5 Jun 2026 14:45:44 +0800
Subject: [PATCH] ci: harden production tag selection
---
 Jenkinsfile.prod | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/Jenkinsfile.prod b/Jenkinsfile.prod
index d29a22d..b907c45 100644
--- a/Jenkinsfile.prod
+++ b/Jenkinsfile.prod
@@ -10,7 +10,7 @@ pipeline {
 sortMode: 'DESCENDING_SMART',
 selectedValue: 'TOP',
 useRepository: 'http://127.0.0.1:3001/my-project/access-manage.git',
- quickFilterEnabled: true,
+ quickFilterEnabled: false,
 listSize: '10',
 requiredParameter: true,
 description: '请选择要部署到生产环境的 Git Tag。列表自动来自当前项目仓库,生产只能从 Tag 发布。'
@@ -41,6 +41,14 @@ pipeline {
 set -eu
 test -n "$RELEASE_TAG"
 NORMALIZED_RELEASE_TAG="$(printf '%s' "$RELEASE_TAG" | sed 's/\\^{}$//')"
+ case "$NORMALIZED_RELEASE_TAG" in
+ v[0-9A-Za-z._-]*) ;;
+ *) echo "Invalid release tag: $NORMALIZED_RELEASE_TAG"; exit 2 ;;
+ esac
+ if ! git ls-remote --exit-code --tags origin "refs/tags/$NORMALIZED_RELEASE_TAG" >/dev/null; then
+ echo "Release tag does not exist in repository: $NORMALIZED_RELEASE_TAG"
+ exit 3
+ fi
 echo "Deploying production tag: $NORMALIZED_RELEASE_TAG"
 git fetch --tags --force
 git checkout -f "refs/tags/$NORMALIZED_RELEASE_TAG"
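Review bot: The added `case` arm `v[0-9A-Za-z._-]*) ;;` in the second hunk is a shell glob, not a regex, so the bracket constrains only the character after `v` and the trailing `*` accepts any remaining text, including spaces, `/`, `..` and glob metacharacters. The allowlist therefore does not restrict the tag to the intended character set. Putting a reject arm first closes this: `*[!0-9A-Za-z._-]*) echo "Invalid release tag"; exit 2 ;;`, followed by the existing `v[0-9A-Za-z._-]*) ;;` arm. This matters for the next check too, because `git ls-remote` treats its ref argument as a glob pattern, so a value containing `*` can pass the existence test without naming one exact tag. The enclosing `sh` step starts and ends outside the hunk, so how `RELEASE_TAG` reaches the script is not visible here.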