[Bug] RC Docker images are incorrectly tagged as latest

[jychp]

Description

• Docker images built for release candidates (e.g., v0.x.y-rc.1) are being tagged as latest on publication.
• Python packages for the same versions are correctly marked as pre-releases, but Docker consumers pulling latest receive an unstable RC image.

Impact:

• docker pull ghcr.io/cartography-cncf/cartography:latest may return an RC build.

• Automation tools (e.g., Dependabot/Renovate) that watch container tags may treat the RC as the newest release, triggering updates downstream.

Expected behavior:

latest must point only to the most recent stable release (no pre-release identifiers).

Steps to Reproduce

1. Push a tag like v0.110.0-rc.1.

2. CI publishes container images and applies tags.

3. Pull latest:
   docker pull ghcr.io/cartography-cncf/cartography:latest

4. Observe that latest resolves to the RC digest instead of the last stable release.

[Roniscend]

Hi, I noticed this issue and was wondering if anyone is currently working on it. If not, can I take this up?

[jychp]

Already working on it as part of a larger refactoring.