
Conversation

@brendan-kellam (Contributor) commented Jan 9, 2026

This PR improves the automated release pipeline in a few ways:

  • GitHub releases will now only be minted after a build has succeeded and has been published to ghcr. This addresses [bug] v4.10.7 was not published to GHCR #713 in the event of a build failing. Releases are now more "atomic" in a sense.
  • New helm chart versions will now automatically be minted after release

SOU-178


Note

Makes the release process atomic and self-contained within release-sourcebot.yml, replacing the separate ghcr-publish.yml workflow.

  • Introduces a multi-job flow: prepare-release (calculate version, update CHANGELOG.md and version.ts, push a temp release-vX.Y.Z branch), build (Buildx multi-arch, cache, sign with cosign, upload digests, tag vX.Y.Z and latest), finalize-release (fast-forward main to temp branch, create annotated tag, push, assemble and push manifest list from digests, verify via inspect, then create GitHub release), update-helm-chart (trigger external workflow), and cleanup (delete temp branch).
  • Uses GitHub App token for privileged operations; adds REGISTRY_IMAGE env; integrates image publishing/signing and manifest creation directly into the release workflow.
  • Removes .github/workflows/ghcr-publish.yml.

Written by Cursor Bugbot for commit 8b63889.

@coderabbitai bot commented Jan 9, 2026

Walkthrough

The PR consolidates Docker image publishing functionality by removing the dedicated ghcr-publish.yml workflow and integrating its capabilities into release-sourcebot.yml. The release workflow is restructured with additional jobs (build, finalize-release, update-helm-chart, cleanup) and introduces temporary branches, fast-forward validation, manifest operations, and external workflow dependencies.

Changes

Cohort / File(s): GitHub Actions Workflows, ghcr-publish.yml
Summary: Entire file deleted (160 lines removed). Previously defined the multi-platform Docker build, signing, and publish workflow to ghcr.io; functionality now consolidated into the release workflow.

Cohort / File(s): GitHub Actions Workflows, release-sourcebot.yml
Summary: Restructured with multiple new jobs: prepare-release (renamed from release), push_temp_branch, build, finalize-release, update-helm-chart, and cleanup. Adds Docker metadata extraction, cosign signing, manifest creation, fast-forward branch validation, temporary branch handling, and external workflow dispatch for Helm chart updates.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks: 3 passed
  • Title check: Passed. The title 'chore: Improved release pipeline' accurately describes the main changes: refactoring the release workflow by removing ghcr-publish.yml and substantially enhancing release-sourcebot.yml with new jobs, Docker operations, and Helm chart integration.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.


@brendan-kellam brendan-kellam marked this pull request as ready for review January 9, 2026 20:02
@github-actions: comment marked as off-topic.

@brendan-kellam (Contributor, Author) commented:

@coderabbitai review

@coderabbitai bot commented Jan 9, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai bot left a review comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/release-sourcebot.yml (1)

368-375: Consider removing unnecessary packages: write permission.

The cleanup job only deletes a Git branch; it doesn't interact with packages. The packages: write permission appears unnecessary and could be removed to follow the principle of least privilege.

Suggested fix
   cleanup:
     needs: [prepare-release, build, finalize-release, update-helm-chart]
     if: always() && needs.prepare-release.outputs.temp_branch != ''
     runs-on: ubuntu-latest
     permissions:
       contents: write
-      packages: write
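Review bot: the suggested removal of packages: write is consistent with the job body; deleting the temp branch needs only contents: write, and nothing in cleanup touches ghcr. Keep the `if: always() && needs.prepare-release.outputs.temp_branch != ''` guard as written: always() makes the branch get removed when build or finalize-release fails, which is the failure case the PR description sets out to handle, and the != '' check already covers a run in which prepare-release never produced a branch.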
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8c4af53 and 9d5034c.

📒 Files selected for processing (2)
  • .github/workflows/ghcr-publish.yml
  • .github/workflows/release-sourcebot.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/ghcr-publish.yml
🧰 Additional context used
🪛 GitHub Check: CodeQL
.github/workflows/release-sourcebot.yml

[warning] 365-368: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Cursor Bugbot
  • GitHub Check: build
🔇 Additional comments (9)
.github/workflows/release-sourcebot.yml (9)

15-21: LGTM!

The workflow-level configuration is well-structured. The concurrency group with cancel-in-progress: false is appropriate for release workflows to prevent accidental cancellation of in-progress releases.


47-91: LGTM!

The version calculation logic is correct. The version is properly extracted from CHANGELOG.md using grep, parsed into components, bumped according to the input type, and exported to both GITHUB_ENV (for subsequent steps) and GITHUB_OUTPUT (for dependent jobs).


134-142: Good approach using a temporary branch for atomic releases.

Pushing to a temporary branch before building ensures the release commit is stable during the build process, and allows for rollback if the build fails without polluting the main branch.


144-161: LGTM!

The matrix strategy correctly maps platforms to appropriate runners (ubuntu-latest for amd64, ubuntu-24.04-arm for arm64), enabling native builds for each architecture.


242-249: LGTM!

The cosign signing configuration is correctly set up. Using the OIDC identity token with Fulcio for keyless signing is the recommended approach for GitHub Actions.


277-301: LGTM!

The fast-forward merge logic is correctly implemented. The check git merge-base --is-ancestor main "$TEMP_BRANCH" correctly validates that main can be fast-forwarded to the release branch, and the error message helpfully shows which commits caused the conflict.


344-352: LGTM!

The manifest list creation correctly combines the platform-specific digests into a multi-architecture manifest and applies the version and latest tags.


390-400: LGTM!

Good defensive coding—checking if the branch exists before attempting deletion prevents errors when the branch was already cleaned up or never created.


364-366: Permissions block is not required for this job.

This job calls a reusable external workflow that supports workflow_call. The external workflow (update-sourcebot-version.yaml) does not accept any inputs and automatically determines the Sourcebot version by querying the latest GitHub release via API. It also defines its own permissions (contents: write, pull-requests: write) which are sufficient for its operations.

No action needed—the job is correctly configured.
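The prepare-release and finalize-release steps summarised in the PR description, together with the version-bump logic and the fast-forward check that the CodeRabbit comments above approve, as an added stand-alone sketch. This is not Sourcebot's workflow code: only the `git merge-base --is-ancestor main "$TEMP_BRANCH"` gate is taken from the review text; the CHANGELOG heading format, the function names, the release-vX.Y.Z branch naming and the throwaway repositories are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Sourcebot's workflow: a local sketch of the release gate the
# PR describes (bump the version read from CHANGELOG.md, cut a temp branch, then
# fast-forward main and tag only if main has not moved). The CHANGELOG heading
# style, the function names and the throwaway repos are assumptions.
set -eu

# Constructed CHANGELOG excerpt; assumes "## [x.y.z]" headings, newest first.
CHANGELOG_SAMPLE='# Changelog
## [Unreleased]
## [4.10.7] - 2026-01-08
## [4.10.6] - 2026-01-02'

# First released version heading in the text ([Unreleased] does not match).
current_version() {
  printf '%s\n' "$1" | grep -oE '^## \[[0-9]+\.[0-9]+\.[0-9]+\]' | head -n 1 | tr -d '#[] '
}

# bump_version X.Y.Z major|minor|patch -> new version on stdout.
bump_version() {
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
  case "$2" in
    major) major=$((major + 1)); minor=0; patch=0 ;;
    minor) minor=$((minor + 1)); patch=0 ;;
    patch) patch=$((patch + 1)) ;;
    *) echo "unknown bump type: $2" >&2; return 1 ;;
  esac
  printf '%s.%s.%s\n' "$major" "$minor" "$patch"
}

release_branch_name() { printf 'release-v%s\n' "$1"; }

# Empty commit with a fixed identity so the demo works on a bare runner.
commit() {
  git -C "$1" -c user.name=ci -c user.email=ci@example.invalid \
    commit -q --allow-empty -m "$2"
}

# The gate from the workflow: main must be an ancestor of the temp branch.
# On failure, list the commits main gained so the operator sees the conflict.
can_fast_forward() {
  if git -C "$1" merge-base --is-ancestor main "$2"; then
    return 0
  fi
  echo "main moved since $2 was cut; refusing to fast-forward. New on main:" >&2
  git -C "$1" log --oneline "$2..main" >&2
  return 1
}

# finalize_release REPO TEMP_BRANCH VERSION -> sha of the tagged commit.
# Runs the gate, fast-forwards main, and creates the annotated vX.Y.Z tag.
finalize_release() {
  can_fast_forward "$1" "$2"
  git -C "$1" checkout -q main
  git -C "$1" merge -q --ff-only "$2"
  git -C "$1" -c user.name=ci -c user.email=ci@example.invalid \
    tag -a "v$3" -m "Release v$3"
  git -C "$1" rev-parse "v$3^{commit}"
}

# Throwaway repo: main at "base", TEMP_BRANCH one release commit ahead of it.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  commit "$dir" "base"
  git -C "$dir" checkout -q -b "$1"
  commit "$dir" "chore: release $1"
  git -C "$dir" checkout -q main
  printf '%s\n' "$dir"
}

demo() {
  ver=$(bump_version "$(current_version "$CHANGELOG_SAMPLE")" patch)
  branch=$(release_branch_name "$ver")
  repo=$(make_demo_repo "$branch")
  echo "released $ver from $branch at $(finalize_release "$repo" "$branch" "$ver")"

  # Race case: something lands on main while the build is still running.
  ver2=$(bump_version "$ver" patch)
  branch2=$(release_branch_name "$ver2")
  repo2=$(make_demo_repo "$branch2")
  commit "$repo2" "unrelated change on main"
  if ! can_fast_forward "$repo2" "$branch2"; then
    echo "release $ver2 blocked before any tag or GitHub release was created"
  fi
}

if command -v git >/dev/null 2>&1; then demo; fi
```

Run it in a shell with git on the PATH; it prints the tagged commit for the clean case and the refusal message for the diverged case. The second scenario is the race the temp-branch design guards against: a commit landing on main while the build runs means the release commit can no longer be fast-forwarded, so the job fails before any tag, manifest or GitHub release exists, which is the ordering the PR description calls "atomic".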

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@cursor bot left a comment: This PR is being reviewed by Cursor Bugbot.

@brendan-kellam brendan-kellam merged commit 0a8109f into main Jan 9, 2026
10 checks passed
@brendan-kellam brendan-kellam deleted the bkellam/improved-release-pipeline branch January 9, 2026 20:42
Cursor Bugbot review comment on the update-helm-chart job (the job's permissions and uses lines are the code under review):

      contents: read
      packages: write
      id-token: write
    uses: sourcebot-dev/sourcebot-helm-chart/.github/workflows/update-sourcebot-version.yaml@main

Helm chart workflow missing version input parameter (High Severity)

The update-helm-chart job calls the external workflow update-sourcebot-version.yaml without passing the version as an input. Additionally, the job only declares needs: finalize-release, so it cannot access needs.prepare-release.outputs.version since GitHub Actions only allows accessing outputs from directly declared dependencies. The helm chart update workflow likely requires the version to know what Sourcebot version to configure, but currently receives no version information.
