chore: Enhance cli release workflow

[morri-son]

What this PR does / why we need it

Implements a unified CLI release workflow with environment-gated promotion. RC and final release happen in a single workflow run, separated by a 14-day wait timer and required approval.

Key Changes

• Single Workflow Run: RC creation and final promotion in one execution
• Environment Gate: cli/release environment with 14-day wait + reviewer approval
• Simplified Attestations: Direct verification via gh attestation verify (no bundle exports)
• Consistent Changelogs: git-cliff for RC, copy body to final release notes
• Central JS script release-versioning.js and unit tests for all release related versioning calculations

Documentation

See RELEASE_PROCESS.md for the complete release manager guide.

[Skarlso]

Make sure to run these from time to time because:

➜ node export-attestations.test.js
file:///Users/skarlso/goprojects/sap/open-component-model/.github/scripts/export-attestations.test.js:9
import { parsePatterns, findAssets, bundleNameForAsset, sha256File } from "./export-attestations.js";
                                    ^^^^^^^^^^^^^^^^^^
SyntaxError: The requested module './export-attestations.js' does not provide an export named 'bundleNameForAsset'
    at #asyncInstantiate (node:internal/modules/esm/module_job:302:21)
    at async ModuleJob.run (node:internal/modules/esm/module_job:405:5)
    at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:654:26)
    at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:101:5)

Node.js v25.2.1

[matthiasbruns]

I have created a doc along the multiple changes. WDYT? Is it useful to place it along the workflow files or under .github/docs ?

technical-deep-dive-github-release-workflows.md

I would - do it in this PR that we can review it as well :)

[Skarlso]

So, I'm not sure how this is working, but there are several errors in the Javascripts... For example, once again, if I'm trying to run the test I'm getting import errors because certain things aren't exported:

➜ node export-attestations.test.js
file:///Users/skarlso/goprojects/sap/open-component-model/.github/scripts/export-attestations.test.js:9
import { parsePatterns, findAssets, bundleNameForAsset, sha256File } from "./export-attestations.js";
                                    ^^^^^^^^^^^^^^^^^^
SyntaxError: The requested module './export-attestations.js' does not provide an export named 'bundleNameForAsset'
    at #asyncInstantiate (node:internal/modules/esm/module_job:302:21)
    at async ModuleJob.run (node:internal/modules/esm/module_job:405:5)
    at async onImport.tracePromise.__proto__ (node:internal/modules/esm/loader:654:26)
    at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:101:5)

Node.js v25.2.1

• bundleNameForAsset is a private function (no export keyword) in export-attestations.js
• parsePatterns, findAssets, and sha256File are defined in attestation-utils.js and only imported by
  export-attestations.js — they're not re-exported
• IMAGE_TAG is not checked. It could be empty, then things break.
• IMAGE_REF is never actually used.

I took a look at the attestation, I think we have a problem I didn't think about. The Attestation you download then upload if I understand correctly. This means you download it from the RC and the attestation will contain things like v2.0.0-rc which will be confusing for any consumer. Could you check that please to make sure the attestation is actually for the latest release and not the RC?

[Skarlso]

Here are some more things we'll discuss:

1. validate_final is just a test, this shouldn't be an entire separate job, it's a step. it's comparing two strings.
2. You are passing around the changelog base64 between jobs is fragile and hits GitHub's ~1MB output limit on large changelogs
3. There are too many javascript files right now. We have 9 JS files to maintain for what is
   essentially: "find latest tag, bump number, download/verify attestations." The version computation could be a 20-lines. The attestation export/verify wraps gh attestation download/verify with file renaming. This definitely needs to be smaller. I like that we are testing everything, but still.
4. compute-rc-version.js switch/case with fall-through — The version computation logic (lines 125–158) uses switch(true) with intentional fall-through between cases. That's a footgun waiting to fire.
5. cancel-in-progress: true. Are we sure this is really what we want?
6. If tag_final succeeds but promote_image or release_final fails, you have an orphaned final tag with no release. We don't have anything in place to clean this up.
7. There is a lot of duplication going on in here. Especially around the attestation and the test files.
   export-attestations.js and verify-attestations.js both import parsePatterns and findAssets from different places. The export test imports them from export-attestations.js, the verify test imports them from
   verify-attestations.js but they live in attestation-utils.js.

Actually, verify-attestations.js imports from ./attestation-utils.js but the test file imports parsePatterns, findAssets, and sha256File from ./verify-attestations.js which doesn't re-export them. Probably that's why the test is broken?
Both test files duplicate the exact same parsePatterns and findAssets test cases. That's test code you maintain twice.

Not sure what's going on there. :D
9. Export and verify could be one thing. They are one thing after all. :)
10. resolve-latest-rc.js and compute-rc-version.js. I really really feel these are doing the same thing. It's super difficult to explain why both exist. 🤔

And that's about it.

[morri-son]

@Skarlso, thx for the feedback! I'll look into all of it. Also discussed with @jakobmoellerdev about soley relying on GH's attestation endpoint and API, so I will remove all attestation download, persist as asset, use that for verify. Will also check where to merge existing scripts.

One thing I need to add is a gate after the RC, so that promote needs a 4-eyes-principle.

[Skarlso]

Overall, I think this is now pretty okay.

[Skarlso]

Let's try this out then. :)

[frewilhelm]

Let's get this merged :)