chore: remove publish images for release branches in cli workflow #1962

Merged: morri-son merged 7 commits into open-component-model:main from morri-son:remove-publish-for-release-branches on Mar 20, 2026
Conversation

@morri-son

@morri-son morri-son commented Mar 12, 2026

On-behalf-of: Gerald Morrison (SAP) gerald.morrison@sap.com

What this PR does / why we need it

  • Remove the publish of artifacts for release branches in cli workflow
  • Remove workflow_dispatch from controller workflow, also simplifying the check if branch is eligible for push

Summary by CodeRabbit

  • Chores
    • Broadened CI triggers to include release branches and tag patterns; release branches now run build & test validation while publishing remains tied to main or release tags.
    • Removed a manual debug trigger/input and simplified the publish/push decision logic to reduce conditional branching and streamline pipeline execution.

…for controller. Simplify check for push eligibility.

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
@morri-son morri-son requested a review from a team as a code owner March 12, 2026 13:56
@morri-son morri-son added the kind/chore chore, maintenance, etc. label Mar 12, 2026
@github-actions github-actions Bot added component/github-actions Changes on GitHub Actions or within `.github/` directory size/s Small labels Mar 12, 2026
@coderabbitai

coderabbitai Bot commented Mar 12, 2026

Warning

Rate limit exceeded

@jakobmoellerdev has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 23 minutes and 19 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between f8094a8 and 738ec68.

📒 Files selected for processing (2)
  • .github/workflows/cli.yml
  • .github/workflows/kubernetes-controller.yml
📝 Walkthrough

Updated two GitHub Actions workflows: CLI workflow adds release branch/tag push triggers and simplifies push eligibility; Kubernetes controller workflow removes manual dispatch and consolidates publish eligibility into a single ref-pattern check. Release branches run build/test only; publishing remains tied to main or release tags.

Changes

Cohort / File(s) and summary:

  • GitHub Actions: CLI workflow (.github/workflows/cli.yml): Added push triggers for releases/v** branches and cli/v** tags; clarified comments about release-branch behavior; removed special-case check for releases/v0.* in should_push_oci_image logic and rely on default/ref patterns.
  • GitHub Actions: Kubernetes controller workflow (.github/workflows/kubernetes-controller.yml): Removed workflow_dispatch input and debug step; consolidated publish eligibility to a single direct ref-pattern evaluation (default branch or release tag); adjusted triggers to include releases/v** pushes and PRs to main, and simplified branching logic.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

size/xs

Suggested reviewers

  • matthiasbruns
  • frewilhelm
  • jakobmoellerdev

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/kubernetes-controller.yml (1)

158-173: ⚠️ Potential issue | 🔴 Critical

Exclude PR events from the publish eligibility check.

On pull_request events, REF resolves to github.head_ref (Line 52). A PR branch named kubernetes/controller/v1.2.3 will match the version regex here and set should_publish=true, allowing the publish job (Line 295) to run on unmerged PR code. Add a guard condition to skip this check for PRs, as the CLI workflow already does.

Suggested fix
       - name: Determine publish eligibility
+        if: ${{ github.event_name != 'pull_request' }}
         id: branch-check
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           REF: ${{ env.REF }}
         with:
           script: |
             const ref = process.env.REF;
             const defaultBranch = context.payload.repository?.default_branch || 'main';
             // Publish for: main or release tags.
             // Release branches (releases/v*) only build+test.
             core.setOutput(
               'should_publish',
               ref === defaultBranch ||
               /^kubernetes\/controller\/v\d+\.\d+(\.\d+)?(-.*)?$/.test(ref)
             );
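Review bot: The step-level `if:` added to `Determine publish eligibility` means that on pull_request events the step is skipped and `should_publish` is never set, so consumers see an empty string rather than 'false'. Any condition that reads this output has to compare against the string 'true' explicitly; alternatively, keep the step unconditional and fold the event check into the `core.setOutput` expression so the output is always defined. Passing `REF` through `env:` rather than interpolating it into the script is worth keeping, since on PRs it carries a contributor-chosen branch name.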
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/kubernetes-controller.yml around lines 158 - 173, The
branch-check step (id: branch-check) sets the output should_publish based only
on REF and a version-regex, which causes pull_request events (where REF is
github.head_ref) to incorrectly mark PR branches like
kubernetes/controller/v1.2.3 as publishable; update the script to first detect
the event type (e.g., context.eventName or github.event_name) and short-circuit
so that when the event is "pull_request" it sets should_publish to false (or
skips the regex check), otherwise proceed with the existing defaultBranch/ref vs
/^kubernetes\/controller\/v\d+\.\d+(\.\d+)?(-.*)?$/ test — modify the
branch-check step to include this guard so publish cannot run on unmerged PR
code.
.github/workflows/cli.yml (1)

124-133: ⚠️ Potential issue | 🟠 Major

Use the ref being built when deciding publish eligibility.

This step checks GITHUB_REF_NAME, but the workflow otherwise builds from env.REF (Lines 48 and 77). Under workflow_call, a caller can override ref; with the current code, the publish decision is made from the GitHub context ref instead of the actual ref being built. Reuse env.REF here for consistency.

Suggested fix
       - name: Determine if this is a push-eligible branch
         if: ${{ github.event_name != 'pull_request' }}
         id: branch-check
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        env:
+          REF: ${{ env.REF }}
         with:
           script: |
+            const ref = process.env.REF;
             core.setOutput(
               "should_push_oci_image",
-              process.env.GITHUB_REF_NAME === context.payload.repository.default_branch ||
-              /^cli\/v\d+\.\d+(\.\d+)?(-.*)?$/.test(process.env.GITHUB_REF_NAME)
+              ref === context.payload.repository.default_branch ||
+              /^cli\/v\d+\.\d+(\.\d+)?(-.*)?$/.test(ref)
             )
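Review bot: `context.payload.repository.default_branch` in the `core.setOutput` call is dereferenced without a guard, whereas the controller workflow's version of this check uses `context.payload.repository?.default_branch || 'main'`. If the payload carries no `repository` object, the script throws instead of producing an output. Suggest using the same optional chaining and fallback here so both workflows evaluate eligibility the same way.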
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cli.yml around lines 124 - 133, The publish eligibility
check in the GitHub Action step with id "branch-check" uses
process.env.GITHUB_REF_NAME but the workflow builds from env.REF when callers
can override the ref; update the script used by actions/github-script (the
core.setOutput call that sets "should_push_oci_image") to use process.env.REF
instead of process.env.GITHUB_REF_NAME while keeping the existing comparison
against context.payload.repository.default_branch and the
/^cli\/v\d+\.\d+(\.\d+)?(-.*)?$/ regex so the decision reflects the actual ref
being built.
📥 Commits

Reviewing files that changed from the base of the PR and between 1844459 and 34f71ff.

📒 Files selected for processing (2)
  • .github/workflows/cli.yml
  • .github/workflows/kubernetes-controller.yml
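
The eligibility check discussed in the review above, as an added example that is not part of the PR or the project's workflows: it runs the ref-only check and an event-guarded version over constructed events and lists where they disagree. The regexes are taken from the page; the function names, the sample events and the `pull_request` case with head branch `main` (which goes beyond the case named in the review) are assumptions made for illustration.

```javascript
// Added example: models the publish-eligibility checks discussed in this review.
// Regexes are copied from the page; names and sample events are constructed.
const TAG_PATTERNS = {
  cli: /^cli\/v\d+\.\d+(\.\d+)?(-.*)?$/,
  controller: /^kubernetes\/controller\/v\d+\.\d+(\.\d+)?(-.*)?$/,
};

// Check as flagged in the review: decides from the ref name alone.
function unguardedShouldPublish(component, ref, defaultBranch = 'main') {
  return ref === defaultBranch || TAG_PATTERNS[component].test(ref);
}

// Guarded form: pull_request events never publish, whatever the head branch is called.
function guardedShouldPublish(component, event, defaultBranch = 'main') {
  if (event.eventName === 'pull_request') return false;
  return unguardedShouldPublish(component, event.ref, defaultBranch);
}

// Constructed events. For pull_request, ref is the head branch name (github.head_ref).
const SAMPLE_EVENTS = [
  { eventName: 'push', ref: 'main' },
  { eventName: 'push', ref: 'releases/v0.3' },
  { eventName: 'push', ref: 'kubernetes/controller/v1.2.3' },
  { eventName: 'push', ref: 'kubernetes/controller/v1.2.3-rc.1' },
  { eventName: 'pull_request', ref: 'kubernetes/controller/v1.2.3' },
  { eventName: 'pull_request', ref: 'main' }, // e.g. a PR opened from a fork's own main
  { eventName: 'pull_request', ref: 'fix/typo' },
];

// Returns the events where the two checks disagree, i.e. where only the
// unguarded check would let the publish job run.
function findDisagreements(component, events) {
  return events.filter(
    (e) => unguardedShouldPublish(component, e.ref) !== guardedShouldPublish(component, e)
  );
}

for (const e of SAMPLE_EVENTS) {
  console.log(e.eventName.padEnd(13), e.ref.padEnd(36),
    'unguarded:', unguardedShouldPublish('controller', e.ref),
    'guarded:', guardedShouldPublish('controller', e));
}
console.log(findDisagreements('controller', SAMPLE_EVENTS));
```
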

@matthiasbruns

why? tickets? Can you please link or document your mental model in issues please?

@morri-son

@matthiasbruns

> why? tickets? Can you please link or document your mental model in issues please?

Came up in the war room. Is part of open-component-model/ocm-project#863. I added it.

@morri-son morri-son enabled auto-merge (squash) March 17, 2026 18:35

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/kubernetes-controller.yml:
- Around line 4-6: Update the header comment in the Kubernetes workflow to stop
implying tag-triggered runs: remove or rephrase the phrase "as well as release
tags" and explicitly state that the workflow triggers on pushes to main or
release branches and on PRs targeting main or release branches, and that tag
pushes (i.e. on.push.tags) are not defined so tags do not directly trigger this
workflow; ensure the comment references that release branches (e.g.
releases/v**) run builds and e2e tests but tags are not configured as triggers.

📥 Commits

Reviewing files that changed from the base of the PR and between 34f71ff and 582bb08.

📒 Files selected for processing (1)
  • .github/workflows/kubernetes-controller.yml

Comment thread .github/workflows/kubernetes-controller.yml Outdated
…release-branches

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
…i-son/open-component-model into remove-publish-for-release-branches

On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
On-behalf-of: Gerald Morrison (SAP) <gerald.morrison@sap.com>
Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>

@matthiasbruns matthiasbruns left a comment

lgtm

@morri-son morri-son merged commit 3465840 into open-component-model:main Mar 20, 2026
19 checks passed
@morri-son morri-son deleted the remove-publish-for-release-branches branch April 23, 2026 12:46
Development

Successfully merging this pull request may close these issues.

Create Github workflow for release of kubernetes/controller

4 participants