feat: unified release flow for a single github release version

[Skarlso]

What this PR does / why we need it

Update: We still do create the cli/v* tag as well, because things depend on it. 🤷

Okaaay. This is a larger one. I'll try to sensibly explain what my thinking was here and how I ended up with pipelines.yaml and release.yaml.

So this pr replaces our per-component release with a single unified release. We drop the cli/v* tags, because frankly, they aren't needed anymore, no-one is importing the CLI. We keep the kubernetes/controller/v* tags because those tags are used by people who import all things Kubernetes. If we ever want to create the cli tag again, that's super easy to add. ( we need to add the tag check to the javascript regex, release have to be made aware to push it, and create-tag.js updated ).

Now, if we don't tag, how does this all work? That's the neat part and that's why this unification is so nice! It's built from the same ref and get tested as a pair always!

What changed?

These are mostly structural changes. I tried to limit the number of things I moved but I deleted a bunch of action files, and copied most of their contents verbatim or with only very slight modifications because of the tags. The new things are mostly added for workflow coordination! The other thing we talked about is the conformance testing trigger. I moved that into the pipeline section which has arguably a lot of triggers, but this is MAIN FLOW for all builds, pushes and runs. And I would argue that everything is now IN ONE PLACE instead of several other places and files. And surprisingly, it's not significantly longer.

The tradeoff. CLI changes WILL run conformance and e2e. This is by design to make sure that the new CLI does not break the conformance tests. We can improve here in a followup ( because I wanted to keep this as minimal as possible ) to pass in a flag from CLI saying something like skipE2E and then at least that will not run. The conformance does NEED to run though and for that we need the build and chart because those are artifacts used by the conformance test.

The Javascript changes I did by hand first to my limited knowledge, then ran it through an llm a couple of times to see if it could improve on my logic. It did in a few places and added tests as well, which is nice.

Here is a test of this entire flow: https://github.com/Skarlso/open-component-model/actions/runs/25546869852

My test included an ocm-bot ( I created a github app, added GPG signing keys and everything ) so the flow is the same without any stupid modifications locally that would make it work. The bot had registry read/write and content read/write access.

Here is the release and pre release it created: https://github.com/Skarlso/open-component-model/releases/tag/v0.7.0
And: https://github.com/Skarlso/open-component-model/releases/tag/v0.7.0-rc.1
Ignore the changelog it's HUGE. I didn't have anything so it generated the entire commit history. :D

I also forgot to set up reviewers and the gate so it immediately ran through without waiting. :) That shouldn't happen here.

What else... I tried running some failure scenarios as well, to make sure I could restart the entire flow. The entire thing is pretty solid. You can literally re-run the whole thing over and over and it should either fail early with things like, already exists, yada yada, or just run through normally if nothing changed. The only real issue if the tag / release would be somehow pushed incorrectly. Then we'd have to revoke it, but that's an existing problem.

I did not update RELEASE_PROCESS.md yet. I'll do it after we decided that this is good. 😆

The pipeline:

Which issue(s) this PR fixes

Fixes open-component-model/ocm-project#1058.

Testing

How to test the changes

Verification

• I have added/updated tests for my changes (see Test Requirements)
• Tests pass locally (task test and task test/integration if applicable)
• If touching multiple modules, go work is enabled (see go.work)
• My changes do not decrease test coverage
• I have tested the changes locally by running ocm

[netlify]

✅ Deploy Preview for ocm-website ready!

Name	Link
🔨 Latest commit	98f9c6b
🔍 Latest deploy log	https://app.netlify.com/projects/ocm-website/deploys/6a168029fe5642000809d606
😎 Deploy Preview	https://deploy-preview-2468--ocm-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Consolidates component release flows into a unified two-phase Release workflow, adds idempotent multi-target tagging helpers, centralizes canonical version computation, enforces release-note size limits with safe truncation, and converts component builds into reusable pipeline jobs orchestrated by a new pipeline workflow.

Changes

Unified Release and CI/CD Pipeline

Layer / File(s)	Summary
Release Versioning Logic .github/scripts/release-versioning.js	Centralizes RC/promotion computation from branch-derived prefix, restricts previous-tag discovery to canonical vX.Y.Z, consolidates parsing/comparison helpers, refactors computeNextVersions, and emits module-side tag outputs plus changelog_range.
Versioning Tests .github/scripts/release-versioning.test.js	Refactored fixtures/expectations to assert canonical-only selection, ignore side-prefixed tags, and ensure previous-tag selection doesn't return newer stable tags.
Tagging Helpers .github/scripts/create-tag.js	Added idempotent tagAtHead and tagAtCommit, parsing of ADDITIONAL_TAGS, replaced single-tag entrypoints with createRcTags and createNewReleaseTags to support canonical + module tags.
Tagging Tests .github/scripts/create-tag.test.js	Updated tests to validate multi-tag creation, ADDITIONAL_TAGS parsing/whitespace tolerance, idempotency, and failure paths for missing env or mismatched commits.
Release Notes Handling .github/scripts/publish-final-release.js	Added GitHub release-body size guard (with safety buffer), unified RC-header promotion flow, truncation that avoids splitting UTF-16 surrogate pairs, and appended truncation notice.
Release Notes Tests .github/scripts/publish-final-release.test.js	Added tests for oversized-note truncation and within-limit behavior, asserting truncation notice and header retention.
Changelog Config cliff.toml, cli/cliff.toml	Consolidated per-component git-cliff into root cliff.toml, removed cli/cliff.toml, extended changelog template with CLI and Controller usage subsections, and simplified pre/postprocessor syntax.
CLI Reusable Workflow .github/workflows/cli.yml	Converted to workflow_call-only reusable workflow, removed on: push/pull_request, changed outputs to expose version, removed publish-eligibility branch-check, and normalized TAG_PREFIX to v.
Controller Reusable Workflow .github/workflows/kubernetes-controller.yml	Converted to workflow_call-only, removed workflow concurrency, added centralized IMAGE_NAME export, normalized TAG_PREFIX to v, and removed downstream publish/conformance chain.
Conformance Reusable Workflow .github/workflows/conformance.yml	Converted to workflow_call-only, removed workflow-level concurrency/static env image name, added Compute image refs step exporting CLI_IMAGE_NAME/CONTROLLER_IMAGE_NAME, updated inputs to prefer artifact mode, and require both CLI and toolkit images at validation.
Pipeline Orchestration Workflow .github/workflows/pipeline.yml	New reusable pipeline orchestrator that runs CLI/controller builds, conformance, decides publish eligibility, and conditionally publishes CLI/controller images and Helm chart with digest resolution and attestations.
Unified Release Workflow .github/workflows/release.yml	New two-phase release workflow: Phase 1 computes RC versions/changelog, optionally creates signed RC tags (createRcTags), triggers pipeline build, publishes RC prerelease, and verifies attestations; Phase 2 promotes tags (createNewReleaseTags), repackages/verifies Helm chart, and publishes final release using publish-final-release.js.
Removed Old Workflows .github/workflows/cli-release.yml, .github/workflows/controller-release.yml, .github/workflows/release-candidate-version.yml	Deleted legacy component-specific release workflows consolidated into unified release.yml and the new pipeline.
Website Workflow Update .github/workflows/website-live-test-install-script.yml	Resolve latest stable release without CLI prefix, reduce outputs to version only, and update failure messaging.
Docs RELEASE_PROCESS.md	Rewrote and condensed release process to a lockstep single Release workflow model with RC→promotion cadence and simplified operator guidance.

Sequence Diagram(s)

sequenceDiagram
  participant ReleaseWF as Release workflow
  participant Versioning as release-versioning.js
  participant Tagger as create-tag.js
  participant Pipeline as pipeline.yml
  participant Publisher as publish-final-release.js

  ReleaseWF->>Versioning: compute RC/promotion tags & changelog_range
  ReleaseWF->>Tagger: createRcTags(CANONICAL_TAG, ADDITIONAL_TAGS) at HEAD
  ReleaseWF->>Pipeline: invoke pipeline with ref/version
  Pipeline->>Publisher: publish and attest RC artifacts
  ReleaseWF->>Tagger: createNewReleaseTags(RC_TAG, NEW_RELEASE_TAG, ADDITIONAL_TAGS) at RC commit
  ReleaseWF->>Publisher: prepare final release notes & publish final GitHub release

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~105 minutes

Possibly related PRs

• open-component-model/open-component-model#2322: Related changes to website install/version-resolution flow and resolve outputs used by website/live-test scripts.
• open-component-model/open-component-model#2005: Overlaps on CLI/conformance workflow outputs and artifact-based inputs/flows.
• open-component-model/open-component-model#2131: Overlapping edits to .github/scripts/release-versioning.js (summary/table/output adjustments).

Suggested reviewers

• morri-son
• frewilhelm
• jakobmoellerdev

"I’m a rabbit with a tiny key,
Hopping tags from HEAD to tree,
RCs and promos, one neat line—
Pipelines hum and releases shine,
Tucked notes trimmed, the flow feels free."

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 76.47% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'feat: unified release flow for a single github release version' clearly and concisely summarizes the main change: consolidating multiple per-component release workflows into a single unified release process.
Linked Issues check	✅ Passed	The PR fulfills both core requirements from issue #1058: builds and tests CLI+controller together in unified pipeline.yml ensuring conformance validates matched pairs, and uses release.yml to dispatch releases from release branches, ensuring both components built from same ref.
Out of Scope Changes check	✅ Passed	All changes are scoped to the unified release objective: new pipeline.yml/release.yml workflows, script refactoring for multi-tag workflows, test updates, configuration changes for unified processes, and documentation updates. No unrelated modifications detected.
Description check	✅ Passed	The PR description comprehensively explains the unified release flow, architectural changes, workflow consolidation, and testing performed. It directly addresses the changeset and provides clear context for why these changes were made.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

.github/workflows/kubernetes-controller.yml (1)

272-272: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Stale inputs.debug reference — that input is not declared on this workflow.

The workflow_call.inputs block (Lines 7‑16) only declares artifact_name and ref; there is no debug input. inputs.debug == true evaluates to '' == true (always false), so this currently degrades to if: failure() and works by accident. Either declare the input (and have callers pass it) or drop the dead branch.

♻️ Proposed fix (option A — drop dead branch)

       - name: Debug cluster state
-        if: failure() || inputs.debug == true
+        if: failure()
         run: |

♻️ Proposed fix (option B — declare the input)

       ref:
         description: "The ref to build on (branch or tag). Defaults to the current ref."
         type: string
         required: false
+      debug:
+        description: "If true, emit cluster debug output even on success."
+        type: boolean
+        required: false
+        default: false

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/kubernetes-controller.yml at line 272, The if condition
uses a nonexistent workflow input (workflow_call.inputs has only artifact_name
and ref) so `inputs.debug == true` is dead; either remove the dead branch or
declare the input. Fix option A: update the step condition from `if: failure()
|| inputs.debug == true` to `if: failure()` and remove any callers relying on
inputs.debug. Fix option B: add an input named `debug` to the
`workflow_call.inputs` block (type: boolean, default: false) so `inputs.debug ==
true` becomes valid, and ensure callers pass the new input when invoking the
workflow. Ensure you modify the unique symbols `workflow_call.inputs` and the
step with `if: failure() || inputs.debug == true`.

.github/workflows/conformance.yml (1)

50-52: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Concurrency block in a workflow_call-only workflow can cancel the orchestrator's run.

In workflow_call context, github.workflow resolves to the caller's workflow name (pipeline.yml/release.yml), not Conformance. Combined with cancel-in-progress: true, a second pipeline run on the same ref will cancel this conformance job mid-flight — and because the conformance job is part of the caller's run, this can also disrupt the caller. This is the same trap the new comment in kubernetes-controller.yml (Lines 41‑44) explicitly calls out and avoided by removing its own concurrency block.

Consider removing this block and letting pipeline.yml own concurrency for the whole chain, matching the pattern adopted in kubernetes-controller.yml.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conformance.yml around lines 50 - 52, Remove the
concurrency block from this workflow (the `concurrency` key and its nested
`group:` and `cancel-in-progress: true`) because this file is invoked via
`workflow_call` and `github.workflow` will resolve to the caller, which can
cause the caller's run to be cancelled; instead let the caller pipeline own
concurrency (follow the same approach used in `kubernetes-controller.yml`) so do
not set `concurrency` or `cancel-in-progress` in this `workflow_call`-only
workflow.

.github/workflows/cli.yml (1)

87-96: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Fix leftover cli/v prefix consumer: website-live-test-install-script.yml still hardcodes the old tag pattern.

The TAG_PREFIX change to "v" is incomplete. The workflow at .github/workflows/website-live-test-install-script.yml (line 40) still explicitly references const tagPrefix = 'cli/v';, which will cause it to look for releases with the legacy prefix instead of the new unified v* scheme. Update this hardcoded reference to use 'v' to align with the release scheme change.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cli.yml around lines 87 - 96, The workflow still hardcodes
the old release prefix; update the variable named tagPrefix in the
website-live-test-install-script.yml workflow (currently set to 'cli/v') to 'v'
so it matches the TAG_PREFIX change in the Compute VERSION step; locate the
declaration const tagPrefix = 'cli/v' and change its value to 'v' so the script
looks up releases using the unified v* tag scheme.

🧹 Nitpick comments (13)

.github/scripts/create-tag.test.js (1)

33-48: 💤 Low value

mockExecGit substring matching is fragile across the new test cases.

Patterns are matched by key.includes(pattern) and iterated in Object.entries insertion order, so any pattern that is a substring of another can shadow it. For example, in the "Wrong-commit existing tag" test (Lines 236‑240), "refs/tags/v0.1.0" is a substring of "rev-parse refs/tags/v0.1.0^{commit}", and the test passes only because the more specific "v0.1.0^{commit}" is declared first. Future additions are easy to break.

Consider switching to anchored/exact matching (e.g., key === pattern or a regex) and have callers pass full keys. Optional cleanup, not a blocker — the current tests are correct as written.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/create-tag.test.js around lines 33 - 48, The mockExecGit
helper uses substring matching (key.includes(pattern)) which allows shorter
patterns to shadow longer ones; change mockExecGit (fn) to use exact key
matching (key === pattern) or anchored regex matching when comparing keys
against responses so lookups are unambiguous, and update tests to pass full
command strings as response keys if necessary; ensure fn.calls remains populated
and behavior for Error responses is preserved.

.github/workflows/conformance.yml (2)

181-189: 💤 Low value

workflow_call is the only trigger — the if guard is dead code.

Since the on: block was reduced to workflow_call only (Lines 8‑9), github.event_name == 'workflow_call' is always true here and the conditional is always satisfied. This is harmless but misleading; consider removing the if to avoid implying there is another path.

♻️ Proposed fix

       - name: Validate required image references
-        if: ${{ github.event_name == 'workflow_call' }}
         run: |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conformance.yml around lines 181 - 189, The step named
"Validate required image references" contains a redundant if guard using
github.event_name == 'workflow_call' which is always true because the workflow
trigger is only workflow_call; remove the entire if: ${{ github.event_name ==
'workflow_call' }} line so the step always runs, keeping the run block that
checks CLI_IMAGE and TOOLKIT_IMAGE and prints their values (referencing
CLI_IMAGE and TOOLKIT_IMAGE in the existing run script).

---

70-78: ⚡ Quick win

Asymmetric semantics between CLI_IMAGE_NAME and CONTROLLER_IMAGE_NAME.

CLI_IMAGE_NAME is composed as ${REGISTRY}/$OWNER/cli (full ref including registry), while CONTROLLER_IMAGE_NAME is just $OWNER/kubernetes/controller (no registry). This is reflected at Line 145 where the controller usage manually re-prepends ${{ env.REGISTRY }}/. The asymmetry is easy to misuse — a future caller is likely to assume both variables follow the same convention.

Suggest making them consistent (either both include REGISTRY or both omit it).

♻️ Proposed fix

       - name: Compute image refs (lowercase owner)
         env:
           OWNER: ${{ github.repository_owner }}
         run: |
           OWNER="${OWNER,,}"
           {
             echo "CLI_IMAGE_NAME=${REGISTRY}/$OWNER/cli"
-            echo "CONTROLLER_IMAGE_NAME=$OWNER/kubernetes/controller"
+            echo "CONTROLLER_IMAGE_NAME=${REGISTRY}/$OWNER/kubernetes/controller"
           } >> "$GITHUB_ENV"

And update Line 145:

-          IMAGE_NAME: ${{ env.REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
+          IMAGE_NAME: ${{ env.CONTROLLER_IMAGE_NAME }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conformance.yml around lines 70 - 78, The two environment
variables have inconsistent semantics: CLI_IMAGE_NAME includes the registry
while CONTROLLER_IMAGE_NAME does not, causing callers to re-prepend env.REGISTRY
later; change CONTROLLER_IMAGE_NAME to include the registry as with
CLI_IMAGE_NAME by composing it as ${REGISTRY}/$OWNER/kubernetes/controller (so
both variables are full image refs), and then remove any manual re-prepending of
env.REGISTRY where CONTROLLER_IMAGE_NAME is used (update references that expect
a raw owner/path to use the new full ref).

.github/scripts/publish-final-release.test.js (1)

118-126: ⚡ Quick win

Truncation test bound is too loose.

Line 123 asserts result.length <= 125000, but MAX_RELEASE_BODY_LENGTH is 120000 — the assertion would pass even if truncation only partially worked (e.g., trimmed to 124000). Consider asserting the exact contract instead.

♻️ Proposed fix

-  assert.ok(result.length <= 125000, `Expected length <= 125000, got: ${result.length}`);
+  assert.strictEqual(result.length, 120000, `Expected exact MAX_RELEASE_BODY_LENGTH (120000), got: ${result.length}`);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/publish-final-release.test.js around lines 118 - 126, The
test currently checks result.length <= 125000 which is laxer than the actual
MAX_RELEASE_BODY_LENGTH; update the assertion in the truncation test to compare
against the real limit used by the implementation (use MAX_RELEASE_BODY_LENGTH
or the literal 120000) so it enforces the exact contract from
prepareReleaseNotes; locate the test block in
.github/scripts/publish-final-release.test.js referencing prepareReleaseNotes
and replace the length assertion to assert.ok(result.length <=
MAX_RELEASE_BODY_LENGTH, ...) (and update the failure message accordingly).

.github/scripts/publish-final-release.js (2)

5-13: ⚡ Quick win

Tighten the comment block and fix the typo.

Two small things:

• Line 7: preconfiugred → preconfigured.
• The "What is this and why is it here?" / "I'm willing to drop this …" framing is meta-commentary that belongs in the PR discussion, not the source. A concise rationale is sufficient here.

Also, the literal 125000-character in TRUNCATION_NOTICE is decoupled from MAX_RELEASE_BODY_LENGTH = 120000 — if you ever bump the cap, the notice will silently drift. Consider a GITHUB_RELEASE_BODY_LIMIT constant and interpolating it.

♻️ Proposed fix

-// What is this and why is it here? GitHub has a hard limit on the length of the changelog.
-// We could use git-cliff's [limit_commits](https://git-cliff.org/docs/configuration/git#limit_commits) setting, however,
-// that is a _hard_ limit. What does that mean? It will basically cut off at a preconfiugred number.
-// Meaning, the user will have no idea that there are supposed to be more commits if a release genuinely has
-// more than 200 commits (or whatever number is configured).
-// Now, this is fine, it's not really complexity, but I'm willing to drop this if we think it's just overkill.
-// I ran into this while testing the entire flow and had too many releases and went over the 125Kb limit.
-const MAX_RELEASE_BODY_LENGTH = 120000;
-const TRUNCATION_NOTICE = "\n\n---\n\n*Release notes truncated to fit GitHub's 125000-character body limit. See the source changelog or `git log` for the complete history.*";
+// GitHub's release body has a hard 125000-character limit. We truncate with
+// a notice instead of using git-cliff's `limit_commits`, which silently drops
+// commits beyond a preconfigured count without informing the reader.
+const GITHUB_RELEASE_BODY_LIMIT = 125000;
+const MAX_RELEASE_BODY_LENGTH = GITHUB_RELEASE_BODY_LIMIT - 5000; // safety buffer
+const TRUNCATION_NOTICE = `\n\n---\n\n*Release notes truncated to fit GitHub's ${GITHUB_RELEASE_BODY_LIMIT}-character body limit. See the source changelog or \`git log\` for the complete history.*`;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/publish-final-release.js around lines 5 - 13, The comment
block around MAX_RELEASE_BODY_LENGTH is too wordy and contains a typo; shorten
it to a concise rationale (e.g., explain GitHub's release body limit and why
truncation logic exists) and fix "preconfiugred" → "preconfigured". Replace the
hard-coded 125000 literal by introducing a GITHUB_RELEASE_BODY_LIMIT constant,
set MAX_RELEASE_BODY_LENGTH from it (or derive consistently), and update
TRUNCATION_NOTICE to interpolate that constant so the notice and limit never
drift; reference MAX_RELEASE_BODY_LENGTH, TRUNCATION_NOTICE and add
GITHUB_RELEASE_BODY_LIMIT in the same snippet.

---

66-69: 💤 Low value

Truncation can split a UTF-16 surrogate pair.

String.prototype.substring operates on UTF-16 code units, so cutting at an arbitrary safeLength may slice a surrogate pair (e.g. emoji used in headings, contributor names) and produce a broken character right before the truncation notice. Low likelihood for changelog content, but trivial to harden:

♻️ Proposed fix

-  if (notes.length > MAX_RELEASE_BODY_LENGTH) {
-    const safeLength = MAX_RELEASE_BODY_LENGTH - TRUNCATION_NOTICE.length;
-    notes = notes.substring(0, safeLength) + TRUNCATION_NOTICE;
-  }
+  if (notes.length > MAX_RELEASE_BODY_LENGTH) {
+    let safeLength = MAX_RELEASE_BODY_LENGTH - TRUNCATION_NOTICE.length;
+    // Avoid splitting a UTF-16 surrogate pair.
+    const code = notes.charCodeAt(safeLength - 1);
+    if (code >= 0xd800 && code <= 0xdbff) safeLength -= 1;
+    notes = notes.substring(0, safeLength) + TRUNCATION_NOTICE;
+  }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/publish-final-release.js around lines 66 - 69, The
truncation using notes.substring(safeLength) can split a UTF-16 surrogate pair
and produce a broken character before TRUNCATION_NOTICE; update the truncation
logic around MAX_RELEASE_BODY_LENGTH so it trims by code points rather than code
units (or if using substring, decrement safeLength until the code unit at
safeLength-1 is not a high surrogate (0xD800–0xDBFF)) before appending
TRUNCATION_NOTICE; keep the same variables (notes, safeLength,
MAX_RELEASE_BODY_LENGTH, TRUNCATION_NOTICE) and ensure the resulting string
length stays ≤ MAX_RELEASE_BODY_LENGTH while avoiding splitting surrogate pairs.

.github/scripts/create-tag.js (1)

76-108: 💤 Low value

Helpers don't need to be async, but the entrypoints do — minor consistency note.

tagAtHead and tagAtCommit are synchronous and correctly typed. createRcTags / createNewReleaseTags are declared async but never await anything — they're effectively synchronous wrappers that return a Promise<void>. That's fine for actions/github-script callers, but if any future step performs real async work (e.g., waiting on a network call after pushing), be aware that the current loop will swallow rejections only at the call site.

No change required.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/create-tag.js around lines 76 - 108, The helpers tagAtHead
and tagAtCommit are synchronous and fine, but the public entrypoints
createRcTags and createNewReleaseTags are declared async yet perform no awaits
which can hide future rejections; either keep them synchronous (remove async)
or, preferably, make them correctly async by awaiting any internal async work
and propagating errors (e.g., if you add network calls, await those promises
inside createRcTags/createNewReleaseTags and rethrow or let the Promise reject
so callers can handle failures); locate createRcTags/createNewReleaseTags and
update their signatures/implementation to consistently await internal async
calls and add try/catch where you need to convert errors to core.setFailed.

cliff.toml (1)

38-44: 💤 Low value

Add --rm to the example docker run command.

The example will leave a stopped container behind on every invocation. For a one-shot CLI usage example, prefer --rm. Also, -t without -i is unusual for a --help run; consider dropping it or using -it.

✏️ Proposed fix

 ```bash
-docker run -t ghcr.io/open-component-model/cli:latest --help
+docker run --rm ghcr.io/open-component-model/cli:latest --help

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @cliff.toml around lines 38 - 44, Replace the example command "docker run -t
ghcr.io/open-component-model/cli:latest --help" by adding --rm to remove the
container after exit and remove the unnecessary -t; i.e. change that specific
"docker run -t ghcr.io/open-component-model/cli:latest --help" occurrence to
"docker run --rm ghcr.io/open-component-model/cli:latest --help" (or "docker run
--rm -it ghcr.io/open-component-model/cli:latest --help" if you prefer
interactive tty).

</details>

</blockquote></details>
<details>
<summary>.github/workflows/kubernetes-controller.yml (1)</summary><blockquote>

`91-94`: _💤 Low value_

**Image-ref computation is duplicated in `build` and `E2E` jobs.**

The same `Compute image refs (lowercase owner)` step appears at Lines 91‑94 and Lines 194‑197 with identical logic. Since each job runs on its own runner, you can't share the env, but you can avoid drift by exposing `IMAGE_NAME` as a `build` job output and referencing it from `E2E` via `needs.build.outputs.image_name`.

<details>
<summary>♻️ Proposed fix sketch</summary>

```diff
   build:
     ...
     outputs:
       artifact_name: ${{ env.ARTIFACT_NAME }}
       artifact_id: ${{ steps.upload-artifacts.outputs.artifact-id }}
       version: ${{ steps.version.outputs.version }}
+      image_name: ${{ steps.image-name.outputs.image_name }}
     steps:
       - name: Compute image refs (lowercase owner)
+        id: image-name
         env:
           OWNER: ${{ github.repository_owner }}
-        run: echo "IMAGE_NAME=${REGISTRY}/${OWNER,,}/kubernetes/controller" >> "$GITHUB_ENV"
+        run: |
+          IMAGE_NAME="${REGISTRY}/${OWNER,,}/kubernetes/controller"
+          echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
+          echo "image_name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
   ...
   E2E:
     ...
     steps:
-      - name: Compute image refs (lowercase owner)
-        env:
-          OWNER: ${{ github.repository_owner }}
-        run: echo "IMAGE_NAME=${REGISTRY}/${OWNER,,}/kubernetes/controller" >> "$GITHUB_ENV"
+      - name: Propagate IMAGE_NAME from build
+        run: echo "IMAGE_NAME=${{ needs.build.outputs.image_name }}" >> "$GITHUB_ENV"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/kubernetes-controller.yml around lines 91 - 94, Compute
the image ref once in the build job by turning the existing "Compute image refs
(lowercase owner)" step (which uses OWNER=${{ github.repository_owner }} and
REGISTRY) into a step that writes IMAGE_NAME to the job output (e.g., set-output
or outputs block named image_name) and remove the duplicate step from the E2E
job; then in the E2E job use needs.build.outputs.image_name to reference the
computed IMAGE_NAME instead of recomputing it, ensuring the build job declares
the output (job outputs) and the E2E job references that output.

.github/workflows/pipeline.yml (2)

175-178: 💤 Low value

TAG discovery from the OCI layout is fragile.

oras repo tags --oci-layout ${LAYOUT} | head -n 1 silently picks an arbitrary tag if the layout ever contains more than one. If the CLI build later starts emitting multiple tags (e.g. a version + latest), this will push the wrong reference. Consider passing the version explicitly from build_cli.outputs.version (the same way publish_controller does on line 285) so the published tag is deterministic.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pipeline.yml around lines 175 - 178, Replace the fragile
TAG discovery that uses "oras repo tags --oci-layout ${LAYOUT} | head -n 1" with
a deterministic value from the build job output; set TAG to the
build_cli.outputs.version (the same source used by publish_controller) instead
of parsing the OCI layout so the published tag is explicit and stable (update
the step that currently writes "TAG=$TAG" to GITHUB_ENV to source
build_cli.outputs.version).

---

145-206: ⚡ Quick win

Inconsistent floating-tag handling between CLI and controller publishers.

publish_controller retags the image (and chart) as main when REF == 'main' (lines 287–291, 316–320), but publish_cli has no equivalent step. Anyone consuming ghcr.io/<owner>/cli:main to track the default branch will not get an updated digest from this workflow.

If the CLI image is intentionally not floating-tagged, please document that here; otherwise add a parallel "Tag image with main floating tag" step to keep the two publishers symmetric.

.github/scripts/release-versioning.js (1)

299-306: 💤 Low value

Sort comparator returns -1 for equal items — fine for .pop(), but technically not a total order.

isStableNewer(va, vb) returns false when va === vb, so the comparator returns -1 for equal versions, violating the Array.prototype.sort contract (should return 0). It happens to be safe here because you only use the largest element via .pop() and duplicates of canonical release tags shouldn't exist on GitHub. Worth a small tweak if you want a clean comparator:

♻️ Suggested cleanup

-    return versions.sort((a, b) => isStableNewer(`v${a}`, `v${b}`) ? 1 : -1).pop();
+    return versions.sort((a, b) => {
+        if (isStableNewer(`v${a}`, `v${b}`)) return 1;
+        if (isStableNewer(`v${b}`, `v${a}`)) return -1;
+        return 0;
+    }).pop();

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/scripts/release-versioning.js around lines 299 - 306, The sort
comparator in extractHighestPreviousReleaseVersion uses isStableNewer and
returns -1 when versions are equal, violating Array.sort's contract; update the
comparator in extractHighestPreviousReleaseVersion so it returns 0 for equal
items (e.g., compare a and b for equality first, then call
isStableNewer(`v${a}`, `v${b}`) to return 1 or -1), ensuring a proper total
order before calling .pop().

.github/workflows/release.yml (1)

496-522: 💤 Low value

Chart-equivalence check is a good safeguard — minor caveat on the tag-normalization regex.

Diffing the RC chart against the repackaged final chart after stripping version/appVersion and normalizing the manager image tag prefix is a nice integrity check that catches accidental drift between RC and final. One caveat: '.manager.image.tag |= sub("^[^@]*", "")' only works if the rendered tag actually contains @<digest>. If a future change ships a chart that pins by tag without the digest pinning, this would clear the entire string in one and not the other depending on shape, masking a real difference. Worth a brief comment in the workflow noting that contract.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 496 - 522, The yq normalization '
.manager.image.tag |= sub("^[^@]*", "")' will zero-out the tag when there is no
'@' digest present; change the substitution to only strip the digest suffix by
using sub("@.*$", "") so tags without digests remain unchanged, update the two
yq invocations that operate on "$dir/values.yaml" (the lines that currently call
'.manager.image.tag |= sub("^[^@]*", "")'), and add a brief inline comment in
the workflow explaining the normalization only removes digest portions and will
not mask tag-vs-digest changes when a tag has no digest.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cliff.toml`:
- Around line 3-7: Fix the typos and tone in the top comment block: change
"unofied" to "unified" and "revelvant" to "relevant", and replace the personal
phrase "I copied over whatever was revelvant since both are now included in the
release." with a neutral wording such as "Contents from cli/cliff.toml and
kubernetes/controller/cliff.toml were merged; relevant settings were carried
over for the release." to make the config comment clear and impersonal.

---

Outside diff comments:
In @.github/workflows/cli.yml:
- Around line 87-96: The workflow still hardcodes the old release prefix; update
the variable named tagPrefix in the website-live-test-install-script.yml
workflow (currently set to 'cli/v') to 'v' so it matches the TAG_PREFIX change
in the Compute VERSION step; locate the declaration const tagPrefix = 'cli/v'
and change its value to 'v' so the script looks up releases using the unified v*
tag scheme.

In @.github/workflows/conformance.yml:
- Around line 50-52: Remove the concurrency block from this workflow (the
`concurrency` key and its nested `group:` and `cancel-in-progress: true`)
because this file is invoked via `workflow_call` and `github.workflow` will
resolve to the caller, which can cause the caller's run to be cancelled; instead
let the caller pipeline own concurrency (follow the same approach used in
`kubernetes-controller.yml`) so do not set `concurrency` or `cancel-in-progress`
in this `workflow_call`-only workflow.

In @.github/workflows/kubernetes-controller.yml:
- Line 272: The if condition uses a nonexistent workflow input
(workflow_call.inputs has only artifact_name and ref) so `inputs.debug == true`
is dead; either remove the dead branch or declare the input. Fix option A:
update the step condition from `if: failure() || inputs.debug == true` to `if:
failure()` and remove any callers relying on inputs.debug. Fix option B: add an
input named `debug` to the `workflow_call.inputs` block (type: boolean, default:
false) so `inputs.debug == true` becomes valid, and ensure callers pass the new
input when invoking the workflow. Ensure you modify the unique symbols
`workflow_call.inputs` and the step with `if: failure() || inputs.debug ==
true`.

---

Nitpick comments:
In @.github/scripts/create-tag.js:
- Around line 76-108: The helpers tagAtHead and tagAtCommit are synchronous and
fine, but the public entrypoints createRcTags and createNewReleaseTags are
declared async yet perform no awaits which can hide future rejections; either
keep them synchronous (remove async) or, preferably, make them correctly async
by awaiting any internal async work and propagating errors (e.g., if you add
network calls, await those promises inside createRcTags/createNewReleaseTags and
rethrow or let the Promise reject so callers can handle failures); locate
createRcTags/createNewReleaseTags and update their signatures/implementation to
consistently await internal async calls and add try/catch where you need to
convert errors to core.setFailed.

In @.github/scripts/create-tag.test.js:
- Around line 33-48: The mockExecGit helper uses substring matching
(key.includes(pattern)) which allows shorter patterns to shadow longer ones;
change mockExecGit (fn) to use exact key matching (key === pattern) or anchored
regex matching when comparing keys against responses so lookups are unambiguous,
and update tests to pass full command strings as response keys if necessary;
ensure fn.calls remains populated and behavior for Error responses is preserved.

In @.github/scripts/publish-final-release.js:
- Around line 5-13: The comment block around MAX_RELEASE_BODY_LENGTH is too
wordy and contains a typo; shorten it to a concise rationale (e.g., explain
GitHub's release body limit and why truncation logic exists) and fix
"preconfiugred" → "preconfigured". Replace the hard-coded 125000 literal by
introducing a GITHUB_RELEASE_BODY_LIMIT constant, set MAX_RELEASE_BODY_LENGTH
from it (or derive consistently), and update TRUNCATION_NOTICE to interpolate
that constant so the notice and limit never drift; reference
MAX_RELEASE_BODY_LENGTH, TRUNCATION_NOTICE and add GITHUB_RELEASE_BODY_LIMIT in
the same snippet.
- Around line 66-69: The truncation using notes.substring(safeLength) can split
a UTF-16 surrogate pair and produce a broken character before TRUNCATION_NOTICE;
update the truncation logic around MAX_RELEASE_BODY_LENGTH so it trims by code
points rather than code units (or if using substring, decrement safeLength until
the code unit at safeLength-1 is not a high surrogate (0xD800–0xDBFF)) before
appending TRUNCATION_NOTICE; keep the same variables (notes, safeLength,
MAX_RELEASE_BODY_LENGTH, TRUNCATION_NOTICE) and ensure the resulting string
length stays ≤ MAX_RELEASE_BODY_LENGTH while avoiding splitting surrogate pairs.

In @.github/scripts/publish-final-release.test.js:
- Around line 118-126: The test currently checks result.length <= 125000 which
is laxer than the actual MAX_RELEASE_BODY_LENGTH; update the assertion in the
truncation test to compare against the real limit used by the implementation
(use MAX_RELEASE_BODY_LENGTH or the literal 120000) so it enforces the exact
contract from prepareReleaseNotes; locate the test block in
.github/scripts/publish-final-release.test.js referencing prepareReleaseNotes
and replace the length assertion to assert.ok(result.length <=
MAX_RELEASE_BODY_LENGTH, ...) (and update the failure message accordingly).

In @.github/scripts/release-versioning.js:
- Around line 299-306: The sort comparator in
extractHighestPreviousReleaseVersion uses isStableNewer and returns -1 when
versions are equal, violating Array.sort's contract; update the comparator in
extractHighestPreviousReleaseVersion so it returns 0 for equal items (e.g.,
compare a and b for equality first, then call isStableNewer(`v${a}`, `v${b}`) to
return 1 or -1), ensuring a proper total order before calling .pop().

In @.github/workflows/conformance.yml:
- Around line 181-189: The step named "Validate required image references"
contains a redundant if guard using github.event_name == 'workflow_call' which
is always true because the workflow trigger is only workflow_call; remove the
entire if: ${{ github.event_name == 'workflow_call' }} line so the step always
runs, keeping the run block that checks CLI_IMAGE and TOOLKIT_IMAGE and prints
their values (referencing CLI_IMAGE and TOOLKIT_IMAGE in the existing run
script).
- Around line 70-78: The two environment variables have inconsistent semantics:
CLI_IMAGE_NAME includes the registry while CONTROLLER_IMAGE_NAME does not,
causing callers to re-prepend env.REGISTRY later; change CONTROLLER_IMAGE_NAME
to include the registry as with CLI_IMAGE_NAME by composing it as
${REGISTRY}/$OWNER/kubernetes/controller (so both variables are full image
refs), and then remove any manual re-prepending of env.REGISTRY where
CONTROLLER_IMAGE_NAME is used (update references that expect a raw owner/path to
use the new full ref).

In @.github/workflows/kubernetes-controller.yml:
- Around line 91-94: Compute the image ref once in the build job by turning the
existing "Compute image refs (lowercase owner)" step (which uses OWNER=${{
github.repository_owner }} and REGISTRY) into a step that writes IMAGE_NAME to
the job output (e.g., set-output or outputs block named image_name) and remove
the duplicate step from the E2E job; then in the E2E job use
needs.build.outputs.image_name to reference the computed IMAGE_NAME instead of
recomputing it, ensuring the build job declares the output (job outputs) and the
E2E job references that output.

In @.github/workflows/pipeline.yml:
- Around line 175-178: Replace the fragile TAG discovery that uses "oras repo
tags --oci-layout ${LAYOUT} | head -n 1" with a deterministic value from the
build job output; set TAG to the build_cli.outputs.version (the same source used
by publish_controller) instead of parsing the OCI layout so the published tag is
explicit and stable (update the step that currently writes "TAG=$TAG" to
GITHUB_ENV to source build_cli.outputs.version).

In @.github/workflows/release.yml:
- Around line 496-522: The yq normalization ' .manager.image.tag |=
sub("^[^@]*", "")' will zero-out the tag when there is no '@' digest present;
change the substitution to only strip the digest suffix by using sub("@.*$", "")
so tags without digests remain unchanged, update the two yq invocations that
operate on "$dir/values.yaml" (the lines that currently call '.manager.image.tag
|= sub("^[^@]*", "")'), and add a brief inline comment in the workflow
explaining the normalization only removes digest portions and will not mask
tag-vs-digest changes when a tag has no digest.

In `@cliff.toml`:
- Around line 38-44: Replace the example command "docker run -t
ghcr.io/open-component-model/cli:latest --help" by adding --rm to remove the
container after exit and remove the unnecessary -t; i.e. change that specific
"docker run -t ghcr.io/open-component-model/cli:latest --help" occurrence to
"docker run --rm ghcr.io/open-component-model/cli:latest --help" (or "docker run
--rm -it ghcr.io/open-component-model/cli:latest --help" if you prefer
interactive tty).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b99bfa8c-745c-4c4c-ad92-70f4efc4909c

📥 Commits

Reviewing files that changed from the base of the PR and between 154671b and 801db4c.

📒 Files selected for processing (16)

• .github/scripts/create-tag.js
• .github/scripts/create-tag.test.js
• .github/scripts/publish-final-release.js
• .github/scripts/publish-final-release.test.js
• .github/scripts/release-versioning.js
• .github/scripts/release-versioning.test.js
• .github/workflows/cli-release.yml
• .github/workflows/cli.yml
• .github/workflows/conformance.yml
• .github/workflows/controller-release.yml
• .github/workflows/kubernetes-controller.yml
• .github/workflows/pipeline.yml
• .github/workflows/release-candidate-version.yml
• .github/workflows/release.yml
• cli/cliff.toml
• cliff.toml

💤 Files with no reviewable changes (4)

• .github/workflows/release-candidate-version.yml
• cli/cliff.toml
• .github/workflows/controller-release.yml
• .github/workflows/cli-release.yml

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/conformance.yml (1)

182-189: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Require both resolved refs before starting conformance.

This reusable workflow now guarantees a matched CLI/controller pair, but Line 184 only errors when both are missing. If one artifact/input is absent, the other side can still fall back to the Taskfile default and the run stops validating the same ref on both components.

Suggested fix

       - name: Validate required image references
         run: |
-          if [ -z "$CLI_IMAGE" ] && [ -z "$TOOLKIT_IMAGE" ]; then
-            echo "::error::Neither CLI_IMAGE nor TOOLKIT_IMAGE is set. At least one must be provided via inputs or artifacts."
+          if [ -z "$CLI_IMAGE" ] || [ -z "$TOOLKIT_IMAGE" ]; then
+            echo "::error::Both CLI_IMAGE and TOOLKIT_IMAGE must be set via inputs or artifacts."
             exit 1
           fi
           echo "CLI_IMAGE=${CLI_IMAGE:-(using Taskfile default)}"
           echo "TOOLKIT_IMAGE=${TOOLKIT_IMAGE:-(using Taskfile default)}"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/conformance.yml around lines 182 - 189, The check
currently only errors when both CLI_IMAGE and TOOLKIT_IMAGE are missing; change
it to require both resolved refs by failing if either CLI_IMAGE or TOOLKIT_IMAGE
is empty. Update the shell conditional that inspects CLI_IMAGE and TOOLKIT_IMAGE
so it errors when [ -z "$CLI_IMAGE" ] || [ -z "$TOOLKIT_IMAGE" ] and keeps the
subsequent echo lines (echo "CLI_IMAGE=..." and echo "TOOLKIT_IMAGE=...") to
show the resolved values; reference the CLI_IMAGE and TOOLKIT_IMAGE variables in
your fix.

🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

519-529: ⚡ Quick win

Fail fast if the chart stops pinning manager.image.tag by digest.

Right now the normalization can turn a tag-only value into an empty string on both sides, so diff -r would still pass after a real RC/final drift. Add an explicit digest-pinning assertion before rewriting the field.

Suggested hardening

           for dir in "$work/rc" "$work/final"; do
+            grep -q '@sha256:' "$dir/values.yaml" \
+              || { echo "::error::$dir/values.yaml is not digest-pinned"; exit 1; }
             yq -i 'del(.version, .appVersion)' "$dir/Chart.yaml"
             yq -i '.manager.image.tag |= sub("^[^@]*", "")' "$dir/values.yaml"
           done

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 519 - 529, Before normalizing
manager.image.tag, validate that the chart pins the image by digest: in the loop
over "$work/rc" and "$work/final" (the block that runs yq -i 'del(.version,
.appVersion)' "$dir/Chart.yaml" and yq -i '.manager.image.tag |= sub("^[^@]*",
"")' "$dir/values.yaml"), read .manager.image.tag (with yq) and assert it
contains a digest marker (e.g. "@sha256:"); if the check fails print a clear
error referencing the chart (Chart.yaml/values.yaml and manager.image.tag) and
exit non‑zero so the workflow fails fast before performing the substitution.
Ensure the assertion runs for each "$dir" prior to the sub(...) rewrite.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In @.github/workflows/conformance.yml:
- Around line 182-189: The check currently only errors when both CLI_IMAGE and
TOOLKIT_IMAGE are missing; change it to require both resolved refs by failing if
either CLI_IMAGE or TOOLKIT_IMAGE is empty. Update the shell conditional that
inspects CLI_IMAGE and TOOLKIT_IMAGE so it errors when [ -z "$CLI_IMAGE" ] || [
-z "$TOOLKIT_IMAGE" ] and keeps the subsequent echo lines (echo "CLI_IMAGE=..."
and echo "TOOLKIT_IMAGE=...") to show the resolved values; reference the
CLI_IMAGE and TOOLKIT_IMAGE variables in your fix.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 519-529: Before normalizing manager.image.tag, validate that the
chart pins the image by digest: in the loop over "$work/rc" and "$work/final"
(the block that runs yq -i 'del(.version, .appVersion)' "$dir/Chart.yaml" and yq
-i '.manager.image.tag |= sub("^[^@]*", "")' "$dir/values.yaml"), read
.manager.image.tag (with yq) and assert it contains a digest marker (e.g.
"@sha256:"); if the check fails print a clear error referencing the chart
(Chart.yaml/values.yaml and manager.image.tag) and exit non‑zero so the workflow
fails fast before performing the substitution. Ensure the assertion runs for
each "$dir" prior to the sub(...) rewrite.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9227132a-15a6-4a47-a04f-c3f45c80ba06

📥 Commits

Reviewing files that changed from the base of the PR and between 801db4c and 1740f50.

📒 Files selected for processing (10)

• .github/scripts/publish-final-release.js
• .github/scripts/publish-final-release.test.js
• .github/scripts/release-versioning.js
• .github/workflows/conformance.yml
• .github/workflows/kubernetes-controller.yml
• .github/workflows/pipeline.yml
• .github/workflows/release.yml
• .github/workflows/website-live-test-install-script.yml
• cliff.toml
• website/static/install-cli.sh

✅ Files skipped from review due to trivial changes (2)

• cliff.toml
• .github/scripts/publish-final-release.test.js

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/scripts/publish-final-release.js
• .github/scripts/release-versioning.js
• .github/workflows/kubernetes-controller.yml

[Skarlso]

Okay, it seems dropping cli/v* tag wasn't a good idea apparently. I'll add that back and then revert the fallback behavior of the script.

[Skarlso]

Running a full release test here: https://github.com/Skarlso/open-component-model/actions/runs/25560299137

For the creation of the cli tag that I just added back in and the creds persistence change.

[Skarlso]

Okay, here is a short description of how the release looks like right now:

Daily CI and releases both run through pipeline.yml, which builds the CLI and controller in parallel from the same ref, runs conformance against the resulting pair of them and only publishes if conformance passes. Because both components come from the same SHA every time, conformance always tests a pair that belongs together, including on release branches and backports.

Releases are dispatched via release.yml. This calls pipeline.yml for the build, cuts an RC tag, waits at an environment gate, and on approval promotes the RC to a final v0.X.Y. This did largely not change from the original.

We create three tags on each release. One canonical final vX.Y.X. One, cli/* and one for kubernetes/controller/* like I wrote above. Attestations, chart verification, changelog generation are the same as before. The refactor just unified triggers and ordering and did not change what gets shipped eventually.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/scripts/release-versioning.js:
- Around line 8-14: Update the outdated header comment that says cli/v* tags are
intentionally not emitted to reflect current behavior: mention that the release
now creates three tags (v0.X.Y for the canonical release,
kubernetes/controller/v0.X.Y for the Go module, and cli/v0.X.Y for the CLI) so
the unified release flow depends on all three; locate the top-of-file tag-scheme
comment in release-versioning.js and edit its wording to list the cli/v* tag
alongside the other two tags and remove the incorrect statement about not
emitting CLI tags.

In @.github/workflows/release.yml:
- Around line 544-566: The Push final chart step invokes the task helm/push with
REGISTRY="$CONTROLLER_IMAGE" which causes the chart to be pushed to the wrong
OCI path; update that invocation to pass REGISTRY="$CONTROLLER_CHART" (i.e.,
replace CONTROLLER_IMAGE with CONTROLLER_CHART) so the task helm/push and the
Resolve final chart step (chart-digest / oras resolve) use the same
registry/chart name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 77c56816-d6d2-435c-a07a-afe45800b584

📥 Commits

Reviewing files that changed from the base of the PR and between 1740f50 and f4a825b.

📒 Files selected for processing (17)

• .github/scripts/create-tag.js
• .github/scripts/create-tag.test.js
• .github/scripts/publish-final-release.js
• .github/scripts/publish-final-release.test.js
• .github/scripts/release-versioning.js
• .github/scripts/release-versioning.test.js
• .github/workflows/cli-release.yml
• .github/workflows/cli.yml
• .github/workflows/conformance.yml
• .github/workflows/controller-release.yml
• .github/workflows/kubernetes-controller.yml
• .github/workflows/pipeline.yml
• .github/workflows/release-candidate-version.yml
• .github/workflows/release.yml
• .github/workflows/website-live-test-install-script.yml
• cli/cliff.toml
• cliff.toml

💤 Files with no reviewable changes (4)

• .github/workflows/controller-release.yml
• .github/workflows/cli-release.yml
• .github/workflows/release-candidate-version.yml
• cli/cliff.toml

🚧 Files skipped from review as they are similar to previous changes (10)

• cliff.toml
• .github/scripts/publish-final-release.test.js
• .github/scripts/publish-final-release.js
• .github/workflows/website-live-test-install-script.yml
• .github/scripts/create-tag.js
• .github/workflows/pipeline.yml
• .github/scripts/create-tag.test.js
• .github/scripts/release-versioning.test.js
• .github/workflows/cli.yml
• .github/workflows/kubernetes-controller.yml

[matthiasbruns]

this release flow is awesome 🚀
structure and files, call-sites are way easy to understand - mostly minor comments.

[jakobmoellerdev]

This PR should not go in without a change to release process md reflecting all of this

[Skarlso]

Frederic's concern is valid and will be fixed in the followup -> open-component-model/ocm-project#1076