
ci: decouple chart publish from release-please #14

Open
StephanMeijer wants to merge 1 commit into main from ci/decouple-publish-workflow

Conversation

StephanMeijer (Contributor) commented Jun 1, 2026

Publish on release: published instead of release-please outputs. Per-chart, idempotent, and recoverable via workflow_dispatch.

Summary by CodeRabbit

  • New Features
    • Introduced automated Helm chart publishing workflow that validates releases, updates chart dependencies, and publishes packaged charts as OCI artifacts to the container registry with each release.
  • Chores
    • Refined release automation workflow configuration for improved system efficiency and code maintainability.

Trigger publish on release: published instead of release-please outputs.
This makes publishing per-chart and idempotent, and adds workflow_dispatch
for manual recovery when a tag exists but the OCI push failed.

Removes the publish job from release-please.yml; release-please now only
opens release PRs and creates GitHub releases on merge.
coderabbitai Bot commented Jun 1, 2026

📝 Walkthrough

This PR introduces a new GitHub Actions workflow for publishing Helm charts to GHCR as OCI artifacts on release events, with tag validation and component path resolution. It simultaneously removes step ID and outputs wiring from the release-please workflow, simplifying the release job configuration.

Changes

Helm Chart Publishing Workflow

Layer | File(s) | Summary
Workflow metadata and triggers | .github/workflows/publish.yml (lines 1–15) | Establishes the "Publish Helm Chart" workflow, triggered on published releases or manual dispatch with tag input, with concurrency control to gate overlapping publishes by tag.
Job setup and permissions | .github/workflows/publish.yml (lines 17–24) | Defines the publish job with scoped permissions for reading contents and publishing packages/attestations using OIDC.
Tag validation and chart path resolution | .github/workflows/publish.yml (lines 25–39) | Validates tag format as <component>-v<version>, extracts component and version using regex, and computes charts/<component> as the chart path; fails on invalid format.
Repository setup and Helm installation | .github/workflows/publish.yml (lines 40–48) | Checks out the repository at the resolved tag and installs a pinned Helm version.
GHCR authentication and chart publishing | .github/workflows/publish.yml (lines 50–62) | Logs into GHCR, updates Helm dependencies, packages the chart with component/version naming, and pushes the OCI artifact to oci://ghcr.io/docspec/charts; ensures logout runs unconditionally.

Release-Please Configuration Update

Layer | File(s) | Summary
Step ID removal | .github/workflows/release-please.yml (lines 19–24) | Removes the id: rp step identifier and disconnects downstream output wiring from the release-please action step while preserving the action invocation and config/manifest file inputs.

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 A chart for every release—now published with care,
GHCR awaits the artifacts rare!
With tag validation and Helm on the side,
To GHCR's OCI, let charts ride and glide!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The PR title accurately describes the main change: decoupling the chart publishing workflow from the release-please workflow by introducing a separate publish workflow triggered on release events.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

48-48: ⚡ Quick win

Update pinned Helm version: v4.1.4 is a valid Helm release, but the latest stable version is v4.2.0 (released May 14, 2026). Consider bumping the pinned version: v4.1.4 in .github/workflows/publish.yml to v4.2.0 to pick up fixes/security updates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml at line 48, Update the pinned Helm version in
the GitHub Actions workflow by changing the value currently set as "version:
v4.1.4" in .github/workflows/publish.yml to "v4.2.0" so the workflow uses the
latest stable Helm release; locate the line containing the literal string
version: v4.1.4 and replace it with version: v4.2.0.

📥 Commits

Reviewing files that changed from the base of the PR and between 4867945 and 9a4a22b.

📒 Files selected for processing (2)
  • .github/workflows/publish.yml
  • .github/workflows/release-please.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/release-please.yml

Comment on line 28
- name: Resolve tag
  id: tag
  run: |
    TAG="${{ github.event.release.tag_name || inputs.tag }}"

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Code injection vulnerability via template expansion in shell script.

Direct expansion of ${{ github.event.release.tag_name || inputs.tag }} into a bash assignment allows code injection before the validation regex runs. An attacker with write access could craft a tag like $(malicious-command) to execute arbitrary code.

Use an environment variable to prevent template expansion within the shell script.

🔒 Proposed fix to use environment variable
       - name: Resolve tag
         id: tag
+        env:
+          TAG: ${{ github.event.release.tag_name || inputs.tag }}
         run: |
-          TAG="${{ github.event.release.tag_name || inputs.tag }}"
           if [[ ! "$TAG" =~ ^([a-z0-9-]+)-v([0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
             echo "::error::Tag '$TAG' does not match expected format <component>-v<version>"
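
Review bot: the `env:` mapping fixes the finding, and the quoting on the two unchanged context lines does the rest of the work: `"$TAG"` must stay double-quoted both in `[[ ! "$TAG" =~ ... ]]` and in the `echo "::error::..."` message, because the value is still untrusted input (from `github.event.release.tag_name` or the workflow_dispatch `inputs.tag`) and an unquoted expansion would bring back word-splitting and globbing on it. Suggest a one-line comment above the `env:` block stating why the value is passed this way, so a later refactor does not inline the expression into the script again.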

As per static analysis hints, this was flagged as template-injection by zizmor.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 28-28: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)


🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml at line 28, The TAG assignment uses direct
template expansion (TAG="${{ github.event.release.tag_name || inputs.tag }}")
which allows shell template injection; fix by moving the template result into
the workflow environment and then referencing that env var inside the shell step
(e.g., define env: TAG: ${{ github.event.release.tag_name || inputs.tag }} for
the job/step and in the run use a safe expansion like TAG="$TAG" or printf '%s'
"$TAG" so no template content is re-interpreted by the shell), ensure the value
is quoted and validated against your regex after assigning from the env var.
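
As an added example (not code from this PR or the project), here is the "Resolve tag" logic written the way the proposed fix passes the value: the tag reaches the shell as an environment variable, is validated against the same `<component>-v<version>` pattern before anything uses it, and yields the `charts/<component>` path from the walkthrough. The function name, the single-line output format and the `demo` argument are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow: the "Resolve tag" step written so
# the tag reaches the shell as DATA (an environment variable, as the proposed
# `env: TAG:` fix does) rather than being pasted into the script by `${{ }}`.
# Function name and output format are assumptions for this example.

# Same format the workflow enforces: <component>-v<version>, e.g. docspec-v1.2.3
TAG_RE='^([a-z0-9-]+)-v([0-9]+\.[0-9]+\.[0-9]+)$'

# resolve_tag: reads $TAG, validates it, prints "component version chart_path".
# Returns 1 on anything else. The value is only ever handed to printf/grep/sed
# as an argument, so a tag such as '$(cmd)' is rejected, never evaluated.
resolve_tag() {
  tag="${TAG:-}"
  nl='
'
  # A workflow_dispatch input is free text; reject embedded newlines before the
  # line-oriented grep/sed below could be fooled by a second line.
  case $tag in
    *"$nl"*) printf '::error::Tag contains a newline\n' >&2; return 1 ;;
  esac
  if ! printf '%s\n' "$tag" | grep -Eq "$TAG_RE"; then
    printf '::error::Tag %s does not match expected format <component>-v<version>\n' "$tag" >&2
    return 1
  fi
  component=$(printf '%s\n' "$tag" | sed -E "s/$TAG_RE/\\1/")
  version=$(printf '%s\n' "$tag" | sed -E "s/$TAG_RE/\\2/")
  printf '%s %s %s\n' "$component" "$version" "charts/$component"
}

# Stand-alone demo: a release tag, then the manual-recovery path with a bad value.
if [ "${1:-}" = "demo" ]; then
  TAG=docspec-v1.2.3 resolve_tag
  TAG='$(true)' resolve_tag || echo "rejected as expected"
fi
```

Run it as `sh resolve_tag.sh demo` to see both the accepted and the rejected path.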

Comment on lines +40 to +43
- name: Checkout
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  with:
    ref: ${{ steps.tag.outputs.ref }}

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add persist-credentials: false to prevent credential leakage.

The checkout action persists credentials by default, which could be accessed by subsequent steps or malicious code in the repository. Since this workflow doesn't need to push commits, credentials should not be persisted.

🔒 Proposed fix to disable credential persistence
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ steps.tag.outputs.ref }}
+          persist-credentials: false
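
Review bot: `persist-credentials: false` is the right setting for a job that only needs `contents: read` on the checkout and never pushes; the GHCR login described in the walkthrough uses the job's own `packages: write` token, not the checkout credential, so the push path is unaffected. One thing to confirm before merging: the later `helm dependency update` step must not rely on the persisted token to fetch chart dependencies, otherwise that step needs its own credential.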

As per static analysis hints, this was flagged as artipacked by zizmor.

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 40-43: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 40 - 43, The Checkout step
currently uses actions/checkout without disabling credential persistence; update
the step that uses actions/checkout@de0fac2e... (the "Checkout" step) to add
with: persist-credentials: false (alongside any existing with keys like ref) so
credentials are not persisted to later steps.

Copilot AI left a comment

Pull request overview

This PR decouples Helm chart publishing from release-please by moving publishing into a dedicated workflow that runs when a GitHub Release is published (and can be rerun manually via workflow_dispatch). This aligns chart publishing with the actual release lifecycle and makes recovery possible by re-running the publish workflow for a specific tag.

Changes:

  • Removed the chart publishing job and related outputs from the release-please workflow.
  • Added a new publish.yml workflow that publishes a single chart based on the released tag (<component>-v<version>) or a manually provided tag.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
.github/workflows/release-please.yml | Removes the in-workflow publish job, leaving release creation to release-please.
.github/workflows/publish.yml | Adds a release-triggered + manually invokable workflow to package and push a chart to GHCR as an OCI artifact.

Comment on lines +19 to +23
permissions:
  contents: read
  packages: write
  attestations: write
  id-token: write