
Add release workflow for publishing Helm chart to ECR#23

Merged: maor-rozenfeld merged 6 commits into main from publish on Feb 19, 2026

maor-rozenfeld (Contributor) commented Feb 18, 2026

Add a GitHub Actions release workflow that packages and pushes the Helm chart as an OCI artifact to public.ecr.aws/openops/helm.

Changes

  • .github/workflows/release.yml: New workflow with workflow_dispatch (version + draft inputs)
  • chart/Chart.yaml: Default version set to 0.0.1-dev (workflow sets real version at build time)
  • chart/values.yaml: global.version set to 0.0.1-dev
  • README.md: Added OCI install instructions as the recommended quick start
  • AGENTS.md: Documented the release workflow and versioning strategy
  • chart/templates/NOTES.txt: Updated upgrade command to use OCI reference

Follow-up

  • Add cross-repo trigger job in openops-cloud/openops release.yml

Closes CI-98

Copilot AI review requested due to automatic review settings February 18, 2026 12:42

linear bot commented Feb 18, 2026

Add a GitHub Actions workflow that packages the chart and pushes it
as an OCI artifact to public.ecr.aws/openops/helm. The workflow
supports manual dispatch and cross-repo triggers from the OSS
release workflow, with version and draft inputs.

- Create .github/workflows/release.yml with workflow_dispatch
- Set Chart.yaml defaults to 0.0.1-dev (workflow sets real versions)
- Update README.md with OCI install instructions
- Update AGENTS.md with release workflow and versioning docs
- Update NOTES.txt upgrade command to use OCI reference

Part of CI-172

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Adds a GitHub Actions release workflow to package and publish the OpenOps Helm chart as an OCI artifact to public ECR, and updates chart defaults/docs to reflect the new distribution path.

Changes:

  • Introduces .github/workflows/release.yml to set versions at build time, package the chart, push to public ECR, and create a GitHub release.
  • Resets chart/runtime default versions to 0.0.1-dev placeholders (Chart.yaml, values.yaml) for workflow-driven versioning.
  • Updates user-facing install/upgrade documentation to prefer OCI (README.md, AGENTS.md, chart/templates/NOTES.txt).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.

| File | Description |
| --- | --- |
| .github/workflows/release.yml | New manual release workflow to package/publish Helm chart to public ECR and create GitHub releases. |
| chart/Chart.yaml | Sets placeholder chart version and appVersion for workflow-time version injection. |
| chart/values.yaml | Sets placeholder global.version default intended to be replaced during release builds. |
| README.md | Adds OCI-based install instructions as the recommended quick start. |
| AGENTS.md | Documents the release workflow and versioning strategy for contributors/agents. |
| chart/templates/NOTES.txt | Updates post-install notes to show OCI-based upgrade command. |


maor-rozenfeld added a commit that referenced this pull request Feb 19, 2026
Minimal placeholder so GitHub registers the workflow_dispatch trigger
on main. The full implementation is in PR #23.

Part of CI-98

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
maor-rozenfeld and others added 2 commits February 19, 2026 13:52
# Conflicts:
#	.github/workflows/release.yml
helm push appends the chart name to the OCI URL, so pushing to
oci://public.ecr.aws/openops/helm stores the chart at
public.ecr.aws/openops/helm/openops. Updated the step summary and
documentation install commands to reference the correct path.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 19, 2026 12:59

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (4)

README.md:35

  • The OCI install example references -f values.overrides.yaml, but the next step instructs users to create chart/values.overrides.yaml and the source install example uses -f chart/values.overrides.yaml. This inconsistency will cause copy/paste installs to fail unless the user happens to have a root-level values.overrides.yaml. Align the path across the quick start (either consistently use chart/values.overrides.yaml or update the copy step / other examples to use a root-level file).

```bash
helm install openops oci://public.ecr.aws/openops/helm/openops \
  --version <VERSION> \
  -n openops --create-namespace \
  -f values.overrides.yaml
```

AGENTS.md:45

  • This line says the repo defaults are `0.0.1-dev / 0.0.1-dev`, but `chart/Chart.yaml` currently sets `appVersion: "latest"`. Either update the documentation to reflect the actual defaults, or change `appVersion` to match the stated versioning strategy (unified versions).

```
  • Do not bump versions in Chart.yaml or values.yaml manually—the release workflow sets them at build time. The repo defaults are 0.0.1-dev / 0.0.1-dev.
  • Required secrets: ECR_ACCESS_KEY_ID, ECR_SECRET_ACCESS_KEY; required vars: ECR_PUBLIC_REGION.
```

chart/templates/NOTES.txt:121

  • This upgrade example uses an OCI chart reference without specifying a version/tag. Since the release workflow pushes charts tagged with explicit versions (and not a `latest` tag), this command is likely to fail or be non-deterministic. Include `--version <VERSION>` (or `--version {{ .Chart.Version }}`) to make the upgrade command usable.

```
Upgrade deployment

helm upgrade {{ .Release.Name }} oci://public.ecr.aws/openops/helm/openops -n {{ .Release.Namespace }} -f values.overrides.yaml
```

chart/Chart.yaml:6

  • `appVersion` is set to `"latest"`, but the documented versioning strategy says chart version = appVersion = `global.version` for unified releases. If the intent is unified versioning, consider setting `appVersion` to match the default dev version (e.g. `0.0.1-dev`) and rely on the release workflow to update it at build time; otherwise, update the versioning docs to reflect that `appVersion` defaults to `latest`.

```yaml
version: 0.0.1-dev
appVersion: "latest"
```


maor-rozenfeld and others added 2 commits February 19, 2026 14:20
The helm push target oci://public.ecr.aws/openops/helm stores the chart
at helm/openops (chart name appended). Updated AGENTS.md references to
match the correct install/pull path.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The repo default global.version is 0.0.1-dev which does not exist as an
image tag in ECR, causing ImagePullBackOff in CI. Set version to 'latest'
in values.ci.yaml (all ECR images are tagged with latest) and update the
schema pattern to allow it.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 19, 2026 13:31

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (10)

chart/Chart.yaml:6

  • appVersion is set to "latest", but the documented versioning strategy says chart version = appVersion = global.version and that repo defaults are 0.0.1-dev / 0.0.1-dev. To keep metadata consistent (and avoid confusing helm show chart output), set the default appVersion to 0.0.1-dev as well (the release workflow can still overwrite it).

```yaml
version: 0.0.1-dev
appVersion: "latest"
```

chart/values.ci.yaml:8

  • Setting global.version: "latest" for CI makes the e2e workflow pull moving image tags, which can make CI results non-deterministic/flaky as images change independently of chart changes. Consider pinning CI to a specific released version (or digest) and updating it intentionally, or have CI set global.version from a known build artifact/tag.

```yaml
global:
  # Use latest published images for CI (repo default 0.0.1-dev does not exist in ECR)
  version: "latest"
```

README.md:35

  • The OCI quick-start uses -f values.overrides.yaml, but the source install instructions below create chart/values.overrides.yaml. A user following both paths can easily end up with the overrides file in the wrong location. Consider standardizing on one path (either values.overrides.yaml in the working dir, or chart/values.overrides.yaml) and updating the commands accordingly.

```bash
helm install openops oci://public.ecr.aws/openops/helm/openops \
  --version <VERSION> \
  -n openops --create-namespace \
  -f values.overrides.yaml
```

AGENTS.md:45

  • AGENTS.md states the repo defaults are `0.0.1-dev / 0.0.1-dev`, but `chart/Chart.yaml` currently defaults `appVersion` to `latest`. Either align the defaults in Chart.yaml, or update this documentation to match what’s in the repo.

```
  • Also triggered cross-repo by openops-cloud/openops release workflow.
  • Creates a GitHub release (draft or published) with the packaged .tgz as an asset.
  • Do not bump versions in Chart.yaml or values.yaml manually—the release workflow sets them at build time. The repo defaults are 0.0.1-dev / 0.0.1-dev.
  • Required secrets: ECR_ACCESS_KEY_ID, ECR_SECRET_ACCESS_KEY; required vars: ECR_PUBLIC_REGION.
```

AGENTS.md:42

  • The docs say draft versions are overwritable on ECR and final versions are immutable, but ECR tag mutability is repository-level and the workflow doesn’t currently enforce per-tag overwrite rules. If this behavior is required, consider adding a step to (a) fail when `draft=false` and the tag already exists, and (b) delete/overwrite the existing artifact when `draft=true`; otherwise, adjust the docs to reflect the actual registry behavior.

```
  • version (required): The release version (e.g., 0.6.15). Sets both Chart.yaml version/appVersion and global.version (image tags).
  • draft (boolean, default true): When true, appends -draft to the chart version (e.g., 0.6.15-draft). Draft versions are overwritable on ECR; final versions are immutable.
  • Also triggered cross-repo by openops-cloud/openops release workflow.
```

.github/workflows/release.yml:78

  • `softprops/action-gh-release` will create a Git tag named `$CHART_VERSION` pointing at the current commit, but this repo intentionally keeps `Chart.yaml`/`values.yaml` at dev versions and only rewrites them during the workflow. That means the tag’s source tree won’t match the released chart metadata, which hurts reproducibility/debugging. Consider either committing the version bump as part of the release (then tagging that commit) or using a tag name that clearly indicates it’s an artifact-only release (so users don’t assume the repo at that tag contains the released versions).

```yaml
  - name: Create GitHub release
    uses: softprops/action-gh-release@v2
    with:
      target_commitish: ${{ github.sha }}
      tag_name: ${{ env.CHART_VERSION }}
      name: openops-${{ env.CHART_VERSION }}
      generate_release_notes: true
      draft: ${{ inputs.draft }}
      files: ${{ env.CHART_PACKAGE }}
```

.github/workflows/release.yml:40

  • `inputs.version` flows into `$CHART_VERSION`/`$APP_VERSION` and is used to form OCI tags, Git tags, and `sed` replacements. Add an early validation step (e.g., regex check for SemVer + optional prerelease) to fail fast on invalid versions so you don’t publish malformed tags or end up with unexpected `sed` behavior.

```yaml
env:
  CHART_VERSION: ${{ inputs.draft && format('{0}-draft', inputs.version) || inputs.version }}
  APP_VERSION: ${{ inputs.version }}
steps:
  - name: Checkout repository
    uses: actions/checkout@v4

  - name: Set up Helm
    uses: azure/setup-helm@v4
    with:
      version: v3.14.4

  - name: Set chart version and appVersion
    run: |
      set -euo pipefail
      sed -i "s/^version:.*/version: $CHART_VERSION/" chart/Chart.yaml
      sed -i "s/^appVersion:.*/appVersion: \"$APP_VERSION\"/" chart/Chart.yaml
      sed -i 's/^  version: .*/  version: "'"$APP_VERSION"'"/' chart/values.yaml
```

chart/values.schema.json:16

  • The schema description still says the version tag is "Immutable", but the pattern now allows `latest`, which is intentionally mutable. Update the description to avoid claiming immutability when `latest` is accepted, or remove `latest` support if immutability is a requirement.

```json
      "type": "string",
      "description": "Immutable version tag for app and engine images (semver, 8-char git hash, or 'latest')",
      "pattern": "^([0-9]+\\.[0-9]+\\.[0-9]+(-[a-zA-Z0-9.-]+)?|[0-9a-fA-F]{8}|latest)$"
    }
```

chart/templates/NOTES.txt:122

  • The NOTES upgrade command pulls from an OCI registry without pinning a chart version. Without `--version`, `helm upgrade` will typically resolve the latest chart, which can lead to unintended major/minor upgrades. Consider including `--version {{ .Chart.Version }}` (or otherwise showing how to pin) in the suggested command.

```
Upgrade deployment

helm upgrade {{ .Release.Name }} oci://public.ecr.aws/openops/helm/openops -n {{ .Release.Namespace }} -f values.overrides.yaml
```

.github/workflows/release.yml:60

  • The release workflow relies on long-lived AWS access keys stored as GitHub secrets. For better security, consider switching to GitHub OIDC with `aws-actions/configure-aws-credentials` (`role-to-assume` + `permissions: id-token: write`) so no static credentials are needed.

```yaml
  - name: Configure AWS credentials
    uses: aws-actions/configure-aws-credentials@v4
    with:
      aws-access-key-id: ${{ secrets.ECR_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
      aws-region: ${{ vars.ECR_PUBLIC_REGION }}
```
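The early version check suggested in the `.github/workflows/release.yml:40` comment above could look like the following. This is an added example, not code from the PR or the OpenOps repository; the function names and sample inputs are assumptions, and the regex is the SemVer alternative of the `chart/values.schema.json` pattern quoted in the same review.

```bash
#!/bin/sh
# Added example, not part of the PR: check the release version before it
# reaches sed, OCI tags or Git tags. Function names are hypothetical.

# SemVer alternative of the chart/values.schema.json pattern quoted in the
# review; 'latest' and 8-char git hashes are not accepted for a release.
RELEASE_VERSION_RE='^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$'

# Exit status 0 if $1 is an acceptable release version, non-zero otherwise.
validate_release_version() {
  candidate=${1-}
  newline='
'
  case $candidate in
    # grep tests line by line, so reject empty and multi-line input first
    '' | *"$newline"*) return 1 ;;
  esac
  printf '%s\n' "$candidate" | LC_ALL=C grep -Eq "$RELEASE_VERSION_RE"
}

# What the unguarded substitution from the workflow does to a constructed
# Chart.yaml line. '&' in a sed replacement expands to the matched text.
unguarded_sed_result() {
  printf 'version: 0.0.1-dev\n' | sed "s/^version:.*/version: $1/"
}

# Guarded form of the same substitution: validate, then rewrite the file.
set_chart_version() {
  chart_file=$1
  new_version=$2
  if ! validate_release_version "$new_version"; then
    echo "invalid release version, leaving $chart_file untouched" >&2
    return 1
  fi
  sed "s/^version:.*/version: $new_version/" "$chart_file" > "$chart_file.tmp" &&
    mv "$chart_file.tmp" "$chart_file"
}

# Constructed inputs: versions as the workflow builds them, and values that
# would produce malformed tags or change the sed expression.
for v in '0.6.15' '0.6.15-draft' 'v0.6.15' '0.6' '1.2.3&'; do
  if validate_release_version "$v"; then
    echo "accept: $v"
  else
    echo "reject: $v"
  fi
done
```

In the workflow, a check like this would run against `$APP_VERSION` before the "Set chart version and appVersion" step, so a rejected input stops the job before anything is packaged or pushed.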

- Chart.yaml: Set appVersion to 0.0.1-dev to match documented defaults
- NOTES.txt: Use .Chart.Name and .Chart.Version in upgrade command
- release.yml: Derive CHART_PACKAGE from helm package output instead
  of hardcoding the filename
- AGENTS.md: Clarify versioning strategy applies to releases; dev
  defaults are normalized by the release workflow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (5)

chart/templates/NOTES.txt:121

  • The upgrade command in NOTES.txt assumes users are upgrading from an OCI-installed chart, but users who initially installed from source (./chart) may be confused by this command. Consider making the instruction more flexible or providing both options:

```
# Upgrade deployment (OCI)
helm upgrade {{ .Release.Name }} oci://public.ecr.aws/openops/helm/{{ .Chart.Name }} --version {{ .Chart.Version }} -n {{ .Release.Namespace }} -f values.overrides.yaml

# Upgrade deployment (source)
helm upgrade {{ .Release.Name }} ./chart -n {{ .Release.Namespace }} -f values.overrides.yaml
```

Alternatively, document that the upgrade path depends on the original installation method.

```
  helm upgrade {{ .Release.Name }} oci://public.ecr.aws/openops/helm/{{ .Chart.Name }} --version {{ .Chart.Version }} -n {{ .Release.Namespace }} -f values.overrides.yaml
```

.github/workflows/release.yml:40

  • The sed commands that modify Chart.yaml and values.yaml assume specific formatting and could break if the files are reformatted. For more robust version replacement, consider using yq (a YAML processor) instead of sed:

```bash
yq eval ".version = \"$CHART_VERSION\"" -i chart/Chart.yaml
yq eval ".appVersion = \"$APP_VERSION\"" -i chart/Chart.yaml
yq eval ".global.version = \"$APP_VERSION\"" -i chart/values.yaml
```

This would be more reliable and less prone to breaking on whitespace or formatting changes.

```bash
          sed -i "s/^version:.*/version: $CHART_VERSION/" chart/Chart.yaml
          sed -i "s/^appVersion:.*/appVersion: \"$APP_VERSION\"/" chart/Chart.yaml
          sed -i 's/^  version: .*/  version: "'"$APP_VERSION"'"/' chart/values.yaml
```

README.md:35

  • The OCI installation command references values.overrides.yaml which assumes users have a local values file. Users installing directly from OCI without cloning the repository won't have this file. Consider clarifying the documentation to explain that users need to create their own values file or provide an example inline:

```bash
# Create a values file first with your configuration
cat > values.overrides.yaml <<EOF
global:
  publicUrl: "https://openops.example.com"
# ... add your overrides ...
EOF

# Then install
helm install openops oci://public.ecr.aws/openops/helm/openops \
  --version <VERSION> \
  -n openops --create-namespace \
  -f values.overrides.yaml
```

Or mention that the values file should be created based on values.overrides-example.yaml from the source repository.

```bash
helm install openops oci://public.ecr.aws/openops/helm/openops \
  --version <VERSION> \
  -n openops --create-namespace \
  -f values.overrides.yaml
```

.github/workflows/release.yml:52

  • The `--version` and `--app-version` flags in the helm package command are redundant since the Chart.yaml file has already been updated with these values in lines 38-40. The helm package command will read these values from Chart.yaml. Consider removing these flags to avoid potential confusion:

```bash
helm package chart
```

This simplification makes it clearer that the version is controlled by the Chart.yaml modifications.

```bash
          pkg_output=$(helm package chart --version "$CHART_VERSION" --app-version "$APP_VERSION")
```

.github/workflows/release.yml:55

  • The awk parsing of helm package output could be fragile. If the helm output format changes or if there are unexpected messages, the chart_package variable might be empty or incorrect, leading to unclear failures in later steps. Consider adding validation after parsing:

```bash
chart_package=$(printf '%s\n' "$pkg_output" | awk '/Successfully packaged chart and saved it to:/ {print $NF}')
if [[ -z "$chart_package" || ! -f "$chart_package" ]]; then
  echo "Error: Failed to determine chart package location"
  exit 1
fi
echo "CHART_PACKAGE=$chart_package" >> "$GITHUB_ENV"
```

```bash
          chart_package=$(printf '%s\n' "$pkg_output" | awk '/Successfully packaged chart and saved it to:/ {print $NF}')
          echo "CHART_PACKAGE=$chart_package" >> "$GITHUB_ENV"
```


@maor-rozenfeld maor-rozenfeld merged commit 938f76d into main Feb 19, 2026
9 checks passed
@maor-rozenfeld maor-rozenfeld deleted the publish branch February 19, 2026 23:04
@maor-rozenfeld maor-rozenfeld restored the publish branch February 19, 2026 23:07