feat(tooling): add minor-rc, patch-rc, major-rc for 0.39.x->0.40.0-rc.1

casibbald · casibbald · commit 0c92c67ac77f · 2026-01-25T22:12:55.000+02:00
- ci: provenance and SBOM attestation on GHCR push; cosign for image and chart
- release: bump options patch-rc, minor-rc, major-rc
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -2,8 +2,13 @@
 # Replaces pr.yaml and the tag-driven parts of release-please.
 #
 # On tag (v*): release workflow has already bumped Chart/values/package.json and pushed
-# the tag. This workflow builds gitops-server image ( :X.Y.Z and :latest), pushes the
-# Helm chart OCI, and runs goreleaser for gitops CLI binaries.
+# the tag. This workflow:
+#   - build-push-gitops-server: builds and pushes gitops-server image (:tag, :latest)
+#     with provenance (mode=max) and SBOM attestations; keyless cosign signing and verify
+#   - build-and-push-chart: packages Helm chart, pushes OCI, keyless cosign sign and verify
+#   - goreleaser: builds gitops CLI binaries (linux/darwin, amd64/arm64), signs with cosign,
+#     uploads to GitHub Release (mode: keep-existing). For non-prerelease tags, includes
+#     Homebrew tap publish (.goreleaser.brew.yml).
 #
 # Runs on main and feature/re-implement-workflows (for testing). Fork-friendly: image,
 # chart and goreleaser use github.repository / github.repository_owner (your fork when
@@ -89,6 +94,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -112,6 +118,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push gitops-server
+        id: build
         uses: docker/build-push-action@v5
         with:
           context: .
@@ -120,13 +127,28 @@ jobs:
             LDFLAGS=${{ env.LDFLAGS }}
             GIT_COMMIT=${{ github.sha }}
           push: true
+          provenance: "mode=max"
+          sbom: true
           tags: |
             ghcr.io/${{ github.repository }}/gitops-server:${{ github.ref_name }}
             ghcr.io/${{ github.repository }}/gitops-server:latest
           cache-from: type=gha
           cache-to: type=gha,mode=max
           platforms: linux/amd64,linux/arm64
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v4
+
+      - name: Keyless signing of image
+        run: |
+          cosign sign --yes ghcr.io/${{ github.repository }}/gitops-server@${{ steps.build.outputs.digest }}
+
+      - name: Verify the image signing
+        run: |
+          cosign verify ghcr.io/${{ github.repository }}/gitops-server@${{ steps.build.outputs.digest }} \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .
+
   build-and-push-chart:
     name: Build and push Helm chart
     needs: [build-and-test]
@@ -135,6 +157,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -149,10 +172,27 @@ jobs:
           echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Package and push chart
+        id: push-chart
         run: |
           helm package charts/gitops-server -d /tmp
           CHART=$(ls /tmp/weave-gitops-*.tgz)
-          helm push "$CHART" oci://ghcr.io/${{ github.repository_owner }}
+          helm push "$CHART" oci://ghcr.io/${{ github.repository_owner }} 2>&1 | tee /tmp/push.log
+          CHART_DIGEST=$(awk '/Digest: /{print $2}' /tmp/push.log)
+          [ -n "$CHART_DIGEST" ] || { echo "Could not parse digest from helm push"; cat /tmp/push.log; exit 1; }
+          echo "digest=$CHART_DIGEST" >> $GITHUB_OUTPUT
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v4
+
+      - name: Keyless signing of chart
+        run: |
+          cosign sign --yes ghcr.io/${{ github.repository_owner }}/weave-gitops@${{ steps.push-chart.outputs.digest }}
+
+      - name: Verify the chart signing
+        run: |
+          cosign verify ghcr.io/${{ github.repository_owner }}/weave-gitops@${{ steps.push-chart.outputs.digest }} \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .
 
   goreleaser:
     name: Goreleaser (gitops CLI)
@@ -161,6 +201,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
     env:
       FLUX_VERSION: "2.7.2"
     steps:
@@ -178,6 +219,13 @@ jobs:
       - name: Set CHART_VERSION from tag
         run: echo "CHART_VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV
 
+      - name: Include brew publishing
+        if: "!contains(github.ref_name, '-')"
+        run: cat .goreleaser.brew.yml >> .goreleaser.yml
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v4
+
       - uses: goreleaser/goreleaser-action@v6
         with:
           distribution: goreleaser
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,7 +15,7 @@ on:
   workflow_dispatch:
     inputs:
       bump:
-        description: "Bump type (default: patch). rc = 0.39.0-rc.2 -> 0.39.0-rc.3"
+        description: "Bump type. minor-rc: 0.39.x -> 0.40.0-rc.1; rc: 0.39.0-rc.2 -> 0.39.0-rc.3"
         required: false
         default: patch
         type: choice
@@ -24,6 +24,9 @@ on:
           - minor
           - major
           - rc
+          - patch-rc
+          - minor-rc
+          - major-rc
       branch:
         description: "Branch to release from (e.g. main or feature/re-implement-workflows)"
         required: false
diff --git a/tooling/README.md b/tooling/README.md
@@ -4,8 +4,8 @@ Release and build tooling for Weave GitOps.
 
 ## Commands
 
-- **weavegitops release bump** [patch|minor|major|rc]  
-  Bump version from `charts/gitops-server/Chart.yaml`; update Chart.yaml (version, appVersion), `charts/gitops-server/values.yaml` (image.tag), `package.json` (version). Use **rc** for release candidates: `0.39.0-rc.2` → `0.39.0-rc.3` (or `0.39.0` → `0.39.0-rc.1`). Writes `version` to `GITHUB_OUTPUT` when set.
+- **weavegitops release bump** [patch|minor|major|rc|patch-rc|minor-rc|major-rc]  
+  Bump from `charts/gitops-server/Chart.yaml`; updates Chart, values, package.json. **rc**: `0.39.0-rc.2` → `0.39.0-rc.3` or `0.39.0` → `0.39.0-rc.1`. **minor-rc**: `0.39.x` → `0.40.0-rc.1` (start RC for next minor). Also **patch-rc**, **major-rc**. Writes `version` to `GITHUB_OUTPUT` when set.
 
 - **weavegitops release generate-notes** --version X.Y.Z [--output PATH] [--template PATH] [--since-tag TAG] [--provider openai|anthropic]  
   Generate release notes from commits since the previous tag via OpenAI or Anthropic.
diff --git a/tooling/src/weave_gitops_tooling/cli/main.py b/tooling/src/weave_gitops_tooling/cli/main.py
@@ -59,8 +59,8 @@ def _build_parser():
         "bump",
         nargs="?",
         default="patch",
-        choices=["patch", "minor", "major", "rc"],
-        help="Bump type: patch|minor|major|rc (default: patch). rc: 0.39.0-rc.2 -> 0.39.0-rc.3",
+        choices=["patch", "minor", "major", "rc", "patch-rc", "minor-rc", "major-rc"],
+        help="Bump: patch|minor|major|rc|patch-rc|minor-rc|major-rc. minor-rc: 0.39.x -> 0.40.0-rc.1",
     )
     prlgn = prl_sub.add_parser(
         "generate-notes",
diff --git a/tooling/src/weave_gitops_tooling/cli/release.py b/tooling/src/weave_gitops_tooling/cli/release.py
@@ -31,7 +31,7 @@ def run_release(args, project_root: Path) -> None:
         )
         sys.exit(rc)
     print("weavegitops release: use subcommand 'bump' or 'generate-notes'")
-    print("  weavegitops release bump [patch|minor|major|rc]")
+    print("  weavegitops release bump [patch|minor|major|rc|patch-rc|minor-rc|major-rc]")
     print(
         "  weavegitops release generate-notes --version X.Y.Z [--output PATH] [--template PATH] [--since-tag TAG] [--provider openai|anthropic]"
     )
diff --git a/tooling/src/weave_gitops_tooling/release/bump.py b/tooling/src/weave_gitops_tooling/release/bump.py
@@ -1,11 +1,14 @@
 """Bump version from charts/gitops-server/Chart.yaml; update Chart, values, package.json.
 
-Source of truth: charts/gitops-server/Chart.yaml `version`. For bump=rc: parses -rc.N
-and produces X.Y.Z-rc.(N+1); if no -rc, produces X.Y.Z-rc.1. For patch|minor|major:
-strips -rc.N (or similar) to get base X.Y.Z and bumps that. Writes: Chart.yaml
-(version, appVersion), values.yaml (image.tag), package.json (version). Tags use v
-prefix (workflow adds 'v' when creating the git tag). Appends version=... to
-GITHUB_OUTPUT when set.
+Source of truth: charts/gitops-server/Chart.yaml `version`.
+
+Bump types:
+  - patch|minor|major: strip -rc.N, bump X.Y.Z (e.g. 0.39.0-rc.2 --minor--> 0.40.0).
+  - rc: keep base, X.Y.Z-rc.(N+1) or X.Y.Z-rc.1 (e.g. 0.39.0-rc.2 -> 0.39.0-rc.3).
+  - patch-rc|minor-rc|major-rc: bump base then add -rc.1 (e.g. 0.39.x --minor-rc--> 0.40.0-rc.1).
+
+Writes: Chart.yaml (version, appVersion), values.yaml (image.tag), package.json (version).
+Tags use v prefix (workflow adds 'v'). Appends version=... to GITHUB_OUTPUT when set.
 """
 
 from __future__ import annotations
@@ -30,8 +33,8 @@ def _read_current(chart_yaml: Path) -> tuple[str, int | None]:
 
 
 def _next_version(old: str, bump: str, *, rc_num: int | None = None) -> str:
-    """Compute next version. old is X.Y.Z or vX.Y.Z. bump: patch|minor|major|rc.
-    For rc: keeps base, yields X.Y.Z-rc.(N+1) or X.Y.Z-rc.1 if no prior -rc. Otherwise returns X.Y.Z."""
+    """Compute next version. old is X.Y.Z or vX.Y.Z. bump: patch|minor|major|rc|patch-rc|minor-rc|major-rc.
+    For rc: keeps base, X.Y.Z-rc.(N+1) or X.Y.Z-rc.1. For *-rc: bump base then -rc.1."""
     b = (bump or "patch").lower()
     if b == "rc":
         old = old.lstrip("v")
@@ -41,6 +44,11 @@ def _next_version(old: str, bump: str, *, rc_num: int | None = None) -> str:
             raise SystemExit(msg)
         n = (rc_num + 1) if rc_num is not None else 1
         return f"{old}-rc.{n}"
+    # patch-rc, minor-rc, major-rc: bump base then append -rc.1 (ignore rc_num)
+    if b in ("patch-rc", "minor-rc", "major-rc"):
+        base = old.lstrip("v").split("-")[0]  # 0.39.0 or 0.39.0 from 0.39.0-rc.2
+        base = _next_version(base, b.replace("-rc", ""), rc_num=None)
+        return f"{base}-rc.1"
     # patch, minor, major: ignore rc_num
     old = old.lstrip("v")
     parts = old.split(".")
@@ -57,7 +65,7 @@ def _next_version(old: str, bump: str, *, rc_num: int | None = None) -> str:
         x += 1
         y = z = 0
     else:
-        msg = f"Unknown bump: {bump}. Use patch, minor, major, or rc."
+        msg = f"Unknown bump: {bump}. Use patch, minor, major, rc, patch-rc, minor-rc, or major-rc."
         raise SystemExit(msg)
     return f"{x}.{y}.{z}"
 
diff --git a/tooling/tests/test_release_bump.py b/tooling/tests/test_release_bump.py
@@ -73,6 +73,19 @@ def test_rc_from_clean_version(self) -> None:
         assert _next_version("0.39.0", "rc", rc_num=None) == "0.39.0-rc.1"
         assert _next_version("1.2.3", "rc") == "1.2.3-rc.1"
 
+    def test_minor_rc_from_039x(self) -> None:
+        assert _next_version("0.39.0", "minor-rc") == "0.40.0-rc.1"
+        assert _next_version("0.39.1", "minor-rc") == "0.40.0-rc.1"
+        assert _next_version("0.39.0-rc.2", "minor-rc") == "0.40.0-rc.1"
+
+    def test_patch_rc(self) -> None:
+        assert _next_version("0.39.0", "patch-rc") == "0.39.1-rc.1"
+        assert _next_version("0.39.0-rc.2", "patch-rc") == "0.39.1-rc.1"
+
+    def test_major_rc(self) -> None:
+        assert _next_version("0.39.0", "major-rc") == "1.0.0-rc.1"
+        assert _next_version("1.2.3", "major-rc") == "2.0.0-rc.1"
+
 
 class TestUpdateChartYaml:
     def test_updates_version_and_appversion(self, tmp_path: Path) -> None:
@@ -196,3 +209,20 @@ def test_rc_bump_writes_github_output(self, tmp_path: Path) -> None:
             rc = run(tmp_path, "rc")
         assert rc == 0
         assert "version=0.39.0-rc.3\n" in gh_out.read_text()
+
+    def test_minor_rc_from_039x_produces_0400_rc1(self, tmp_path: Path) -> None:
+        chart_dir = tmp_path / "charts" / "gitops-server"
+        chart_dir.mkdir(parents=True)
+        (chart_dir / "Chart.yaml").write_text(
+            'version: 0.39.0-rc.2 # x\nappVersion: "v0.39.0-rc.2"\n'
+        )
+        (chart_dir / "values.yaml").write_text('image:\n  tag: "v0.39.0-rc.2"\n')
+        (tmp_path / "package.json").write_text('{"version": "0.39.0-rc.2"}\n')
+
+        rc = run(tmp_path, "minor-rc")
+
+        assert rc == 0
+        assert "version: 0.40.0-rc.1" in (chart_dir / "Chart.yaml").read_text()
+        assert 'appVersion: "v0.40.0-rc.1"' in (chart_dir / "Chart.yaml").read_text()
+        assert 'tag: "v0.40.0-rc.1"' in (chart_dir / "values.yaml").read_text()
+        assert '"version": "0.40.0-rc.1"' in (tmp_path / "package.json").read_text()

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ def run_release(args, project_root: Path) -> None:`
`31`	`31`	`)`
`32`	`32`	`sys.exit(rc)`
`33`	`33`	`print("weavegitops release: use subcommand 'bump' or 'generate-notes'")`
`34`		`- print(" weavegitops release bump [patch\|minor\|major\|rc]")`
	`34`	`+ print(" weavegitops release bump [patch\|minor\|major\|rc\|patch-rc\|minor-rc\|major-rc]")`
`35`	`35`	`print(`
`36`	`36`	`" weavegitops release generate-notes --version X.Y.Z [--output PATH] [--template PATH] [--since-tag TAG] [--provider openai\|anthropic]"`
`37`	`37`	`)`