✨ simplify release process and operator image tag handling (#1444)

* ✨ enhance: simplify release workflow and update documentation for version preparation

* ✨ enhance: simplify image tag handling in values and templates for the operator

Author: slntopp

.github/workflows/release.yaml

@@ -1,19 +1,22 @@
 # Copyright (c) Mondoo, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
-name: Release
+name: Prepare Release
 
 on:
-  release:
-    types: [created]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Release version (e.g., 13.0.2) — without the 'v' prefix"
+        required: true
+        type: string
 
 jobs:
   prepare-release:
     runs-on: ubuntu-latest
-    # Only run for stable version tags (skip pre-releases like v1.0.0-alpha.1)
-    if: startsWith(github.event.release.tag_name, 'v') && !contains(github.event.release.tag_name, '-')
     permissions:
       contents: write
+      pull-requests: write
 
     steps:
       - name: Checkout main branch
@@ -36,13 +39,14 @@ jobs:
           sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
           sudo chmod +x /usr/local/bin/yq
 
-      - name: Extract version from tag
+      - name: Set version
         id: version
         run: |
-          TAG="${{ github.event.release.tag_name }}"
-          VERSION="${TAG#v}"
+          VERSION="${{ inputs.version }}"
+          # Strip leading 'v' if accidentally included
+          VERSION="${VERSION#v}"
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
-          echo "tag=${TAG}" >> $GITHUB_OUTPUT
+          echo "tag=v${VERSION}" >> $GITHUB_OUTPUT
 
       - name: Update version files
         run: |
@@ -65,30 +69,40 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
-      - name: Commit version updates
-        id: commit
+      - name: Create release branch and PR
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
+          TAG="${{ steps.version.outputs.tag }}"
+          BRANCH="release/${TAG}"
 
+          git checkout -b "${BRANCH}"
           git add -A
           if git diff --staged --quiet; then
-            echo "No changes to commit"
-            echo "changed=false" >> $GITHUB_OUTPUT
-          else
-            git commit -m "🚀 Release v${VERSION}"
-            git push origin main
-            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "No changes to commit — version files are already up to date"
+            exit 0
           fi
 
-      - name: Move tag to include version updates
-        if: steps.commit.outputs.changed == 'true'
-        run: |
-          TAG="${{ steps.version.outputs.tag }}"
+          git commit -m "🚀 Release ${TAG}"
+          git push origin "${BRANCH}"
+
+          gh pr create \
+            --title "🚀 Release ${TAG}" \
+            --body "$(cat <<EOF
+          ## Release ${TAG}
+
+          This PR updates version files for the ${TAG} release.
 
-          # Delete the old tag (local and remote)
-          git tag -d "${TAG}" || true
-          git push origin ":refs/tags/${TAG}" || true
+          ### Changed files
+          - \`charts/mondoo-operator/Chart.yaml\` — version and appVersion → ${VERSION}
+          - \`config/manager/kustomization.yaml\` — image tag → ${TAG}
+          - Generated manifests and Helm CRDs
 
-          # Create new tag at current HEAD (which includes version updates)
-          git tag "${TAG}"
-          git push origin "${TAG}"
+          ### After merging
+          [Create a new GitHub Release](https://github.com/${{ github.repository }}/releases/new?tag=${TAG}&target=main&title=${TAG}) with tag \`${TAG}\` targeting \`main\`.
+          The **Publish** workflow will then build and push container images and the Helm chart.
+          EOF
+          )" \
+            --base main \
+            --head "${BRANCH}"

RELEASE.md

@@ -1,41 +1,53 @@
 # Operator Release
 
-## Automated Release Process
+## Release Process
 
-Releases are fully automated via GitHub Actions.
+Releases follow a two-step process: first prepare the version bump via PR, then create the GitHub Release.
 
-### To Release a New Version:
+### Step 1: Prepare the Release
+
+1. Go to **Actions** > **Prepare Release** workflow
+2. Select **Run workflow**
+3. Enter the version number (e.g., `13.0.2`) — without the `v` prefix
+4. Select **Run workflow**
+
+The workflow will:
+- Create a `release/v13.0.2` branch
+- Update version in `Chart.yaml` and `kustomization.yaml`
+- Regenerate Helm chart CRDs and manifests
+- Open a PR titled "Release v13.0.2"
+
+5. Review and merge the PR
+
+### Step 2: Create the GitHub Release
 
 1. Go to the repository's **Releases** page
 2. Select **Draft a new release**
-3. Select **Choose a tag** and type the new version (e.g., `v12.1.0`)
-4. Select **Create new tag: v12.1.0 on publish**
-5. Set the release title (e.g., `v12.1.0`)
-6. Optionally add release notes describing the changes
-7. Select **Publish release**
-
-The release workflow will automatically:
-- Update version in Chart.yaml and kustomization.yaml
-- Regenerate Helm chart and manifests
-- Commit changes to main
-- Move the tag to include version updates
-- Trigger container image builds (multi-arch)
+3. Select **Choose a tag** and type the new version (e.g., `v13.0.2`)
+4. Set the **Target** to `main`
+5. Select **Create new tag: v13.0.2 on publish**
+6. Set the release title (e.g., `v13.0.2`)
+7. Optionally add release notes describing the changes
+8. Select **Publish release**
+
+The publish workflow will automatically:
+- Build multi-arch container images
 - Publish Helm chart to GitHub Pages and OCI registry
 - Update the GitHub release with manifest files
 
 ### Versioning
 
 Follow [semantic versioning](https://semver.org/):
-- **Patch** (12.0.X): Bug fixes, no breaking changes
-- **Minor** (12.X.0): New features, backwards compatible
+- **Patch** (13.0.X): Bug fixes, no breaking changes
+- **Minor** (13.X.0): New features, backwards compatible
 - **Major** (X.0.0): Breaking changes (see [upgrade docs](docs/operator-upgrades.md))
 
 ### Pre-Releases
 
 For alpha, beta, or release candidate versions:
 
 1. Follow the same release process above
-2. Use semver pre-release format: `v12.1.0-alpha.1`, `v12.1.0-rc.1`
+2. Use semver pre-release format: `v13.1.0-alpha.1`, `v13.1.0-rc.1`
 3. **Check the "Set as a pre-release" checkbox** in GitHub Release UI
 
 Pre-releases will:
@@ -44,7 +56,8 @@ Pre-releases will:
 - **NOT** update the "latest" Docker tag
 - **NOT** be marked as the latest GitHub release
 
-Users can deploy a specific pre-release by specifying the version explicitly.
+Note: The "Prepare Release" workflow skips pre-release versions (those containing `-`).
+For pre-releases, use the manual process below to bump versions if needed.
 
 ### Manual Release (Emergency)
 

charts/mondoo-operator/README.md

@@ -37,7 +37,7 @@ helm uninstall mondoo-operator --namespace mondoo-operator
 | `controllerManager.manager.args`                     | Command-line arguments passed to the operator manager container | `["operator","--health-probe-bind-address=:8081","--metrics-bind-address=:8080","--leader-elect"]` |
 | `controllerManager.manager.containerSecurityContext` | Security context for the manager container                      | `{}`                                                                                               |
 | `controllerManager.manager.image.repository`         | Container image repository for the operator                     | `ghcr.io/mondoohq/mondoo-operator`                                                                 |
-| `controllerManager.manager.image.tag`                | Container image tag for the operator                            | `v12.0.1`                                                                                          |
+| `controllerManager.manager.image.tag`                | Container image tag for the operator (defaults to .Chart.AppVersion) | `""`                                                                                          |
 | `controllerManager.manager.imagePullPolicy`          | Image pull policy for the operator container                    | `IfNotPresent`                                                                                     |
 | `controllerManager.manager.resources`                | Resource requests and limits for the manager container          | `{}`                                                                                               |
 | `controllerManager.podSecurityContext`               | Pod-level security context for the controller manager           | `{}`                                                                                               |

charts/mondoo-operator/templates/pre-delete-hook.yaml

@@ -83,7 +83,7 @@ spec:
           type: RuntimeDefault
       containers:
       - name: cleanup
-        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag }}
+        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}
         imagePullPolicy: {{ .Values.controllerManager.manager.imagePullPolicy }}
         args:
         - cleanup

charts/mondoo-operator/values.yaml

@@ -20,8 +20,8 @@ controllerManager:
     image:
       ## @param controllerManager.manager.image.repository Container image repository for the operator
       repository: ghcr.io/mondoohq/mondoo-operator
-      ## @param controllerManager.manager.image.tag Container image tag for the operator
-      tag: v12.0.1
+      ## @param controllerManager.manager.image.tag Container image tag for the operator (defaults to .Chart.AppVersion)
+      tag: ""
     ## @param controllerManager.manager.imagePullPolicy Image pull policy for the operator container
     imagePullPolicy: IfNotPresent
     ## @param controllerManager.manager.resources [object] Resource requests and limits for the manager container