⭐️ Automate release process via GitHub Release

.github/actions/spelling/expect.txt

@@ -8,6 +8,7 @@ eksctl
 fullname
 iamidentitymapping
 irsa
+kustomization
 mcr
 oidc
 openssl

.github/workflows/publish.yaml

@@ -96,6 +96,8 @@ jobs:
             type=ref,event=pr
           flavor: |
             suffix=-${{ matrix.arch }},onlatest=true
+            # Only apply 'latest' for non-prerelease version tags (no hyphen after version)
+            latest=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}
 
       # Extract metadata (tags, labels) for Docker
       # https://github.com/docker/metadata-action
@@ -213,6 +215,9 @@ jobs:
             type=ref,event=branch
             type=ref,event=tag
             type=ref,event=pr
+          flavor: |
+            # Only apply 'latest' for non-prerelease version tags (no hyphen after version)
+            latest=${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-') }}
 
       - name: Push multi-platform virtual tag and sign
         run: bash scripts/push-virtual-tag.sh

.github/workflows/release-manifests.yaml

@@ -29,4 +29,5 @@ jobs:
         with:
           files: mondoo-operator-manifests.yaml
           generate_release_notes: false
-          make_latest: true
+          # Only mark as latest if not a pre-release version (no hyphen after version)
+          make_latest: ${{ !contains(github.ref_name, '-') }}

.github/workflows/release.yaml

@@ -0,0 +1,94 @@
+# Copyright (c) Mondoo, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+name: Release
+
+on:
+  release:
+    types: [created]
+
+jobs:
+  prepare-release:
+    runs-on: ubuntu-latest
+    # Only run for version tags
+    if: startsWith(github.event.release.tag_name, 'v')
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout main branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: main
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Import environment variables from file
+        run: cat ".github/env" >> $GITHUB_ENV
+
+      - name: Setup Go
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
+        with:
+          go-version: "${{ env.golang-version }}"
+
+      - name: Install yq
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          TAG="${{ github.event.release.tag_name }}"
+          VERSION="${TAG#v}"
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "tag=${TAG}" >> $GITHUB_OUTPUT
+
+      - name: Update version files
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          # Update Chart.yaml
+          yq -i ".version = \"${VERSION}\"" charts/mondoo-operator/Chart.yaml
+          yq -i ".appVersion = \"${VERSION}\"" charts/mondoo-operator/Chart.yaml
+
+          # Update kustomization.yaml
+          yq -i ".images[0].newTag = \"v${VERSION}\"" config/manager/kustomization.yaml
+
+      - name: Generate manifests and Helm chart
+        run: |
+          make manifests
+          CHART_NAME=charts/mondoo-operator make helm
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Commit version updates
+        id: commit
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          git add -A
+          if git diff --staged --quiet; then
+            echo "No changes to commit"
+            echo "changed=false" >> $GITHUB_OUTPUT
+          else
+            git commit -m "🚀 Release v${VERSION}"
+            git push origin main
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Move tag to include version updates
+        if: steps.commit.outputs.changed == 'true'
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+
+          # Delete the old tag (local and remote)
+          git tag -d "${TAG}" || true
+          git push origin ":refs/tags/${TAG}" || true
+
+          # Create new tag at current HEAD (which includes version updates)
+          git tag "${TAG}"
+          git push origin "${TAG}"

RELEASE.md

@@ -1,43 +1,65 @@
 # Operator Release
 
-This document describes the release process for the operator
+## Automated Release Process
 
-## Versioning
+Releases are fully automated via GitHub Actions.
 
-Always consider what is the suitable version number to be released based on the [Operator upgrade manual](docs/operator-upgrades.md).
+### To Release a New Version:
 
-## Release script
+1. Go to the repository's **Releases** page
+2. Select **Draft a new release**
+3. Select **Choose a tag** and type the new version (e.g., `v12.1.0`)
+4. Select **Create new tag: v12.1.0 on publish**
+5. Set the release title (e.g., `v12.1.0`)
+6. Optionally add release notes describing the changes
+7. Select **Publish release**
 
-The `release.sh` script will generate/update the Helm chart files.
+The release workflow will automatically:
+- Update version in Chart.yaml and kustomization.yaml
+- Regenerate Helm chart and manifests
+- Commit changes to main
+- Move the tag to include version updates
+- Trigger container image builds (multi-arch)
+- Publish Helm chart to GitHub Pages and OCI registry
+- Update the GitHub release with manifest files
 
-Ensure the following software is installed before running the release script:
+### Versioning
 
-- `yq`
-- `operator-sdk`
+Follow [semantic versioning](https://semver.org/):
+- **Patch** (12.0.X): Bug fixes, no breaking changes
+- **Minor** (12.X.0): New features, backwards compatible
+- **Major** (X.0.0): Breaking changes (see [upgrade docs](docs/operator-upgrades.md))
 
-Run the release script:
+### Pre-Releases
 
-1. Run the `release.sh` script from the root of the mondoo-operator repo with the previous version of the operator as the first parameter and the new version of the operator as the second parameter (without any leading 'v' in the version string). For example:
+For alpha, beta, or release candidate versions:
 
-```bash
-$ ./release.sh 1.4.0 1.4.1
-```
+1. Follow the same release process above
+2. Use semver pre-release format: `v12.1.0-alpha.1`, `v12.1.0-rc.1`
+3. **Check the "Set as a pre-release" checkbox** in GitHub Release UI
 
-### Helm Chart and Operator bundle
+Pre-releases will:
+- Build and publish container images (tagged with the pre-release version)
+- Publish Helm chart (with pre-release version)
+- **NOT** update the "latest" Docker tag
+- **NOT** be marked as the latest GitHub release
 
-Mondoo Operator helm chart has been auto-generated using the [helmify](https://github.com/arttor/helmify) tool via the `release.sh` script. The CI uses [chart-releaser-action](https://github.com/helm/chart-releaser-action) to self host the charts using GitHub pages.
+Users can deploy a specific pre-release by specifying the version explicitly.
 
-The following steps need to be followed to release Helm chart.
+### Manual Release (Emergency)
 
-#### Helm Chart Release Workflow
+If the automated workflow fails, you can release manually:
 
-Helm chart release action is executed against release tags. It checks each chart in the charts folder, and whenever there's a new chart version, creates a corresponding GitHub release named for the chart version, adds Helm chart artifacts to the release, and creates or updates an index.yaml file with metadata about those releases, which is then hosted on GitHub Pages.
+1. Run the release script:
+   ```bash
+   ./release.sh <previous_version> <new_version>
+   ```
 
-### Committing the release
+2. Create a PR with the changes
 
-After running the `release.sh` script, you can create a pull request containing the changes made to the repo (mainly the files under ./charts and ./config. Once the pull request has merged, you need to tag the release.
-
-1. git checkout main
-2. git pull
-3. git tag v1.4.1
-4. git push origin v1.4.1
+3. After merge, tag and push:
+   ```bash
+   git checkout main && git pull
+   git tag v<new_version>
+   git push origin v<new_version>
+   ```