sapcc
diff --git a/‎.github/workflows/README.md‎
Lines changed: 107 additions & 106 deletions b/‎.github/workflows/README.md‎
Lines changed: 107 additions & 106 deletions
@@ -7,12 +7,10 @@ This directory contains GitHub Actions workflows for CI/CD automation of the `co
   - [TOC](#toc)
   - [Overview](#overview)
   - [Workflow Details](#workflow-details)
-    - [Validate Code Workflow](#validate-code-workflow)
-      - [Jobs and Steps](#jobs-and-steps)
     - [Build Image Workflow](#build-image-workflow)
-      - [Jobs and Steps](#jobs-and-steps-1)
+      - [Jobs and Steps](#jobs-and-steps)
     - [Publish Release Workflow](#publish-release-workflow)
-      - [Jobs and Steps](#jobs-and-steps-2)
+      - [Jobs and Steps](#jobs-and-steps-1)
   - [Environment Variables](#environment-variables)
   - [Container Images](#container-images)
   - [Workflow vizualization](#workflow-vizualization)
@@ -21,171 +19,174 @@ This directory contains GitHub Actions workflows for CI/CD automation of the `co
 
 ## Overview
 
-The project uses three main workflows that work together to ensure code quality and automate releases:
+The project uses two main workflows that work together to ensure code quality and automate releases:
 
 | | |
 | :--- | :--- |
-| [Validate Code workflow](#validate-code-workflow) | Validates code quality on feature branches |
-| [Build Image workflow](#build-image-workflow) | Builds draft releases when tags are pushed |
-| [Publish Release workflow](#publish-release-workflow) | Publishes final releases when merged to master |
+| [Build Image workflow](#build-image-workflow) | Validates code and builds draft images on feature branches |
+| [Publish Release workflow](#publish-release-workflow) | Builds images and publishes releases when merged to master |
 
 ## Workflow Details
 
-### Validate Code Workflow
-
-| | |
-| :--- | :--- |
-| **File** | [`validate-code.yaml`](./validate-code.yaml) |
-| **Trigger** | Push to any branch except `master` |
-| **Purpose** | Ensures code quality by running tests |
-
-#### Jobs and Steps
-- **validateCode:**
-  - Checks out code
-  - Populates environment variables (`GIT_COMMIT`, `GIT_TAG`, `BUILD_DATE`, `LDFLAGS`, `GO_VERSION`)
-  - Sets up Go using the version from [go.mod](../../go.mod)
-  - Runs [golangci-lint](https://github.com/golangci/golangci-lint) for static code analysis
-  - Runs [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) for vulnerability scanning
-  - Executes unit tests and showing the coverage ratio
-  - Builds all three binaries (`check`, `in`, `out`)
-  - Validates that built binaries report correct version information
-
 ### Build Image Workflow
 
 | | |
 | :--- | :--- |
 | **File** | [`build-image.yaml`](./build-image.yaml) |
-| **Trigger** | Push to tags matching `v*` pattern |
-| **Purpose** | Creates a draft release pointing to the container image |
+| **Trigger** | Push to any branch except `master`, excluding `.github` paths |
+| **Purpose** | Validates code quality, builds draft container image, and ensures version consistency |
 
 #### Jobs and Steps
-- **validateCode:**
-  - same as in [Validate Code Workflow](#validate-code-workflow)
-  - Additional validation to ensure a valid git tag exists
-
 - **buildImage:**
-  - depends on the `validateCode` job
+  - Checks out code with full history (fetch-depth: 0)
+  - Installs [mdq](https://github.com/yshavit/mdq) tool for changelog parsing
+  - Populates environment variables:
+    - `BUILD_DATE` - Current UTC timestamp
+    - `GIT_COMMIT` - Current commit SHA
+    - `GIT_TAG` - Version extracted from CHANGELOG.md
+    - `LDFLAGS` - Go linker flags for version injection
+    - `GO_VERSION` - Go version from go.mod
+  - Validates environment variables:
+    - Verifies version format matches `X.Y.Z` pattern (e.g., `1.2.3`)
+    - Checks that the git tag doesn't already exist
+  - Sets up Go using version from go.mod
+  - Runs [golangci-lint](https://github.com/golangci/golangci-lint) v2.4.0 for static code analysis
+  - Runs [govulncheck](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) for vulnerability scanning
+  - Executes unit tests with coverage reporting
+  - Builds the `check` binary with version information
+  - Validates that built binary reports correct version for all commands (`check`, `in`, `out`)
   - Logs into GitHub Container Registry (GHCR)
-  - Generates Docker metadata with multiple tag strategies:
-    - semantic versioning (`v1.2.3`, `v1.2`)
-    - draft tag
-    - date based
-  - Builds and pushes `linux/amd64` Docker image
-  - Injects build arguments (`GO_VERSION`, `GIT_COMMIT`, `GIT_TAG`, `BUILD_DATE`)
-
-- **createRelease:**
-  - depends on the `buildImage` job
-  - uses [mdq](https://github.com/yshavit/mdq) to extract the relevant changelog section for the tag
-  - Appends Docker pull command to changelog
-  - Creates a **draft** GitHub release with the processed changelog
+  - Generates Docker metadata with tags:
+    - Version tag (e.g., `1.2.3`)
+    - `draft` tag
+  - Builds and pushes `linux/amd64` Docker image with build arguments:
+    - `BUILDER_VERSION` - Go builder image version
+    - `GIT_COMMIT` - Current commit SHA
+    - `GIT_TAG` - Version from changelog
+    - `BUILD_DATE` - Build timestamp
 
 ### Publish Release Workflow
 
 | | |
 | :--- | :--- |
 | **File** | [`publish-release.yaml`](./publish-release.yaml) |
-| **Trigger** | Push to `master` branch |
-| **Purpose** | Publishes the release |
+| **Trigger** | Push to `master` branch, excluding `.github` paths |
+| **Purpose** | Builds the release container image, publishes a Github release and creates git tag |
 
 #### Jobs and Steps
-- **buildImage:**
-  - Similar to build-image workflow but with key differences:
-    - Uses `release` tag instead of `draft`
-    - Requires an existing git tag on the commit
-
 - **createRelease:**
-  - depends on the `buildImage` job
-  - Same changelog processing as in the [Build Image workflow](#build-image-workflow)
-  - Removes draft status from the release to publish it
-  - Updates existing releases only if they are unreleased
+  - Checks out code
+  - Installs [mdq](https://github.com/yshavit/mdq) tool for changelog parsing
+  - Populates environment variables:
+    - `GIT_TAG` - Version extracted from CHANGELOG.md
+    - `GIT_COMMIT` - Current commit SHA
+  - Validates environment variables:
+    - Verifies version format matches `X.Y.Z` pattern
+    - Checks that the git tag doesn't already exist
+  - Sets up Go using version from go.mod
+  - Logs into GitHub Container Registry (GHCR)
+  - Generates Docker metadata with tags:
+    - version tag (e.g., `1.2.3`)
+    - `release` tag
+    - `latest` tag
+  - Builds and pushes `linux/amd64` Docker image with build argument:
+    - `BUILDER_VERSION` - Go builder image version
+    - `GIT_COMMIT` - Current commit SHA
+    - `GIT_TAG` - Version from changelog
+    - `BUILD_DATE` - Build timestamp
+  - Processes changelog:
+    - Extracts changelog section for the current version using mdq
+    - Appends Docker pull command to changelog
+  - Creates GitHub release using [ncipollo/release-action](https://github.com/ncipollo/release-action):
+    - Uses processed changelog as release body
+    - Sets `makeLatest: "legacy"` for latest release handling
+    - Skips if release already exists
+    - Updates only unreleased releases
+  - Creates and pushes git tag:
+    - Configures git user
+    - Creates annotated tag with changelog content
+    - Pushes tag to origin
 
 ## Environment Variables
 
-All workflows populate and use these key environment variables:
+The workflows populate and use these key environment variables:
 
 | Variable | Description | Example |
 |----------|-------------|---------|
 | `GIT_COMMIT` | Current commit SHA | `abc123def456...` |
-| `GIT_TAG` | Git tag pointing to commit | `v1.2.3` or `undefined` |
+| `GIT_TAG` | Version extracted from CHANGELOG.md | `1.2.3` |
 | `BUILD_DATE` | UTC timestamp in RFC3339 format | `2024-01-15T10:30:00Z` |
 | `GO_VERSION` | Go version from go.mod | `1.25.1` |
-| `LDFLAGS` | Linker flags for version injection | `-X 'pkg/helper.gitCommit=...'` |
+| `LDFLAGS` | Linker flags for version injection | `-X 'github.com/sapcc/concourse-netbox-resource/internal/helper.gitCommit=...'` |
 
 ## Container Images
 
-Images are built and pushed to GitHub Container Registry (GHCR) with the following naming pattern:
+Images are built and pushed to GitHub Container Registry (GHCR) with the following tags:
 
-| | |
-| :--- | :--- |
-| **Draft release** | `ghcr.io/sapcc/concourse-netbox-resource:draft` |
-| **Published release** | `ghcr.io/sapcc/concourse-netbox-resource:release` |
-| **Semantic version** | `ghcr.io/sapcc/concourse-netbox-resource:v1.2.3` |
-| **Timestamp** | `ghcr.io/sapcc/concourse-netbox-resource:YYYYMMDD-hhmmss` |
-| **Latest** | `ghcr.io/sapcc/concourse-netbox-resource:latest` |
-| **Branch** | `ghcr.io/sapcc/concourse-netbox-resource:branch_name` |
+| Tag | Description | Workflow |
+| :--- | :--- | :--- |
+| `ghcr.io/sapcc/concourse-netbox-resource:draft` | Draft image from feature branches | Build Image |
+| `ghcr.io/sapcc/concourse-netbox-resource:release` | Released image from master | Publish Release |
+| `ghcr.io/sapcc/concourse-netbox-resource:1.2.3` | Semantic version tag | Both |
+
+All images are built for the `linux/amd64` platform.
 
 ## Workflow vizualization
 
 ```mermaid
 flowchart TB
-  subgraph "Workflows"
-        subgraph A[validate-code.yaml]
-          D
-        end
-
-        subgraph B[build-image.yaml]
-          E --> F  --> G
+    subgraph "Workflows"
+        subgraph A[build-image.yaml]
+            D
         end
 
-        subgraph C[publish-release.yaml]
-          H --> I
+        subgraph B[publish-release.yaml]
+            E
         end
     end
 
-    subgraph "Github Registry"
-        F --> CID
-        H --> CIR
+    subgraph "Github Container Registry"
+        D --> CID
+        E --> CIR
     end
 
-    subgraph "Github Releases"
-        G --> DR
-        I --> PR
+    subgraph "Github Releases & Tags"
+        E --> PR
+        E --> GT
     end
 
     U --Push to feature branch--> D
-    U --Push version tag--> E
-    U --Approve & Merge PR--> H
-
-    D([validateCode job])
-    E([validateCode job])
-    F([buildImage job])
-    G([createRelease job])
-    H([buildImage job])
-    I([createRelease job])
+    U --Merge PR to master--> E
+
+    D([buildImage job])
+    E([createRelease job])
     U(Developer)
-    CID@{ shape: div-rect, label: "Draft container image" }
-    CIR@{ shape: div-rect, label: "Published container image" }
-    DR@{ shape: lin-rect, label: "Draft Release" }
+    CID@{ shape: div-rect, label: "Draft container image\n(draft, X.Y.Z)" }
+    CIR@{ shape: div-rect, label: "Release container image\n(latest, release, X.Y.Z)" }
     PR@{ shape: lin-rect, label: "Published Release" }
+    GT@{ shape: lin-rect, label: "Git Tag" }
 ```
 
 ## Release Process
 
 The complete release process follows this flow:
 
 1. **Development:**
-   - Work on feature branches, all pushes trigger the [Validate Code workflow](#validate-code-workflow)
-2. **Tag Creation:**
-   - Create a version tag (e.g., `v1.2.3`) which triggers the [Build Image workflow](#build-image-workflow)
-     - Builds and pushes container image with draft tags
-     - Creates draft release
-3. **PR Review:**
+   - Work on feature branches
+   - All pushes to non-master branches trigger the [Build Image workflow](#build-image-workflow)
+   - This workflow validates code quality, runs tests, and builds a draft container image
+   - The version is extracted from CHANGELOG.md and validated
+
+2. **PR Review:**
+   - Create a pull request to merge changes into `master`
    - Review and approve the pull request
-4. **Merge:**
+
+3. **Merge & Release:**
    - Merge the approved changes to the `master` branch
-   -  this triggers the [Publish Release workflow](#publish-release-workflow)
-        - Builds and pushes container image with release tags
-        - Publishes the release (removes draft status)
+   - This triggers the [Publish Release workflow](#publish-release-workflow) which:
+     - Builds and pushes the release container image
+     - Creates a GitHub release with the changelog
+     - Creates and pushes a git tag for the version
 
 ## Dependencies