Automate release process (#269)

* Automatically publish Docker image on all pushes to main and tags, and create GitHub release on tags

* Update docs

* Make Zizmor happy: don't use the cache for release builds

* Fix more Zizmor warnings

Author: charleskorn

.github/workflows/ci.yaml

@@ -1,7 +1,8 @@
 name: ci
 on:
   push:
-    branches: [main]
+    branches: [ main ]
+    tags: [ '*' ]
   pull_request:
 
 permissions:
@@ -18,6 +19,7 @@ jobs:
         with:
           go-version: '1.25'
           check-latest: true
+          cache: ${{ github.event_name != 'push' }} # zizmor: ignore[cache-poisoning] Zizmor doesn't understand that this disables caching for release builds
       - run: make rollout-operator
 
   test:
@@ -30,6 +32,7 @@ jobs:
         with:
           go-version: '1.25'
           check-latest: true
+          cache: ${{ github.event_name != 'push' }} # zizmor: ignore[cache-poisoning] Zizmor doesn't understand that this disables caching for release builds
       - run: make test
       - run: make test-boringcrypto
 
@@ -43,6 +46,7 @@ jobs:
         with:
           go-version: '1.25'
           check-latest: true
+          cache: ${{ github.event_name != 'push' }} # zizmor: ignore[cache-poisoning] Zizmor doesn't understand that this disables caching for release builds
       - run: make build-image
       - run: make integration
 
@@ -56,6 +60,7 @@ jobs:
         with:
           go-version: '1.25'
           check-latest: true
+          cache: ${{ github.event_name != 'push' }} # zizmor: ignore[cache-poisoning] Zizmor doesn't understand that this disables caching for release builds
       - run: make build-image-boringcrypto
       - run: make integration
 
@@ -69,7 +74,53 @@ jobs:
         with:
           go-version: '1.25'
           check-latest: true
+          cache: ${{ github.event_name != 'push' }} # zizmor: ignore[cache-poisoning] Zizmor doesn't understand that this disables caching for release builds
       - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
         with:
           version: v2.4.0
           args: --timeout=5m
+
+  push-image:
+    runs-on: ubuntu-latest
+    needs:
+      - build
+      - test
+      - integration
+      - integration-boringcrypto
+      - lint
+    if: github.event_name == 'push' # We want this job to run for both pushes to main, as well as new tags.
+    permissions:
+      contents: write # Needed to be able to create releases.
+      id-token: write
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version: '1.25'
+          check-latest: true
+          cache: false
+      - name: Log in to Docker Hub
+        uses: grafana/shared-workflows/actions/dockerhub-login@c6d954f7cd9c0022018982e01268de6cb75b913c # dockerhub-login/v1.0.2
+      - name: Generate image tag
+        id: image_tag
+        run: |
+          if [[ "$REF_TYPE" == "tag" ]]; then
+            echo "tag=$REF_NAME" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=main-$SHA" >> "$GITHUB_OUTPUT"
+          fi
+        env:
+          REF_TYPE: ${{ github.ref_type }}
+          REF_NAME: ${{ github.ref_name }}
+          SHA: ${{ github.sha }}
+      - name: Build and push image
+        run: make publish-images
+        env:
+          IMAGE_TAG: ${{ steps.image_tag.outputs.tag }}
+      - name: Publish release
+        if: github.ref_type == 'tag'
+        run: make release-notes | gh release create "$IMAGE_TAG" --notes-file -
+        env:
+          IMAGE_TAG: ${{ steps.image_tag.outputs.tag }}

RELEASE.md

@@ -1,21 +1,18 @@
 # How to release a new version
 
-1. Update `CHANGELOG.md`
-  - Open PR and get it merged
+1. Update `CHANGELOG.md` as required:
+   - Open a PR and get it merged
+
 2. Create a new tag that follows semantic versioning:
     ```bash
     $ tag=v0.1.0
     $ git tag -s "${tag}" -m "${tag}"
     $ git push origin "${tag}"
     ```
-3. Publish the updated Docker image
-    ```bash
-    $ IMAGE_TAG="${tag}" make publish-images
-    ```
-4. Create a new GitHub release [here](https://github.com/grafana/rollout-operator/releases/new) based on the tag. The release notes can be generated with:
-    ```bash
-    $ IMAGE_TAG="${tag}" make release-notes
-    ```
-5. Update the Helm Chart
-  - Repository https://github.com/grafana/helm-charts/tree/main/charts/rollout-operator
-  - [Example PR](https://github.com/grafana/helm-charts/pull/3177/files)
+
+3. The [CI workflow](.github/workflows/ci.yaml) will run automatically.
+   It will build and push the image to [Docker Hub](https://hub.docker.com/r/grafana/rollout-operator), and create a [GitHub release](https://github.com/grafana/rollout-operator/releases) with release notes.
+
+4. Update the Helm Chart:
+   - Repository https://github.com/grafana/helm-charts/tree/main/charts/rollout-operator
+   - [Example PR](https://github.com/grafana/helm-charts/pull/3177/files)