chore(DATAGO-122087): WF PR 23 - review cleanup for Workflows featur…

.github/pull_request_template.md

@@ -0,0 +1,22 @@
+### What is the purpose of this change?
+
+    Brief summary - what problem does this solve?
+
+### How was this change implemented?
+
+    High-level approach - what files/components changed and why?
+
+### Key Design Decisions _(optional - delete if not applicable)_
+
+    Why did you choose this approach over alternatives?
+
+### How was this change tested?
+
+- [ ] Manual testing: [describe scenarios]
+- [ ] Unit tests: [new/modified tests]
+- [ ] Integration tests: [if applicable]
+- [ ] Known limitations: [what wasn't tested]
+
+### Is there anything the reviewers should focus on/be aware of?
+
+    Special attention areas, potential risks, or open questions

.github/workflows/ci.yaml

@@ -247,6 +247,12 @@ jobs:
           echo "AMD64 Tag: ${AMD_TAG}"
           echo "ARM64 Tag: ${ARM_TAG}"
 
+          # OCI annotations to ensure unique manifest digest per commit
+          # This allows Prisma Cloud and other tools to index each tag uniquely
+          # while still benefiting from layer caching
+          COMMIT_SHA="${{ needs.prepare-metadata.outputs.commit_hash }}"
+          BUILD_TIME="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
+
           # Convert comma-separated tags string to array and create manifest for each
           IFS=',' read -ra TAGS <<< "${{ steps.image_tags.outputs.tags }}"
           for TAG in "${TAGS[@]}"; do
@@ -255,6 +261,9 @@ jobs:
             TAG=$(echo "$TAG" | xargs)
             echo "Creating manifest for tag: $TAG"
             docker buildx imagetools create \
+              --annotation "index:org.opencontainers.image.revision=${COMMIT_SHA}" \
+              --annotation "index:org.opencontainers.image.created=${BUILD_TIME}" \
+              --annotation "index:org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
               --tag "$TAG" \
               "$AMD_TAG" \
               "$ARM_TAG"

.github/workflows/release.yml

@@ -2,6 +2,11 @@ name: Release (PyPI & Docker)
 on:
   workflow_dispatch:
     inputs:
+      ref:
+        type: string
+        required: true
+        description: "Git ref to release from"
+        default: "main"
       version:
         type: choice
         required: true
@@ -10,6 +15,12 @@ on:
           - patch
           - minor
           - major
+        default: patch
+      exact_version:
+        type: string
+        required: false
+        description: "Exact version to release (e.g., 1.13.2). Overrides 'version' input if provided."
+        default: ""
       skip_security_checks:
         type: boolean
         required: false
@@ -39,6 +50,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0 # Need enough history to find last non-skip-ci commit
+          ref: ${{ github.event.inputs.ref }}
 
       - name: Find Last RC-Tested Commit
         id: find-commit
@@ -153,6 +165,7 @@ jobs:
         with:
           fetch-depth: 0
           ssh-key: ${{ secrets.COMMIT_KEY }}
+          ref: ${{ github.event.inputs.ref }}
 
       - name: Setup Node.js
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
@@ -171,7 +184,7 @@ jobs:
         id: prep
         uses: SolaceDev/solace-public-workflows/.github/actions/hatch-release-prep@main
         with:
-          version: ${{ github.event.inputs.version }}
+          version: ${{ github.event.inputs.exact_version || github.event.inputs.version }}
 
       # Publish using Trusted Publishing - must be directly in workflow, not in composite action
       # See: https://docs.pypi.org/trusted-publishers/using-a-publisher/
@@ -191,6 +204,7 @@ jobs:
   build_and_push_docker:
     name: Build and Push to DockerHub
     needs: release
+    if: always() && (needs.release.result == 'success')
     uses: SolaceLabs/solace-agent-mesh/.github/workflows/build-push-dockerhub.yml@main
     with:
       version: ${{ needs.release.outputs.new_version }}

.github/workflows/ui-ci.yml

@@ -5,14 +5,10 @@ on:
   push:
     branches:
       - "main"
-    paths:
-      - "client/webui/frontend/**"
   pull_request:
     types: [opened, synchronize]
     branches:
       - "main"
-    paths:
-      - "client/webui/frontend/**"
 
 permissions:
   contents: write
@@ -25,13 +21,30 @@ permissions:
   repository-projects: read
 
 jobs:
+  check-paths:
+    name: "Check if UI files changed"
+    runs-on: ubuntu-latest
+    outputs:
+      should-run: ${{ steps.filter.outputs.ui }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Check for UI changes
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            ui:
+              - 'client/webui/frontend/**'
+
   validate-conventional-commit:
     name: "Validate Conventional Commit"
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
 
@@ -63,13 +76,15 @@ jobs:
 
   ui-build-and-test:
     name: "Build and Test UI"
+    needs: check-paths
+    if: needs.check-paths.outputs.should-run == 'true'
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: client/webui/frontend
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
 
@@ -218,19 +233,38 @@ jobs:
             python whitesource_vulnerability_checker.py
             "
 
+  ui-ci-status:
+    name: "UI CI Status"
+    runs-on: ubuntu-latest
+    needs: [check-paths, ui-build-and-test]
+    if: always()
+    steps:
+      - name: Check build status
+        run: |
+          if [[ "${{ needs.check-paths.outputs.should-run }}" == "false" ]]; then
+            echo "UI files not changed, skipping UI build and tests"
+            exit 0
+          elif [[ "${{ needs.ui-build-and-test.result }}" == "success" ]]; then
+            echo "UI build/tests passed"
+            exit 0
+          else
+            echo "UI build/tests failed"
+            exit 1
+          fi
+
   bump-version:
-    needs: ui-build-and-test
+    needs: [check-paths, ui-build-and-test]
     name: "Bump UI Version"
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && github.ref_name == github.event.repository.default_branch
+    if: github.event_name == 'push' && github.ref_name == github.event.repository.default_branch && needs.check-paths.outputs.should-run == 'true'
     outputs:
       new-tag: ${{ steps.bump.outputs.newTag }}
     defaults:
       run:
         working-directory: client/webui/frontend
     steps:
       - name: "Checkout source code"
-        uses: "actions/checkout@v4"
+        uses: "actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd" # v5.0.1
         with:
           ref: ${{ github.ref }}
           token: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -146,7 +146,8 @@ cython_debug/
 # PyPI configuration file
 .pypirc
 tmp
-.sam 
+.sam
+*.key
 playground.py
 
 # VS Code
@@ -168,3 +169,4 @@ client/webui/frontend/static/ui-version.json
 # workaround requirements.txt not working in ci
 requirements.txt
 data/artifacts/
+CLAUDE.md