fix: move semantic release after successful build to prevent orphaned releases

Co-authored-by: darthkali <46423967+darthkali@users.noreply.github.com>

Author: Copilot

.github/workflows/frontend-build-and-push.yaml

@@ -5,46 +5,54 @@ name: Frontend Build & Push
 "on":
   workflow_dispatch:
   workflow_call:
-    inputs:
-      semantic-version:
-        description: 'Semantic version from semantic-release'
-        required: false
-        type: string
-      use-semantic-version:
-        description: 'Whether to use semantic version for tagging'
-        required: false
-        type: boolean
-        default: false
 
 permissions:
-  contents: read
+  contents: write
+  issues: write
+  pull-requests: write
   packages: write
 
 jobs:
   # Build and push frontend container - migrated from build-container-ui
   build-and-push-frontend:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
+      issues: write
+      pull-requests: write
       packages: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
 
-      - name: Set version
-        id: version
+      - name: Install dependencies
+        run: |
+          cd frontend
+          npm ci
+
+      - name: Set initial version (pre-build)
+        id: pre-version
         run: |
-          if [ "${{ inputs.use-semantic-version }}" == "true" ] && [ -n "${{ inputs.semantic-version }}" ]; then
-            echo "VERSION=${{ inputs.semantic-version }}" >> $GITHUB_ENV
-            echo "Using semantic version: ${{ inputs.semantic-version }}"
-          elif [ "${{ github.ref_type }}" == "tag" ]; then
-            echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
-          else
-            echo "VERSION=${{ github.sha }}" >> $GITHUB_ENV
-          fi
           echo "SHORT_SHA=${GITHUB_SHA:0:8}" >> $GITHUB_ENV
           # Set image name for frontend
           RAG_EVAL_UI_IMAGE="ghcr.io/${{ github.repository }}/rag-eval-ui"
           echo "RAG_EVAL_UI_IMAGE=${RAG_EVAL_UI_IMAGE}" >> $GITHUB_ENV
+          
+          # Set initial version for build
+          if [ "${{ github.ref_type }}" == "tag" ]; then
+            echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+          else
+            echo "VERSION=${{ github.sha }}" >> $GITHUB_ENV
+          fi
 
       - uses: docker/setup-buildx-action@v3
 
@@ -65,10 +73,36 @@ jobs:
           push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
           tags: |
             ${{ env.RAG_EVAL_UI_IMAGE }}:${{ env.SHORT_SHA }}
-            ${{ inputs.use-semantic-version == 'true' && 
-                format('{0}:{1}', env.RAG_EVAL_UI_IMAGE, env.VERSION) || '' }}
             ${{ github.ref_type == 'tag' &&
                 format('{0}:{1}', env.RAG_EVAL_UI_IMAGE,
                        github.ref_name) || '' }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+
+      # Only run semantic release after successful build on main branch
+      - name: Run semantic-release
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        id: semantic
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd frontend
+          npm run semantic-release
+
+      # If semantic release created a new version, tag and push the Docker image with semantic version
+      - name: Tag and push semantic version
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push' && steps.semantic.outcome == 'success'
+        run: |
+          cd frontend
+          # Get the version from package.json after semantic-release
+          NEW_VERSION=$(node -p "require('./package.json').version")
+          if [ -n "$NEW_VERSION" ] && [ "$NEW_VERSION" != "null" ]; then
+            echo "Semantic release created version: $NEW_VERSION"
+            # Tag the existing image with the semantic version
+            docker pull ${{ env.RAG_EVAL_UI_IMAGE }}:${{ env.SHORT_SHA }}
+            docker tag ${{ env.RAG_EVAL_UI_IMAGE }}:${{ env.SHORT_SHA }} ${{ env.RAG_EVAL_UI_IMAGE }}:$NEW_VERSION
+            docker push ${{ env.RAG_EVAL_UI_IMAGE }}:$NEW_VERSION
+            echo "Tagged and pushed image with semantic version: $NEW_VERSION"
+          else
+            echo "No new version was created by semantic-release"
+          fi

.github/workflows/frontend-semantic-release.yaml

@@ -13,10 +13,12 @@ name: Frontend Pipeline
       - 'frontend/**'
 
 permissions:
-  contents: read
+  contents: write
   security-events: write
   actions: read
   packages: write
+  issues: write
+  pull-requests: write
 
 jobs:
   # Parallel execution of lint, security-scan, and test workflows
@@ -32,19 +34,10 @@ jobs:
     name: Run Test
     uses: ./.github/workflows/frontend-test.yaml
 
-  # Semantic release - only on main branch pushes
-  semantic-release:
-    name: Semantic Release
-    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
-    needs: [lint, security-scan, test]
-    uses: ./.github/workflows/frontend-semantic-release.yaml
-
   # Sequential build stage - runs only after parallel jobs succeed
+  # Semantic release is integrated into build process to ensure release only happens after successful build
   build-and-push:
     name: Build and Push
-    needs: [lint, security-scan, test, semantic-release]
+    needs: [lint, security-scan, test]
     if: always() && !cancelled() && !failure() && (needs.lint.result == 'success' && needs.security-scan.result == 'success' && needs.test.result == 'success')
     uses: ./.github/workflows/frontend-build-and-push.yaml
-    with:
-      semantic-version: ${{ needs.semantic-release.outputs.new-release-version || '' }}
-      use-semantic-version: ${{ needs.semantic-release.outputs.new-release-published == 'true' }}