ci: add release workflow and docs

Author: haasonsaas

.github/workflows/release-chart.yml

@@ -26,6 +26,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install yq
+        run: |
+          YQ_VERSION=v4.44.3
+          sudo wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64 -O /usr/local/bin/yq
+          sudo chmod +x /usr/local/bin/yq
+
       - name: Set chart version
         if: ${{ inputs.version != '' }}
         run: |

.github/workflows/release.yml

@@ -0,0 +1,96 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Application version (used for tag/release, e.g. 1.2.3)"
+        required: true
+      chart_version:
+        description: "Expected Helm chart version (default: read from Chart.yaml)"
+        required: false
+
+permissions:
+  contents: write
+  packages: write
+
+env:
+  CHART_DIR: charts/provenance
+  CHART_NAME: provenance
+  OCI_REGISTRY: ghcr.io/${{ github.repository_owner }}/charts
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install dependencies (uv)
+        uses: astral-sh/setup-uv@v1
+
+      - name: Sync Python dependencies
+        run: uv sync --extra dev --extra dashboard --extra warehouse --extra client
+
+      - name: Run tests
+        run: uv run -- pytest
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v3
+
+      - name: Install yq
+        run: |
+          YQ_VERSION=v4.44.3
+          sudo wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64 -O /usr/local/bin/yq
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Validate chart version
+        run: |
+          CHART_VERSION=$(yq '.version' $CHART_DIR/Chart.yaml)
+          EXPECTED="${{ inputs.chart_version }}"
+          if [ -n "$EXPECTED" ] && [ "$EXPECTED" != "$CHART_VERSION" ]; then
+            echo "Chart version mismatch. Expected $EXPECTED, found $CHART_VERSION"
+            exit 1
+          fi
+          echo "CHART_VERSION=$CHART_VERSION" >> $GITHUB_ENV
+
+      - name: Helm lint
+        run: make helm-lint
+
+      - name: Helm template
+        run: make helm-template
+
+      - name: Package chart
+        run: |
+          mkdir -p dist/charts
+          helm package $CHART_DIR --destination dist/charts
+
+      - name: Login to GitHub Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Push chart to OCI
+        run: |
+          CHART_PACKAGE="dist/charts/${CHART_NAME}-${CHART_VERSION}.tgz"
+          helm push "$CHART_PACKAGE" oci://$OCI_REGISTRY
+
+      - name: Create GitHub Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ inputs.version }}
+          release_name: v${{ inputs.version }}
+          draft: false
+          prerelease: false
+          generate_release_notes: true
+
+      - name: Upload chart artifact to release
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: dist/charts/${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz
+          asset_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}.tgz
+          asset_content_type: application/gzip

README.md

@@ -229,6 +229,7 @@ The same process works against forks or sandboxes—helpful when validating new
 - [Deployment & Operations Guide](docs/deployment-guide.md) – Deploy with Docker/Kubernetes, scale detectors, and instrument observability.
 - [SARIF Reporting](docs/sarif-reporting.md) – Understand the SARIF 2.1.0 output, severity mapping, and customization hooks.
 - [DSSE Decision Bundles](docs/dsse-decision-bundles.md) – Inspect the envelope schema, verify signatures, and integrate with transparency logs.
+- [Release Process](docs/release-process.md) – Publish application releases and Helm charts with the bundled workflows.
 
 ## Data Persistence Model
 

docs/README.md

@@ -10,3 +10,4 @@ This directory contains task-focused guides that go deeper than the root `README
 - [Deployment & Operations Guide](deployment-guide.md) — Deploy the API with Docker or Kubernetes and operate it in production.
 - [SARIF Reporting](sarif-reporting.md) — Understand the SARIF 2.1.0 output and tailor it for downstream scanners.
 - [DSSE Decision Bundles](dsse-decision-bundles.md) — Inspect the DSSE envelope, verify signatures, and extend transparency workflows.
+- [Release Process](release-process.md) — Run end-to-end release workflows for the app and Helm chart.

docs/release-process.md

@@ -0,0 +1,68 @@
+# Release Process
+
+This guide summarizes how to publish Provenance application releases and Helm chart updates using the bundled automation.
+
+## Prerequisites
+
+- Write access to the repository and GitHub Container Registry (`ghcr.io/<org>/charts`).
+- Updated `charts/provenance/Chart.yaml` and application version metadata committed to `main`.
+- Successful CI run on the commit you plan to release.
+
+## 1. Run Tests & Lint Locally (optional)
+
+Although the release workflow repeats these steps, you can pre-flight locally:
+
+```bash
+uv sync --all-extras
+uv run -- pytest
+make helm-lint
+make helm-template
+```
+
+## 2. Publish a Release (app + chart)
+
+Trigger the **Release** workflow (`.github/workflows/release.yml`) from the GitHub Actions tab or via the CLI:
+
+```bash
+gh workflow run Release \
+  --ref main \
+  --field version=1.2.3 \
+  --field chart_version=0.3.0
+```
+
+The workflow:
+
+1. Checks out `main` and installs dependencies.
+2. Runs the Python test suite and Helm lint/template checks.
+3. Packages the Helm chart and pushes it to `ghcr.io/<org>/charts`.
+4. Creates a GitHub release tagged `v<version>` with automatically generated notes.
+5. Uploads the packaged chart (`provenance-<chart_version>.tgz`) as a release asset.
+
+## 3. Publish the Chart Only (optional)
+
+If you need to republish the chart without cutting a full app release, use the **Release Helm Chart** workflow (`.github/workflows/release-chart.yml`). It packages the chart and pushes it to the OCI registry without creating a Git tag or release entry.
+
+```bash
+gh workflow run "Release Helm Chart" \
+  --ref main \
+  --field version=0.3.0 \
+  --field app_version=1.0.0
+```
+
+## 4. Verify Artifacts
+
+- Check the GitHub release page for the new tag, autogenerated notes, and the chart `.tgz` asset.
+- Confirm the OCI package exists: `helm pull oci://ghcr.io/<org>/charts/provenance --version 0.3.0`.
+
+## 5. Announce / Deploy
+
+- Notify stakeholders or trigger downstream deployment pipelines as required.
+- Update changelogs or internal docs if you maintain long-form release notes beyond the generated summary.
+
+## Troubleshooting
+
+- **Helm push failures** – Ensure `packages: write` permission is granted and the registry path matches your org or user.
+- **Version mismatch** – The release workflow will stop if `chart_version` input does not match `Chart.yaml`. Keep `Chart.yaml` in sync before starting the workflow.
+- **Existing tag** – The GitHub release step fails if `v<version>` already exists. Delete the tag or choose a new version.
+
+For additional deployment details, see the [Deployment & Operations Guide](deployment-guide.md) and [Helm chart README](../charts/provenance/README.md).