chore: refactor workflows and scripts for improved version management and clean semver enforcement

Author: a-klos

.github/workflows/bump-chart-version.yml

@@ -0,0 +1,58 @@
+name: bump-chart-version
+on:
+  workflow_dispatch:
+    inputs:
+      chart_version:
+        description: "Chart version to set (does not touch appVersion)"
+        required: true
+        type: string
+      ref:
+        description: "Git ref to bump (default: main)"
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  bump:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref || 'main' }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install deps
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install "pyyaml==6.0.2" "packaging==25.0"
+
+      - name: Bump chart version only
+        env:
+          CHART_VERSION: ${{ inputs.chart_version }}
+        run: |
+          if [ -z "${CHART_VERSION}" ]; then
+            echo "chart_version input is required" >&2
+            exit 1
+          fi
+          python tools/bump_chart_versions.py --mode chart-only --chart-version "$CHART_VERSION"
+
+      - name: Open PR for chart version bump
+        uses: peter-evans/create-pull-request@v6
+        with:
+          base: main
+          branch: chore/chart-bump-${{ inputs.chart_version }}
+          title: "chore(release): bump chart version to ${{ inputs.chart_version }}"
+          body: |
+            Bump Chart.yaml version to ${{ inputs.chart_version }} (appVersion unchanged).
+          commit-message: "chore(release): bump chart version to ${{ inputs.chart_version }}"
+          add-paths: |
+            infrastructure/**/Chart.yaml
+          labels: chart-bump

.github/workflows/create-release.yml

@@ -31,6 +31,24 @@ jobs:
           fi
           echo "version=$VERSION" >> $GITHUB_OUTPUT
 
+      - name: Verify appVersion matches release version (clean semver)
+        env:
+          RELEASE_VERSION: ${{ steps.ver.outputs.version }}
+        run: |
+          if echo "$RELEASE_VERSION" | grep -q '\.post'; then
+            echo "Release version must be clean semver (no .post): $RELEASE_VERSION" >&2
+            exit 1
+          fi
+          APP_VERSION=$(awk '/^appVersion:/ {print $2}' infrastructure/rag/Chart.yaml | tr -d "\"'")
+          if [ -z "$APP_VERSION" ]; then
+            echo "Could not read appVersion from infrastructure/rag/Chart.yaml" >&2
+            exit 1
+          fi
+          if [ "$APP_VERSION" != "$RELEASE_VERSION" ]; then
+            echo "Chart appVersion ($APP_VERSION) does not match release version ($RELEASE_VERSION)" >&2
+            exit 1
+          fi
+
       - name: Create Git tag
         run: |
           git config user.name "github-actions"

.github/workflows/prepare-release.yml

@@ -10,15 +10,36 @@ permissions:
   pull-requests: write
 
 jobs:
-  prepare:
+  changes:
     if: >-
       ${{
         github.event.pull_request.merged &&
         !contains(github.event.pull_request.labels.*.name, 'prepare-release') &&
         !contains(github.event.pull_request.labels.*.name, 'refresh-locks') &&
         !contains(github.event.pull_request.labels.*.name, 'chart-bump')
       }}
+    name: Detect release-relevant changes
+    runs-on: ubuntu-latest
+    outputs:
+      releasable: ${{ steps.filter.outputs.releasable }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Filter paths
+        id: filter
+        uses: dorny/paths-filter@v2
+        with:
+          filters: |
+            releasable:
+              - 'services/**'
+              - 'libs/**'
+
+  prepare:
+    if: ${{ needs.changes.outputs.releasable == 'true' }}
     runs-on: ubuntu-latest
+    needs: [changes]
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/promote-clean-semver.yml

@@ -0,0 +1,161 @@
+name: promote-clean-semver
+on:
+  workflow_run:
+    workflows: ["publish-pre-and-qa"]
+    types: [completed]
+  workflow_dispatch:
+    inputs:
+      clean_version:
+        description: "Clean semver to promote (no .post)"
+        required: true
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: write
+
+jobs:
+  promote:
+    name: Publish clean semver, refresh locks, bump appVersion
+    if: |
+      github.event_name == 'workflow_dispatch' ||
+      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref || 'main' }}
+
+      - name: Load version metadata (workflow_run)
+        if: ${{ github.event_name == 'workflow_run' }}
+        uses: actions/download-artifact@v4
+        with:
+          name: pre-release-meta
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+          path: meta
+
+      - name: Determine versions
+        id: versions
+        run: |
+          set -euo pipefail
+          CLEAN_VERSION_INPUT="${{ inputs.clean_version || '' }}"
+          if [ -f meta/version.env ]; then
+            source meta/version.env
+          fi
+          CLEAN_VERSION="${CLEAN_VERSION_INPUT:-${CLEAN_VERSION:-}}"
+          if [ -z "${CLEAN_VERSION:-}" ]; then
+            echo "CLEAN_VERSION is required (input or artifact)" >&2
+            exit 1
+          fi
+          if echo "$CLEAN_VERSION" | grep -q '\.post'; then
+            echo "CLEAN_VERSION must be clean semver (no .post): $CLEAN_VERSION" >&2
+            exit 1
+          fi
+          echo "clean_version=$CLEAN_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install Poetry and deps
+        run: |
+          pip install poetry==2.1.3
+          python -m pip install --upgrade pip
+          python -m pip install "tomlkit==0.13.3" "pyyaml==6.0.2" "packaging==25.0"
+
+      - name: Configure TestPyPI repository
+        run: |
+          poetry config repositories.testpypi https://test.pypi.org/legacy/
+
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
+
+      - name: Update internal libs and service pins to clean version
+        env:
+          VERSION: ${{ steps.versions.outputs.clean_version }}
+        run: |
+          python tools/bump_pyproject_deps.py --version "$VERSION" --bump-libs --bump-service-pins
+
+      - name: Publish clean semver to TestPyPI and PyPI (core-first)
+        env:
+          CLEAN_VERSION: ${{ steps.versions.outputs.clean_version }}
+          POETRY_HTTP_BASIC_TESTPYPI_USERNAME: __token__
+          POETRY_HTTP_BASIC_TESTPYPI_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
+          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.PYPI_TOKEN }}
+        run: |
+          set -euo pipefail
+          if [ -z "${POETRY_HTTP_BASIC_TESTPYPI_PASSWORD:-}" ]; then
+            echo "Missing TEST_PYPI_TOKEN secret" >&2
+            exit 1
+          fi
+          if [ -z "${POETRY_PYPI_TOKEN_PYPI:-}" ]; then
+            echo "Missing PYPI_TOKEN secret" >&2
+            exit 1
+          fi
+
+          source tools/publish_libs.sh
+
+          echo "Publishing clean version $CLEAN_VERSION (core-first) to TestPyPI..."
+          publish_lib "rag-core-lib" "-r testpypi" "$CLEAN_VERSION"
+          wait_for_index "rag-core-lib" "$CLEAN_VERSION" "https://test.pypi.org" "TestPyPI"
+          for lib in rag-core-api admin-api-lib extractor-api-lib; do
+            publish_lib "$lib" "-r testpypi" "$CLEAN_VERSION"
+          done
+
+          echo "Publishing clean version $CLEAN_VERSION (core-first) to PyPI..."
+          publish_lib "rag-core-lib" "" "$CLEAN_VERSION"
+          wait_for_index "rag-core-lib" "$CLEAN_VERSION" "https://pypi.org" "PyPI"
+          for lib in rag-core-api admin-api-lib extractor-api-lib; do
+            publish_lib "$lib" "" "$CLEAN_VERSION"
+          done
+
+      - name: Clear poetry caches
+        run: |
+          poetry cache clear --all pypi -n || true
+          poetry cache clear --all testpypi -n || true
+
+      - name: Refresh service lockfiles
+        env:
+          VERSION: ${{ steps.versions.outputs.clean_version }}
+        run: |
+          for svc in services/rag-backend services/admin-backend services/document-extractor services/mcp-server; do
+            if [ -f "$svc/pyproject.toml" ]; then
+              echo "Locking $svc"
+              (
+                cd "$svc"
+                poetry lock -v || (
+                  echo "Lock failed, clearing caches and retrying...";
+                  poetry cache clear --all pypi -n || true;
+                  poetry cache clear --all testpypi -n || true;
+                  sleep 10;
+                  poetry lock -v
+                )
+              )
+            fi
+          done
+
+      - name: Bump Chart appVersion to clean version (leave chart version for manual chart publish)
+        env:
+          APP_VERSION: ${{ steps.versions.outputs.clean_version }}
+        run: |
+          python tools/bump_chart_versions.py --app-version "$APP_VERSION" --mode app-only
+
+      - name: Open PR with updated locks, pins, and Chart appVersion
+        id: cpr
+        uses: peter-evans/create-pull-request@v6
+        with:
+          branch: chore/refresh-locks-${{ steps.versions.outputs.clean_version }}-${{ github.run_number }}
+          title: "chore(release): refresh service lockfiles for ${{ steps.versions.outputs.clean_version }}"
+          body: |
+            Refresh service poetry.lock files, dependency pins, and Chart appVersion for version ${{ steps.versions.outputs.clean_version }}.
+          commit-message: "chore(release): refresh service lockfiles, pins, and Chart appVersion"
+          add-paths: |
+            services/**/pyproject.toml
+            services/**/poetry.lock
+            infrastructure/**/Chart.yaml
+            libs/**/pyproject.toml
+          labels: refresh-locks

.github/workflows/publish-chart-packages.yml

@@ -0,0 +1,113 @@
+name: publish-chart-packages
+on:
+  pull_request:
+    branches: [main]
+    types: [closed]
+  workflow_dispatch:
+    inputs:
+      chart_version:
+        description: "Chart version to publish (default: read from Chart.yaml)"
+        required: false
+        type: string
+      ref:
+        description: "Git ref to package from (default: main)"
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  packages: write
+  pages: write
+  id-token: write
+
+env:
+  OCI_REGISTRY: ghcr.io
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    if: |
+      (github.event_name == 'pull_request' && github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'chart-bump'))
+      || github.event_name == 'workflow_dispatch'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref || 'main' }}
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+
+      - name: Login to GHCR for Helm OCI
+        run: echo ${{ secrets.GHCR_PAT }} | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Determine chart version
+        id: meta
+        run: |
+          set -euo pipefail
+          INPUT_VER="${{ inputs.chart_version }}"
+          FILE_VER=$(awk '/^version:/ {print $2}' infrastructure/rag/Chart.yaml | tr -d "\"'")
+          CHART_VERSION="${INPUT_VER:-$FILE_VER}"
+          if [ -z "$CHART_VERSION" ]; then
+            echo "Could not determine chart version" >&2
+            exit 1
+          fi
+          echo "chart_version=$CHART_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Verify chart version matches input (if provided)
+        env:
+          INPUT_VER: ${{ inputs.chart_version }}
+          FILE_VER: ${{ steps.meta.outputs.chart_version }}
+        run: |
+          if [ -n "$INPUT_VER" ] && [ "$INPUT_VER" != "$FILE_VER" ]; then
+            echo "Chart.yaml version ($FILE_VER) does not match input $INPUT_VER" >&2
+            exit 1
+          fi
+
+      - name: Package chart
+        run: |
+          set -euo pipefail
+          CHART_DIR="infrastructure/rag"
+          mkdir -p dist
+          helm dependency update "$CHART_DIR" || true
+          helm package "$CHART_DIR" --destination dist
+          ls -la dist
+
+      - name: Push chart to GHCR (OCI)
+        env:
+          CHART_VERSION: ${{ steps.meta.outputs.chart_version }}
+        run: |
+          set -euo pipefail
+          PKG=$(ls dist/*.tgz)
+          helm show chart "$PKG" | grep -E "^version: "
+          helm push "$PKG" oci://$OCI_REGISTRY/${{ github.repository_owner }}/charts
+
+      - name: Build Helm repo index for Pages
+        env:
+          CHART_VERSION: ${{ steps.meta.outputs.chart_version }}
+        run: |
+          set -euo pipefail
+          PKG=$(ls dist/*.tgz)
+          REPO="${GITHUB_REPOSITORY#*/}"
+          BASE_URL="https://${GITHUB_REPOSITORY_OWNER}.github.io/${REPO}"
+          helm repo index dist --url "$BASE_URL"
+          echo "Index generated for $BASE_URL"
+
+      - name: Upload Pages artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: dist
+
+  deploy-pages:
+    needs: publish
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4