feat: implement unified release system for Helm chart synchronization

- Fix release-please configuration contradictions
- Remove charts from exclude-paths, add structured extra-files
- Disable separate-pull-requests for unified releases
- Create unified-release.yaml workflow with version validation
- Disable legacy helm.yaml and release-please.yaml workflows
- Update chart version to sync with app version (0.39.0-rc.2)
- Remove manual chart updates from prepare-release.yaml
- Add comprehensive documentation for new release system

Resolves Helm chart release synchronization issues:
- Eliminates version misalignment between app and chart
- Supports prerelease versions (RC) automatically
- Provides single source of truth for all releases
- Includes validation and error handling

Scope: CI/CD workflows and release configuration only
No application code changes

Author: casibbald

.github/workflows/helm.yaml renamed to .github/workflows/helm.yaml.disabled

@@ -47,16 +47,16 @@ jobs:
           yarn test -u
           git commit -am "Update javascript library version to $GITOPS_VERSION"
 
-      - name: Update Chart
+      # NOTE: Chart updates are now handled automatically by release-please
+      # in the unified-release.yaml workflow. This manual step is no longer needed.
+      - name: Chart Update Notice
         run: |
-          # Increment the micro chart version
-          NEW_CHART_VERSION=$(yq e '.version' charts/gitops-server/Chart.yaml | awk -F. -v OFS=. '{ $3++; print }')
-          yq e '.appVersion = "${{ github.event.inputs.version }}"' -i charts/gitops-server/Chart.yaml
-          yq e '.version = "'$NEW_CHART_VERSION'"' -i charts/gitops-server/Chart.yaml
-          yq e '.image.tag = "${{ github.event.inputs.version }}"' -i charts/gitops-server/values.yaml
-
-          git commit -am "Update helm chart to $NEW_CHART_VERSION to use gitops $GITOPS_VERSION"
-        if: ${{ !contains(github.event.inputs.version, '-') }}
+          echo "ℹ️  Chart version updates are now handled automatically by release-please"
+          echo "📋 The unified-release.yaml workflow will update:"
+          echo "   - Chart appVersion to match application version"
+          echo "   - Chart version to match application version (without 'v' prefix)"
+          echo "   - Image tag in values.yaml"
+          echo "✅ No manual chart updates required"
       - name: Generate updated helm reference
         # Needs to run after chart update, before docs update
         run: |

.github/workflows/prepare-release.yaml

@@ -1,21 +1,45 @@
 ---
-name: release-please
+name: release-please-legacy
 
+# DISABLED: This workflow has been replaced by unified-release.yaml
+# The unified workflow handles both application and Helm chart releases synchronously
 on:
-  push:
-    branches:
-      - main
+  workflow_dispatch:
+    inputs:
+      force_run:
+        description: 'Force run legacy workflow (for emergency use only)'
+        required: true
+        default: 'false'
+        type: choice
+        options:
+          - 'false'
+          - 'true'
 
 permissions:
   contents: read
 
 jobs:
+  legacy-workflow-notice:
+    runs-on: ubuntu-latest
+    if: "${{ github.event.inputs.force_run != 'true' }}"
+    steps:
+      - name: Legacy workflow notice
+        run: |
+          echo "❌ This legacy workflow has been disabled"
+          echo "✅ Use the unified-release.yaml workflow instead"
+          echo "🔄 The unified workflow synchronizes both app and Helm chart releases"
+          echo ""
+          echo "If you need to run this legacy workflow for emergency purposes:"
+          echo "1. Re-run this workflow"
+          echo "2. Set 'force_run' input to 'true'"
+          exit 1
+
   release-please:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       pull-requests: write
-    if: "${{ github.repository_owner == 'weaveworks' && github.ref_name == 'main' }}"
+    if: "${{ github.repository_owner == 'weaveworks' && github.event.inputs.force_run == 'true' }}"
     outputs:
       release_created: ${{ steps.release-please.outputs.release_created }}
       tag_name: ${{ steps.release-please.outputs.tag_name }}

.github/workflows/release-please.yaml

@@ -0,0 +1,240 @@
+---
+name: Unified Release
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: "${{ github.repository_owner == 'weaveworks' && github.ref_name == 'main' }}"
+    outputs:
+      release_created: ${{ steps.release-please.outputs.release_created }}
+      tag_name: ${{ steps.release-please.outputs.tag_name }}
+      version: ${{ steps.release-please.outputs.version }}
+      major: ${{ steps.release-please.outputs.major }}
+      minor: ${{ steps.release-please.outputs.minor }}
+      patch: ${{ steps.release-please.outputs.patch }}
+    steps:
+      - name: Release Please
+        id: release-please
+        uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0
+        with:
+          token: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}
+
+  validate-versions:
+    needs: release-please
+    runs-on: ubuntu-latest
+    if: "${{ needs.release-please.outputs.release_created }}"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Validate chart version synchronization
+        run: |
+          APP_VERSION="${{ needs.release-please.outputs.version }}"
+          CHART_APP_VERSION=$(yq e '.appVersion' charts/gitops-server/Chart.yaml)
+          CHART_VERSION=$(yq e '.version' charts/gitops-server/Chart.yaml)
+          IMAGE_TAG=$(yq e '.image.tag' charts/gitops-server/values.yaml)
+          
+          echo "Application Version: $APP_VERSION"
+          echo "Chart AppVersion: $CHART_APP_VERSION"
+          echo "Chart Version: $CHART_VERSION"
+          echo "Image Tag: $IMAGE_TAG"
+          
+          # Validate that chart appVersion matches application version
+          if [[ "$CHART_APP_VERSION" != "$APP_VERSION" ]]; then
+            echo "❌ Error: Chart appVersion ($CHART_APP_VERSION) does not match application version ($APP_VERSION)"
+            exit 1
+          fi
+          
+          # Validate that image tag matches application version
+          if [[ "$IMAGE_TAG" != "$APP_VERSION" ]]; then
+            echo "❌ Error: Image tag ($IMAGE_TAG) does not match application version ($APP_VERSION)"
+            exit 1
+          fi
+          
+          # Validate that chart version follows expected pattern (remove 'v' prefix from app version)
+          EXPECTED_CHART_VERSION=$(echo "$APP_VERSION" | sed 's/^v//')
+          if [[ "$CHART_VERSION" != "$EXPECTED_CHART_VERSION" ]]; then
+            echo "❌ Error: Chart version ($CHART_VERSION) does not match expected version ($EXPECTED_CHART_VERSION)"
+            exit 1
+          fi
+          
+          echo "✅ All versions are synchronized correctly"
+
+  publish-npm-package:
+    needs: [release-please, validate-versions]
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write # needed for GitHub Packages registry access
+    if: "${{ needs.release-please.outputs.release_created }}"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: package.json
+          registry-url: "https://npm.pkg.github.com"
+          scope: "@weaveworks"
+      - run: yarn
+      - run: make ui-lib && cd dist && npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  build-and-push-image:
+    needs: [release-please, validate-versions]
+    uses: ./.github/workflows/build-push-image.yaml
+    with:
+      file: gitops-server.dockerfile
+      flavor: |
+        latest=true
+      image: ghcr.io/weaveworks/wego-app
+      platforms: linux/amd64,linux/arm64
+      push: true
+      tags: |
+        type=raw,value=${{ needs.release-please.outputs.tag_name }}
+        type=semver,pattern={{version}},value=${{ needs.release-please.outputs.version }}
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      id-token: write # for Cosign to be able to sign images with GHA token
+      packages: write # for docker/build-push-action to push images
+    if: "${{ needs.release-please.outputs.release_created }}"
+
+  build-and-push-chart:
+    needs: [release-please, validate-versions, build-and-push-image]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      id-token: write # for Cosign to be able to sign chart with GHA token
+      packages: write # for helm to push OCI chart
+    if: "${{ needs.release-please.outputs.release_created }}"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      
+      - name: Validate chart before packaging
+        run: |
+          APP_VERSION="${{ needs.release-please.outputs.version }}"
+          CHART_VERSION=$(yq e '.version' charts/gitops-server/Chart.yaml)
+          
+          echo "Packaging chart version: $CHART_VERSION for app version: $APP_VERSION"
+          
+          # Validate chart syntax
+          helm lint charts/gitops-server/
+          
+      - name: Package chart
+        run: |
+          mkdir helm-release
+          helm package charts/gitops-server/ -d helm-release
+          
+          # List packaged chart for verification
+          ls -la helm-release/
+          
+      - name: Log in to the Container registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Publish chart
+        id: publish-chart
+        run: |
+          CHART_VERSION=$(yq e '.version' charts/gitops-server/Chart.yaml)
+          CHART_FILE="helm-release/weave-gitops-${CHART_VERSION}.tgz"
+          
+          if [[ ! -f "$CHART_FILE" ]]; then
+            echo "❌ Error: Chart file $CHART_FILE not found"
+            ls -la helm-release/
+            exit 1
+          fi
+          
+          echo "Publishing chart: $CHART_FILE"
+          helm push "$CHART_FILE" oci://ghcr.io/weaveworks/charts &> helm-release/push-metadata.txt
+          
+          # Extract digest for signing
+          CHART_DIGEST=$(awk '/Digest: /{print $2}' helm-release/push-metadata.txt)
+          echo "Chart digest: $CHART_DIGEST"
+          echo "digest=$CHART_DIGEST" >> $GITHUB_OUTPUT
+          
+          # Display push metadata for debugging
+          echo "Push metadata:"
+          cat helm-release/push-metadata.txt
+          
+      - name: Install cosign
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+        
+      - name: Keyless signing of chart
+        run: |
+          cosign sign --yes ghcr.io/weaveworks/charts@${{ steps.publish-chart.outputs.digest }}
+          
+      - name: Verify the chart signing
+        run: |
+          cosign verify ghcr.io/weaveworks/charts@${{ steps.publish-chart.outputs.digest }} \
+            --certificate-identity "https://github.com/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | jq .
+
+  goreleaser:
+    needs: [release-please, validate-versions]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      id-token: write # for Cosign to be able to sign release artifacts with GHA token
+    if: "${{ needs.release-please.outputs.release_created }}"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+      - name: Include brew publishing
+        run: cat .goreleaser.brew.yml >> .goreleaser.yml
+        if: ${{ !contains(needs.release-please.outputs.version, '-') }}
+      - name: Install cosign
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        with:
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}
+          BOT_TOKEN: ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}
+
+  create-release-summary:
+    needs: [release-please, validate-versions, publish-npm-package, build-and-push-image, build-and-push-chart, goreleaser]
+    runs-on: ubuntu-latest
+    if: "${{ needs.release-please.outputs.release_created }}"
+    steps:
+      - name: Create release summary
+        run: |
+          echo "# 🚀 Release Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Version:** ${{ needs.release-please.outputs.version }}" >> $GITHUB_STEP_SUMMARY
+          echo "**Tag:** ${{ needs.release-please.outputs.tag_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## 📦 Components Released" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Application binaries (GoReleaser)" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Container images (ghcr.io/weaveworks/wego-app)" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ Helm chart (ghcr.io/weaveworks/charts)" >> $GITHUB_STEP_SUMMARY
+          echo "- ✅ NPM package (@weaveworks scope)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "## 🔄 Version Synchronization" >> $GITHUB_STEP_SUMMARY
+          echo "All components have been released with synchronized versions:" >> $GITHUB_STEP_SUMMARY
+          echo "- Application: ${{ needs.release-please.outputs.version }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Chart AppVersion: ${{ needs.release-please.outputs.version }}" >> $GITHUB_STEP_SUMMARY
+          echo "- Chart Version: $(echo '${{ needs.release-please.outputs.version }}' | sed 's/^v//')" >> $GITHUB_STEP_SUMMARY
+          echo "- Image Tag: ${{ needs.release-please.outputs.version }}" >> $GITHUB_STEP_SUMMARY

.github/workflows/unified-release.yaml

@@ -1,4 +1,3 @@
 {
-  ".": "0.39.0-rc.2",
-  "charts/gitops-server": "4.0.36"
+  ".": "0.39.0-rc.2"
 }

.release-please-manifest.json

@@ -13,7 +13,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 4.0.36
+version: 0.39.0-rc.2 # x-release-please-version
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.