refactor: update GitHub workflows for release management and image build

.github/workflows/build-images.yml

@@ -0,0 +1,110 @@
+name: build-images
+run-name: build-images ${{ github.event.release.tag_name }}
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  prepare:
+    if: ${{ github.event_name == 'release' }}
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.release_tag.outputs.tag }}
+      version: ${{ steps.release_tag.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Resolve release tag & version
+        id: release_tag
+        run: |
+          git fetch --tags --force
+          TAG="${{ github.event.release.tag_name }}"
+          if [ -z "$TAG" ]; then
+            echo "No Git tag found to check out" >&2
+            exit 1
+          fi
+          VER_NO_V="${TAG#v}"
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "version=$VER_NO_V" >> $GITHUB_OUTPUT
+
+  build-image:
+    needs: prepare
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: rag-backend
+            dockerfile: services/rag-backend/Dockerfile
+          - name: admin-backend
+            dockerfile: services/admin-backend/Dockerfile
+          - name: document-extractor
+            dockerfile: services/document-extractor/Dockerfile
+          - name: mcp-server
+            dockerfile: services/mcp-server/Dockerfile
+          - name: frontend
+            dockerfile: services/frontend/apps/chat-app/Dockerfile
+          - name: admin-frontend
+            dockerfile: services/frontend/apps/admin-app/Dockerfile
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NS: ${{ github.repository }}
+      VERSION: ${{ needs.prepare.outputs.version }}
+      TAG: ${{ needs.prepare.outputs.tag }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Checkout release tag
+        run: git checkout "$TAG"
+      - name: Normalize IMAGE_NS to lowercase
+        run: echo "IMAGE_NS=$(echo '${{ env.IMAGE_NS }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.PR_AUTOMATION_TOKEN }}
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build & push ${{ matrix.name }}
+        run: |
+          docker buildx build --push \
+            -t "$REGISTRY/$IMAGE_NS/${{ matrix.name }}:${VERSION}" \
+            -t "$REGISTRY/$IMAGE_NS/${{ matrix.name }}:latest" \
+            -f "${{ matrix.dockerfile }}" .
+      - name: Capture digest
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          ref="$REGISTRY/$IMAGE_NS/${{ matrix.name }}:${VERSION}"
+          digest=$(docker buildx imagetools inspect "$ref" --format '{{json .Manifest.Digest}}' | jq -r . || true)
+          jq -n --arg name "${{ matrix.name }}" --arg tag "$VERSION" --arg digest "$digest" '{($name): {tag: $tag, digest: $digest}}' > digest.json
+      - name: Upload digest artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-digest-${{ matrix.name }}
+          path: digest.json
+
+  collect-digests:
+    needs: [build-image]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download digest artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: image-digest-*
+          merge-multiple: false
+      - name: Merge digests
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          jq -s 'reduce .[] as $item ({}; . * $item)' image-digest-*/digest.json > image-digests.json
+      - name: Upload merged digests
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-digests
+          path: image-digests.json

.github/workflows/bump-chart-version.yml

@@ -0,0 +1,59 @@
+name: bump-chart-version
+on:
+  workflow_dispatch:
+    inputs:
+      chart_version:
+        description: "Chart version to set (does not touch appVersion)"
+        required: true
+        type: string
+      ref:
+        description: "Git ref to bump (default: main)"
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  bump:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref || 'main' }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install deps
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install "packaging==25.0" "ruamel.yaml==0.18.6"
+
+      - name: Bump chart version only
+        env:
+          CHART_VERSION: ${{ inputs.chart_version }}
+        run: |
+          if [ -z "${CHART_VERSION}" ]; then
+            echo "chart_version input is required" >&2
+            exit 1
+          fi
+          python tools/bump_chart_versions.py --mode chart-only --chart-version "$CHART_VERSION"
+
+      - name: Open PR for chart version bump
+        uses: peter-evans/create-pull-request@v6
+        with:
+          base: main
+          branch: chore/chart-bump-${{ inputs.chart_version }}
+          title: "chore(release): bump chart version to ${{ inputs.chart_version }}"
+          body: |
+            Bump Chart.yaml version to ${{ inputs.chart_version }} (appVersion unchanged).
+          commit-message: "chore(release): bump chart version to ${{ inputs.chart_version }}"
+          add-paths: |
+            infrastructure/**/Chart.yaml
+          token: ${{ secrets.PR_AUTOMATION_TOKEN }}
+          labels: chart-bump

.github/workflows/create-release.yml

@@ -0,0 +1,68 @@
+name: create-release
+on:
+  pull_request_target:
+    types: [closed]
+    branches: [main]
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    if: >-
+      ${{
+        github.event.pull_request.merged == true &&
+        contains(github.event.pull_request.labels.*.name, 'refresh-locks')
+      }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.PR_AUTOMATION_TOKEN }}
+
+      - name: Derive version from PR title
+        id: ver
+        run: |
+          TITLE="${{ github.event.pull_request.title }}"
+          VERSION=$(echo "$TITLE" | sed -nE 's/.*([0-9]+\.[0-9]+\.[0-9]+(\.post[0-9]+)?).*/\1/p' || true)
+          if [ -z "$VERSION" ]; then
+            echo "Could not extract version from PR title: $TITLE" >&2
+            exit 1
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Verify appVersion matches release version (clean semver)
+        env:
+          RELEASE_VERSION: ${{ steps.ver.outputs.version }}
+        run: |
+          if echo "$RELEASE_VERSION" | grep -q '\.post'; then
+            echo "Release version must be clean semver (no .post): $RELEASE_VERSION" >&2
+            exit 1
+          fi
+          APP_VERSION=$(awk '/^appVersion:/ {print $2}' infrastructure/rag/Chart.yaml | tr -d "\"'")
+          if [ -z "$APP_VERSION" ]; then
+            echo "Could not read appVersion from infrastructure/rag/Chart.yaml" >&2
+            exit 1
+          fi
+          NORMALIZED_APP_VERSION="${APP_VERSION#v}"
+          NORMALIZED_APP_VERSION="${NORMALIZED_APP_VERSION#V}"
+          if [ "$NORMALIZED_APP_VERSION" != "$RELEASE_VERSION" ]; then
+            echo "Chart appVersion ($APP_VERSION) does not match release version ($RELEASE_VERSION)" >&2
+            exit 1
+          fi
+
+      - name: Create Git tag
+        run: |
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
+          git tag -a "v${{ steps.ver.outputs.version }}" -m "Release v${{ steps.ver.outputs.version }}"
+          git push origin "v${{ steps.ver.outputs.version }}"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.ver.outputs.version }}
+          name: v${{ steps.ver.outputs.version }}
+          generate_release_notes: true
+          token: ${{ secrets.PR_AUTOMATION_TOKEN }}

.github/workflows/lint-and-test.yml

@@ -12,6 +12,12 @@ env:
 
 jobs:
   changes:
+    if: >-
+      ${{
+        !contains(github.event.pull_request.labels.*.name, 'prepare-release') &&
+        !contains(github.event.pull_request.labels.*.name, 'refresh-locks') &&
+        !contains(github.event.pull_request.labels.*.name, 'chart-bump')
+      }}
     name: Detect Changes
     runs-on: ubuntu-latest
     outputs:

.github/workflows/prepare-release.yml

@@ -0,0 +1,116 @@
+name: prepare-release
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Override release version (e.g., 3.5.0.postYYYYMMDDHHMMSS). If empty, semantic-release dry-run is used."
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  changes:
+    if: >-
+      ${{
+        github.event_name == 'workflow_dispatch' ||
+        (
+          github.event.pull_request.merged &&
+          !contains(github.event.pull_request.labels.*.name, 'prepare-release') &&
+          !contains(github.event.pull_request.labels.*.name, 'refresh-locks') &&
+          !contains(github.event.pull_request.labels.*.name, 'chart-bump')
+        )
+      }}
+    name: Detect release-relevant changes
+    runs-on: ubuntu-latest
+    outputs:
+      releasable: ${{ steps.manual.outputs.releasable || steps.filter.outputs.releasable }}
+    steps:
+      - name: Allow manual run
+        id: manual
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        run: echo "releasable=true" >> "$GITHUB_OUTPUT"
+
+      - uses: actions/checkout@v4
+        if: ${{ github.event_name == 'pull_request' }}
+        with:
+          fetch-depth: 0
+
+      - name: Filter paths
+        id: filter
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: dorny/paths-filter@v2
+        with:
+          filters: |
+            releasable:
+              - 'services/**'
+              - 'libs/**'
+
+  prepare:
+    if: ${{ needs.changes.outputs.releasable == 'true' }}
+    runs-on: ubuntu-latest
+    needs: [changes]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '25'
+
+      - name: Install semantic-release deps
+        run: npm ci
+
+      - name: verify-dependencies-integrity
+        run: npm audit signatures
+
+      - name: Compute next version (dry-run)
+        id: semrel
+        env:
+          GITHUB_TOKEN: ${{ secrets.PR_AUTOMATION_TOKEN }}
+        run: |
+          if [ -n "${{ github.event.inputs.version }}" ]; then
+            echo "version=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          npx semantic-release --dry-run --no-ci | tee semrel.log
+          BASE_VERSION=$(grep -Eo "next release version is [0-9]+\.[0-9]+\.[0-9]+" semrel.log | awk '{print $5}')
+          if [ -z "$BASE_VERSION" ]; then echo "No new release required"; exit 1; fi
+          VERSION="${BASE_VERSION}.post$(date +%Y%m%d%H%M%S)"
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install bump script deps
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install "tomlkit==0.13.3" "pyyaml==6.0.2" "packaging==25.0"
+
+      - name: Bump internal libs only (no service pins)
+        run: |
+          python tools/bump_pyproject_deps.py --version "${{ steps.semrel.outputs.version }}" --bump-libs
+
+      - name: Commit and open PR
+        uses: peter-evans/create-pull-request@v6
+        with:
+          branch: chore/release-${{ steps.semrel.outputs.version }}
+          title: "chore(release): prepare ${{ steps.semrel.outputs.version }}"
+          body: |
+            Prepare release ${{ steps.semrel.outputs.version }}
+            - bump internal libs versions only
+          commit-message: "chore(release): prepare ${{ steps.semrel.outputs.version }}"
+          add-paths: |
+            libs/**/pyproject.toml
+          labels: prepare-release
+          token: ${{ secrets.PR_AUTOMATION_TOKEN }}