ci: ensure image is published once

[arealmaas]

Description

This change streamlines our Docker image management by building and publishing images only once when a release is created, rather than rebuilding for each environment. These published images are then reused across staging, yt01 and production deployments.

Technical Changes

1. Get the previous release SHA before creating a new release
2. Only trigger Docker image builds when there are backend changes since the previous release
3. Trigger staging/yt01 deployment via repository dispatch after successful release

Next up:

• Trigger a dry-run of deployment to production
• Notify dry-run of production is complete in Slack
• Add deploy-to-production workflow without dry-run and environment gating

Related Issue(s)

• Investigate better production deployment workflow #1692

Verification

• Your code builds clean without any errors or warnings
• Manual testing done (required)
• Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

• Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request introduces significant changes to the GitHub Actions workflows, primarily focusing on restructuring the release and deployment processes. The main modifications include removing the release-please job from the main CI/CD workflow, creating a new dedicated release workflow, and updating staging and specific environment workflows to use repository dispatch triggers instead of push events. The changes simplify the release management approach by separating release creation from deployment and removing direct Docker image publishing steps.

Changes

File	Change Summary
.github/workflows/ci-cd-main.yml	Removed release-please job from the workflow
.github/workflows/ci-cd-release-please.yml	New workflow added for managing release process with jobs for release creation, change detection, publishing, and notifications
.github/workflows/ci-cd-staging.yml	Removed push trigger, added repository_dispatch trigger, removed publish job, updated job dependencies
.github/workflows/ci-cd-yt01.yml	Removed push trigger, added repository_dispatch trigger, removed publish job, updated job dependencies
.github/workflows/workflow-send-ci-cd-status-slack-message.yml	Added new input parameters release_please_status and notify_release_created_status, updated status emoji logic

Possibly related PRs

• chore: Include chores in the changelog #1525: Configuring release process using release-please, directly related to release management workflow modifications

Suggested reviewers

• oskogstad

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 86e71b8 and a26bc99.

📒 Files selected for processing (2)

• .github/workflows/ci-cd-release-please.yml (1 hunks)
• .github/workflows/ci-cd-staging.yml (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/ci-cd-release-please.yml

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Dry run deploy infrastructure / Deploy to test

🔇 Additional comments (2)

.github/workflows/ci-cd-staging.yml (2)

5-6: LGTM! Trigger changes align with deployment strategy.

The addition of the repository_dispatch trigger for release_created events aligns with the PR objective of deploying to staging after a successful release.

---

65-65: LGTM! Job dependencies updated correctly.

The removal of the publish job dependency aligns with the strategy of reusing pre-built Docker images from the release process instead of rebuilding them during deployment.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/ci-cd-release-please.yml (1)

27-33: Consider caching the previous release SHA.

The workflow fetches the previous release SHA on every run. Consider caching this value to reduce API calls.

 - name: Get previous release SHA
   id: get-previous-release
+  env:
+    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    CACHE_KEY: previous-release-sha
   run: |
-    sha=$(gh api repos/${{ github.repository }}/releases/latest --jq '.target_commitish')
-    echo "sha=${sha}" >> $GITHUB_OUTPUT
-  env:
-    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    if ! sha=$(gh variable list --json name,value | jq -r '.[] | select(.name=="'$CACHE_KEY'") | .value'); then
+      sha=$(gh api repos/${{ github.repository }}/releases/latest --jq '.target_commitish')
+      gh variable set "$CACHE_KEY" --body "$sha"
+    fi
+    echo "sha=${sha}" >> $GITHUB_OUTPUT

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14ff138 and 86e71b8.

📒 Files selected for processing (5)

• .github/workflows/ci-cd-main.yml (0 hunks)
• .github/workflows/ci-cd-release-please.yml (1 hunks)
• .github/workflows/ci-cd-staging.yml (3 hunks)
• .github/workflows/ci-cd-yt01.yml (3 hunks)
• .github/workflows/workflow-send-ci-cd-status-slack-message.yml (3 hunks)

💤 Files with no reviewable changes (1)

• .github/workflows/ci-cd-main.yml

🔇 Additional comments (7)

.github/workflows/ci-cd-release-please.yml (3)

13-16: LGTM! Required permissions are correctly configured.

The workflow has the necessary permissions for release management:

• contents: write for creating releases
• pull-requests: write for release PRs
• packages: write for publishing Docker images

---

71-84: LGTM! Comprehensive failure notification setup.

The Slack notification job:

• Runs on any failure (always() && failure())
• Includes status of all critical jobs
• Uses appropriate secrets for Slack integration

---

35-39: Verify the release-please token permissions.

The workflow uses a custom PAT (RELEASE_PLEASE_PAT) instead of the default GITHUB_TOKEN. Ensure this token has the minimum required permissions.

✅ Verification successful

Custom PAT with minimum required permissions is a security best practice ✅

The use of RELEASE_PLEASE_PAT with specific scopes is actually recommended over using the default GITHUB_TOKEN. The token only needs these permissions:

• contents:write - for releases and commits
• pull_requests:write - for release PRs
• repository_dispatch:write - for deployment triggers

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the RELEASE_PLEASE_PAT token has excessive permissions

# Test: List repository variables to check token permissions
gh api \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/$GITHUB_REPOSITORY/actions/variables

Length of output: 227

---

Script:

#!/bin/bash
# Search for documentation and configuration related to release-please permissions
echo "=== Searching for documentation files ==="
fd -e md -e txt | xargs rg -i "release.?please|token|permission" || true

echo -e "\n=== Searching workflow files for release-please configurations ==="
fd "^.*\.ya?ml$" .github/workflows/ | xargs rg -i "release.?please" -C 3 || true

echo -e "\n=== Searching for security-related comments ==="
rg -i "PAT|token|permission|scope" .github/workflows/ || true

Length of output: 34053

.github/workflows/workflow-send-ci-cd-status-slack-message.yml (1)

37-44: LGTM! New status inputs are well-documented.

The new inputs for tracking release statuses:

• release_please_status
• notify_release_created_status
  are properly defined with clear descriptions and default values.

.github/workflows/ci-cd-staging.yml (1)

5-6: LGTM! Deployment trigger changed to repository dispatch.

The workflow now triggers on release_created events instead of push, aligning with the new release-driven deployment strategy.

.github/workflows/ci-cd-yt01.yml (2)

5-6: LGTM! Deployment trigger matches staging workflow.

The workflow consistently uses the same release_created trigger as the staging workflow.

---

65-65: LGTM! Job dependencies properly updated.

The removal of the publish job is properly reflected in the job dependencies:

• deploy-apps now depends on [get-current-version, check-for-changes, deploy-infra]
• send-slack-message-on-failure correctly includes all remaining jobs

Also applies to: 145-145