🚀 ci: improve release workflow with version synchronization

Add version check job and release automation scripts to ensure Git tag,
Chart version, appVersion, and Docker image tag stay consistent.

Changes:
- Add version-check job in CI to validate version sync before release
- Add scripts/check-version.sh to validate version consistency
- Add scripts/release.sh to automate Chart.yaml version updates
- Update Helm chart to use appVersion as default image tag
- Update documentation with release workflow instructions
- Bump chart version to 0.1.4

Author: crazygit

.github/workflows/ci.yaml

@@ -68,9 +68,20 @@ jobs:
         run: |
           helm lint deploy/cert-manager-alidns-webhook
 
+  version-check:
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Check release version sync
+        run: ./scripts/check-version.sh
+
   docker-release:
     if: startsWith(github.ref, 'refs/tags/v')
-    needs: [test, helm-lint]
+    needs: [test, helm-lint, version-check]
     uses: ./.github/workflows/docker-release.yaml
     secrets: inherit
     permissions:
@@ -80,7 +91,7 @@ jobs:
 
   helm-release:
     if: startsWith(github.ref, 'refs/tags/v')
-    needs: [test, helm-lint]
+    needs: [test, helm-lint, version-check]
     uses: ./.github/workflows/helm-release.yaml
     secrets: inherit
     permissions:

.github/workflows/helm-release.yaml

@@ -33,7 +33,8 @@ jobs:
       - name: Package Helm Chart
         run: |
           cd deploy/cert-manager-alidns-webhook
-          helm package .
+          VERSION=${GITHUB_REF_NAME#v}
+          helm package . --version "${VERSION}" --app-version "${VERSION}"
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3

DEVELOPMENT.md

@@ -13,6 +13,7 @@
 - [开发环境](#开发环境)
 - [故障排查](#故障排查)
 - [测试指南](#测试指南)
+- [发布流程](#发布流程)
 - [参考资源](#参考资源)
 
 ---
@@ -351,6 +352,39 @@ make test-all
 
 ---
 
+## 发布流程
+
+发布使用 Git tag 作为唯一版本源，Chart 版本、appVersion 和镜像标签保持一致。
+
+### 版本约定
+
+- Git tag: `vX.Y.Z`
+- Helm chart: `version: X.Y.Z`
+- Helm chart: `appVersion: X.Y.Z`
+- Docker image tag: `X.Y.Z`
+
+### 发布步骤
+
+```bash
+# 1. 更新 Chart.yaml version/appVersion
+make release VERSION=0.1.3
+
+# 2. 提交变更
+git add deploy/cert-manager-alidns-webhook/Chart.yaml
+git commit -m "release: v0.1.3"
+
+# 3. 打 tag 并推送
+git tag -a v0.1.3 -m "release: v0.1.3"
+git push --follow-tags
+```
+
+### 校验说明
+
+- `scripts/check-version.sh` 会确保 tag 与 `Chart.yaml` 的 `version/appVersion` 完全一致
+- CI 在 tag 触发时强制执行校验，不一致会阻止发布
+
+---
+
 ## 参考资源
 
 ### 阿里云官方文档

Makefile

@@ -50,6 +50,10 @@ clean:
 build:
 	docker build -t "$(IMAGE_NAME):$(IMAGE_TAG)" .
 
+.PHONY: release
+release:
+	./scripts/release.sh $(VERSION)
+
 .PHONY: rendered-manifest.yaml
 rendered-manifest.yaml: $(OUT)/rendered-manifest.yaml
 

README.md

@@ -270,7 +270,7 @@ kubectl delete configmap aliyun-config
 | :------------------------------------ | :------------------------- | :------------------------------------- |
 | `groupName`                           | API group name             | `alidns.crazygit.github.io`            |
 | `image.repository`                    | Image repository           | `crazygit/cert-manager-alidns-webhook` |
-| `image.tag`                           | Image tag                  | `latest`                               |
+| `image.tag`                           | Image tag                  | `""` (defaults to chart appVersion)   |
 | `replicaCount`                        | Replica count              | `1`                                    |
 | `aliyunAuth.regionID`                 | Alibaba Cloud region ID    | `""`                                   |
 | `aliyunAuth.accessKeyID`              | AccessKey ID               | `""`                                   |

README.zh-CN.md

@@ -269,7 +269,7 @@ kubectl delete configmap aliyun-config
 | :------------------------------------ | :---------------------------- | :------------------------------------- |
 | `groupName`                           | API 组名                      | `alidns.crazygit.github.io`            |
 | `image.repository`                    | 镜像仓库                      | `crazygit/cert-manager-alidns-webhook` |
-| `image.tag`                           | 镜像标签                      | `latest`                               |
+| `image.tag`                           | 镜像标签                      | `""`（默认使用 chart 的 appVersion） |
 | `replicaCount`                        | 副本数                        | `1`                                    |
 | `aliyunAuth.regionID`                 | 阿里云区域 ID                 | `""`                                   |
 | `aliyunAuth.accessKeyID`              | AccessKey ID                  | `""`                                   |

deploy/cert-manager-alidns-webhook/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: "v0.1.2"
+appVersion: "0.1.4"
 description: |
   AliDNS Webhook for cert-manager - A cert-manager webhook solver for Alibaba Cloud DNS.
 
@@ -8,7 +8,7 @@ description: |
   ECS instance RAM role, and more via the Alibaba Cloud credentials-go default credential chain.
 
 name: cert-manager-alidns-webhook
-version: 0.1.2
+version: 0.1.4
 keywords:
   - cert-manager
   - alidns

deploy/cert-manager-alidns-webhook/templates/deployment.yaml

@@ -23,7 +23,7 @@ spec:
       serviceAccountName: {{ include "cert-manager-alidns-webhook.fullname" . }}
       containers:
         - name: {{ .Chart.Name }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - --tls-cert-file=/tls/tls.crt

deploy/cert-manager-alidns-webhook/values.yaml

@@ -16,7 +16,7 @@ certManager:
 
 image:
   repository: ghcr.io/crazygit/cert-manager-alidns-webhook
-  tag: latest
+  tag: ""
   pullPolicy: IfNotPresent
 
 nameOverride: ""

scripts/check-version.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CHART_PATH="deploy/cert-manager-alidns-webhook/Chart.yaml"
+
+version_input="${1:-}"
+
+if [[ -n "${version_input}" ]]; then
+  version="${version_input#v}"
+elif [[ -n "${GITHUB_REF_NAME:-}" ]]; then
+  version="${GITHUB_REF_NAME#v}"
+else
+  tag="$(git describe --tags --exact-match 2>/dev/null || true)"
+  if [[ -z "${tag}" ]]; then
+    echo "ERROR: no version provided and no exact git tag found." >&2
+    exit 1
+  fi
+  version="${tag#v}"
+fi
+
+chart_version="$(awk -F: '/^version:/{gsub(/[ "]/,"",$2); print $2; exit}' "${CHART_PATH}")"
+app_version="$(awk -F: '/^appVersion:/{gsub(/[ "]/,"",$2); print $2; exit}' "${CHART_PATH}")"
+
+if [[ "${chart_version}" != "${version}" ]]; then
+  echo "ERROR: Chart version (${chart_version}) != release version (${version})." >&2
+  exit 1
+fi
+
+if [[ "${app_version}" != "${version}" ]]; then
+  echo "ERROR: Chart appVersion (${app_version}) != release version (${version})." >&2
+  exit 1
+fi
+
+echo "OK: version=${version}, chart.version=${chart_version}, chart.appVersion=${app_version}"