feat: add release pipeline and harden Dockerfile#59

Merged
vrdc-sap merged 5 commits into
kyma-project:mainfrom
vrdc-sap:vr-add-release-pipeline
May 27, 2026
Conversation

@vrdc-sap (Collaborator) commented May 27, 2026

Description

Changes proposed in this pull request:

  • add release pipeline
  • harden Dockerfile

Related issue(s)
add release pipeline

@vrdc-sap vrdc-sap requested a review from dusglumac May 27, 2026 08:26
@hyperspace-insights (Contributor)
Summary

The following content is AI-generated and provides a summary of the pull request:

⚠️ Warnings:

  • Could not get issue kyma-project/gpu#123. Status: 404 - UnknownObjectException

Add Release Pipeline and Harden Dockerfile

New Feature

🚀 Introduces an automated release pipeline and hardens the Dockerfile with security and build improvements. This enables versioned releases of the GPU operator with auto-generated release notes and install manifests.

Changes

  • .github/workflows/release.yml: New workflow (manual workflow_dispatch) that validates the semver version, creates an annotated git tag, renders install.yaml via make build-installer, generates release notes with changelog and installation instructions, and publishes a GitHub Release with install.yaml and instance.yaml as assets.

  • .github/workflows/image-build-main.yaml: New workflow replacing the removed pr-build-image.yml that builds and pushes the Docker image on pushes to main and on version tags using the shared kyma-project/test-infra image builder.

  • .github/workflows/image-build-pr.yaml: New PR image build workflow with a two-path approach — PRs labeled pr-build-image go through an approval gate before publishing, while unlabeled PRs do a local cache-only build for validation.

  • .github/workflows/pr-build-image.yml: Removed and replaced by the new split workflows above.

  • Dockerfile: Multiple hardening changes:

    • Updated Go builder from golang:1.25 to golang:1.26.3 with explicit --platform=$BUILDPLATFORM.
    • Replaced broad COPY . . with explicit COPY cmd/ api/ internal/ to minimize build context.
    • Enabled FIPS mode via GOFIPS140=v1.0.0 and added -ldflags="-s -w" to strip debug symbols.
    • Added --chown=65532:65532 to the binary copy step.
    • Added ENV GODEBUG=fips140=only,tlsmlkem=0 to enforce FIPS-only TLS at runtime.

  • Makefile: build-installer target now also copies the sample CR to dist/instance.yaml for inclusion in releases.

  • config/default/kustomization.yaml: Uncommented the ../crd resource so CRDs are included in the generated install.yaml.

  • go.mod: Updated Go version from 1.25.3 to 1.26.3.

  • sec-scanners-config.yaml: Added **/test/** exclusion pattern to both mend and checkmarx-one scanner configurations.

PR Bot Information

Version: 1.21.0

@hyperspace-insights (Contributor) Bot left a comment

⚠️ Warnings:

  • Could not get issue kyma-project/gpu#123. Status: 404 - UnknownObjectException

The PR introduces a release pipeline and Dockerfile hardening, but has several significant issues: a shell-injection risk from unquoted workflow_dispatch inputs used throughout the release workflow, a pull_request_target + head-SHA checkout pattern that exposes secrets to untrusted fork code, a race condition where the GitHub Release is published before the container image is guaranteed to be available, heredoc indentation that will corrupt the release notes Markdown, and a potentially unstable FIPS-only runtime configuration on a distroless/static base image that has not been validated for that mode.

PR Bot Information

Version: 1.21.0

  • File Content Strategy: Full file content
  • LLM: anthropic--claude-4.6-sonnet
  • Agent Instructions:
  • Correlation ID: ef7c93bb-f27b-41fe-82f8-e07551557334
  • Event Trigger: pull_request.opened
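The release workflow described in the summary above (validate the semver input, tag, render notes, publish) and three of the points in the review comment (unquoted workflow_dispatch inputs reaching a `run:` script, the release being published before the image exists, and heredoc indentation leaking into the Markdown) in one added shell example. This is not code from the kyma-project/gpu repository or its release.yml; the function names, the `OWNER/REPO` placeholders and the `ghcr.io/...` image name are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from kyma-project/gpu or its release.yml. It shows the
# defensive shape for a workflow_dispatch "version" input: the step passes it
# through an environment variable (env: VERSION: ${{ inputs.version }}) instead
# of interpolating it into the run: script, the script validates it before any
# git/gh command sees it, renders the notes with a flush-left heredoc, and waits
# for the image before publishing. Names and placeholders are this example's.
set -eu

# Strict semver: optional "v", MAJOR.MINOR.PATCH, optional -prerelease suffix.
# Anchored on both ends, so whitespace, quotes, ';', '$(' or backticks never
# pass. Assumed format; a value failing here must abort the job.
SEMVER_RE='^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?$'

validate_semver() {
    printf '%s\n' "$1" | grep -Eq "$SEMVER_RE"
}

# Reads VERSION from the environment (the safe hand-off from the workflow),
# validates it and prints the tag name to use. Returns non-zero on bad input,
# so "tag=$(release_tag)" under set -e stops the job before `git tag -a "$tag"`.
release_tag() {
    local v="${VERSION:-}"
    if ! validate_semver "$v"; then
        printf 'invalid version "%s": expected vMAJOR.MINOR.PATCH\n' "$v" >&2
        return 1
    fi
    case "$v" in v*) printf '%s\n' "$v" ;; *) printf 'v%s\n' "$v" ;; esac
}

# Renders release notes. The heredoc body is flush-left on purpose: `<<-`
# strips leading TABS only, so a body indented with spaces inside a YAML run:
# block reaches the Markdown with those spaces intact (four spaces turn a
# heading into a code block). OWNER/REPO is a placeholder for the repository.
render_notes() {
    local tag="$1" image="$2"
cat <<EOF
## Release ${tag}

Image: \`${image}:${tag}\`

### Install

- \`kubectl apply -f https://github.com/OWNER/REPO/releases/download/${tag}/install.yaml\`
- \`kubectl apply -f https://github.com/OWNER/REPO/releases/download/${tag}/instance.yaml\`
EOF
}

# Polls until CMD succeeds, so `gh release create` runs only after the image
# pushed by the tag-triggered build is actually pullable. In the workflow:
#   wait_for 30 docker manifest inspect "${IMAGE}:${TAG}"
wait_for() {
    local tries="$1"; shift
    local i=0
    while [ "$i" -lt "$tries" ]; do
        if "$@"; then return 0; fi
        i=$((i + 1))
        sleep "${WAIT_SECONDS:-10}"
    done
    return 1
}

# Stand-alone demo: ./release-helpers.sh demo [version]
if [ "${1:-}" = "demo" ]; then
    VERSION="${2:-1.2.3}"
    tag="$(release_tag)"
    render_notes "$tag" "ghcr.io/OWNER/REPO/gpu"
fi
```

In the workflow the only place the raw input should appear is the step's `env:` map; every `run:` line then reads `"$VERSION"` or the validated `"$tag"` with quotes, and the image-wait step sits between the tag push and `gh release create`.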

@vrdc-sap vrdc-sap merged commit a7be326 into kyma-project:main May 27, 2026
8 checks passed
@vrdc-sap vrdc-sap deleted the vr-add-release-pipeline branch May 27, 2026 10:21