feat: Enhance CI/CD workflows with frontend setup and TestPyPI publishing

Author: a-klos

.github/workflows/build-images.yml

@@ -20,6 +20,16 @@ jobs:
         run: |
           echo "version=$(cat .version)" >> $GITHUB_OUTPUT
 
+      - name: Setup Node (for frontend context)
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install frontend deps (workspace cache for Docker layer cache)
+        working-directory: services/frontend
+        run: |
+          npm ci || true
+
       - name: Login to GHCR
         uses: docker/login-action@v3
         with:
@@ -38,19 +48,32 @@ jobs:
           docker buildx build --push -t ghcr.io/stackitcloud/rag-template/admin-backend:${VERSION} -f services/admin-backend/Dockerfile .
           docker buildx build --push -t ghcr.io/stackitcloud/rag-template/document-extractor:${VERSION} -f services/document-extractor/Dockerfile .
           docker buildx build --push -t ghcr.io/stackitcloud/rag-template/mcp-server:${VERSION} -f services/mcp-server/Dockerfile .
+          # Frontend apps (chat-app and admin-app)
+          docker buildx build --push -t ghcr.io/stackitcloud/rag-template/frontend:${VERSION} -f services/frontend/apps/chat-app/Dockerfile .
+          docker buildx build --push -t ghcr.io/stackitcloud/rag-template/admin-frontend:${VERSION} -f services/frontend/apps/admin-app/Dockerfile .
+
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
 
       - name: Capture image digests
         run: |
           VERSION="${{ steps.ver.outputs.version }}"
           : > image-digests.json
-          for svc in rag-backend admin-backend document-extractor mcp-server; do
-            ref="ghcr.io/stackitcloud/rag-template/${svc}:${VERSION}"
-            digest=$(docker buildx imagetools inspect "$ref" --format '{{json .Manifest.Digest}}' | jq -r .)
+          for ref in \
+            ghcr.io/stackitcloud/rag-template/rag-backend:${VERSION} \
+            ghcr.io/stackitcloud/rag-template/admin-backend:${VERSION} \
+            ghcr.io/stackitcloud/rag-template/document-extractor:${VERSION} \
+            ghcr.io/stackitcloud/rag-template/mcp-server:${VERSION} \
+            ghcr.io/stackitcloud/rag-template/frontend:${VERSION} \
+            ghcr.io/stackitcloud/rag-template/admin-frontend:${VERSION}
+          do
+            svc=$(basename "${ref%:*}")
+            digest=$(docker buildx imagetools inspect "$ref" --format '{{json .Manifest.Digest}}' | jq -r . || true)
             tmp=$(mktemp)
             jq --arg s "$svc" --arg t "$VERSION" --arg d "$digest" \
                '.[$s] = {"tag": $t, "digest": $d}' \
-               image-digests.json > "$tmp"
-            mv "$tmp" image-digests.json
+               image-digests.json > "$tmp" || echo '{}' > image-digests.json
+            mv "$tmp" image-digests.json || true
           done
 
       - name: Upload digests

.github/workflows/prepare-release.yml

@@ -53,14 +53,6 @@ jobs:
         run: |
           pip install poetry==2.1.3
 
-      - name: Re-lock services
-        run: |
-          set -e
-          for svc in services/rag-backend services/admin-backend services/document-extractor; do
-            echo "Locking $svc"
-            (cd "$svc" && poetry lock)
-          done
-
       - name: Update Helm chart versions
         run: |
           pip install pyyaml packaging
@@ -74,13 +66,11 @@ jobs:
           body: |
             Prepare release ${{ steps.semrel.outputs.version }}
             - bump libs and service pins
-            - update poetry.lock
             - update Helm chart appVersion and bump patch
             - add .version
           commit-message: "chore(release): prepare ${{ steps.semrel.outputs.version }}"
           add-paths: |
             .version
             libs/**/pyproject.toml
             services/**/pyproject.toml
-            services/**/poetry.lock
             infrastructure/**/Chart.yaml

.github/workflows/publish-libs-on-merge.yml

@@ -32,14 +32,18 @@ jobs:
         run: |
           pip install poetry==2.1.3
 
-      - name: Build and publish libs to PyPI
+      - name: Configure TestPyPI repository
+        run: |
+          poetry config repositories.testpypi https://test.pypi.org/legacy/
+
+      - name: Build and publish libs to TestPyPI
         env:
-          POETRY_HTTP_BASIC_PYPI_USERNAME: __token__
-          POETRY_HTTP_BASIC_PYPI_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+          POETRY_HTTP_BASIC_TESTPYPI_USERNAME: __token__
+          POETRY_HTTP_BASIC_TESTPYPI_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
         run: |
           set -e
           for lib in libs/*; do
             [ -d "$lib" ] || continue
             echo "Publishing $lib"
-            (cd "$lib" && poetry version "${{ steps.ver.outputs.version }}" && poetry build && poetry publish)
+            (cd "$lib" && poetry version "${{ steps.ver.outputs.version }}" && poetry build && poetry publish -r testpypi)
           done

infrastructure/rag/templates/_admin_frontend_helpers.tpl

@@ -1,7 +1,14 @@
 {{- define "adminFrontend.fullImageName" -}}
 {{- if .Values.adminFrontend.image -}}
     {{- if .Values.adminFrontend.image.repository -}}
-        {{- printf "%s:%s" .Values.adminFrontend.image.repository .Values.adminFrontend.image.tag | trimSuffix ":" }}
+        {{- $repo := .Values.adminFrontend.image.repository -}}
+        {{- $tag := default .Chart.AppVersion .Values.adminFrontend.image.tag -}}
+        {{- $digest := default "" .Values.adminFrontend.image.digest -}}
+        {{- if $digest -}}
+            {{- printf "%s@%s" $repo $digest -}}
+        {{- else -}}
+            {{- printf "%s:%s" $repo $tag -}}
+        {{- end -}}
     {{- else -}}
         {{ required "A valid .Values.adminFrontend.image.repository entry required!" . }}
     {{- end -}}

scripts/bump_chart_versions.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+import argparse
+import pathlib
+import sys
+
+import yaml
+from packaging.version import Version
+
+ROOT = pathlib.Path(__file__).resolve().parents[1]
+
+
+def bump_chart(chart_path: pathlib.Path, app_version: str):
+    data = yaml.safe_load(chart_path.read_text())
+    data['appVersion'] = str(app_version)
+    cv = Version(str(data['version']))
+    # bump patch
+    bumped = Version(f"{cv.major}.{cv.minor}.{cv.micro + 1}")
+    data['version'] = str(bumped)
+    chart_path.write_text(yaml.safe_dump(data, sort_keys=False))
+
+
+def main():
+    p = argparse.ArgumentParser()
+    p.add_argument('--app-version', required=True)
+    args = p.parse_args()
+
+    charts = list((ROOT / 'infrastructure').glob('*/Chart.yaml'))
+    for ch in charts:
+        bump_chart(ch, args.app_version)
+
+
+if __name__ == '__main__':
+    sys.exit(main())

scripts/bump_pyproject_deps.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+import argparse
+import pathlib
+import sys
+from typing import Dict, Any
+
+import tomlkit
+
+ROOT = pathlib.Path(__file__).resolve().parents[1]
+
+LIBS = [
+    (ROOT / 'libs' / 'rag-core-lib' / 'pyproject.toml', 'tool.poetry.version'),
+    (ROOT / 'libs' / 'rag-core-api' / 'pyproject.toml', 'tool.poetry.version'),
+    (ROOT / 'libs' / 'admin-api-lib' / 'pyproject.toml', 'tool.poetry.version'),
+    (ROOT / 'libs' / 'extractor-api-lib' / 'pyproject.toml', 'tool.poetry.version'),
+]
+
+SERVICE_PINS = {
+    ROOT / 'services' / 'rag-backend' / 'pyproject.toml': {
+        'tool.poetry.group.prod.dependencies.rag-core-api': '=={v}',
+        'tool.poetry.group.prod.dependencies.rag-core-lib': '=={v}',
+    },
+    ROOT / 'services' / 'admin-backend' / 'pyproject.toml': {
+        'tool.poetry.group.prod.dependencies.admin-api-lib': '=={v}',
+        'tool.poetry.group.prod.dependencies.rag-core-lib': '=={v}',
+    },
+    ROOT / 'services' / 'document-extractor' / 'pyproject.toml': {
+        'tool.poetry.group.prod.dependencies.extractor-api-lib': '=={v}',
+    },
+}
+
+
+def set_value(doc: tomlkit.TOMLDocument, dotted_path: str, value: Any):
+    parts = dotted_path.split('.')
+    ref: Dict[str, Any] = doc
+    for p in parts[:-1]:
+        if p not in ref or not isinstance(ref[p], dict):
+            ref[p] = tomlkit.table()
+        ref = ref[p]
+    ref[parts[-1]] = value
+
+
+def bump(version: str):
+    # 1) bump libs versions
+    for file, dotted in LIBS:
+        txt = file.read_text()
+        doc = tomlkit.parse(txt)
+        set_value(doc, dotted, version)
+        file.write_text(tomlkit.dumps(doc))
+
+    # 2) bump service pins
+    for file, mapping in SERVICE_PINS.items():
+        txt = file.read_text()
+        doc = tomlkit.parse(txt)
+        for dotted, template in mapping.items():
+            set_value(doc, dotted, template.format(v=version))
+        file.write_text(tomlkit.dumps(doc))
+
+
+def main():
+    ap = argparse.ArgumentParser()
+    ap.add_argument('--version', required=True)
+    args = ap.parse_args()
+    bump(args.version)
+
+
+if __name__ == '__main__':
+    sys.exit(main())

services/admin-backend/Dockerfile

@@ -1,39 +1,26 @@
-FROM --platform=linux/amd64 python:3.13-bookworm AS build
+FROM python:3.13-bookworm AS build
 
-ARG dev=0
 ENV POETRY_VIRTUALENVS_PATH=/app/services/admin-backend/.venv
 ENV VIRTUAL_ENV="${POETRY_VIRTUALENVS_PATH}"
 ENV POETRY_VERSION=2.1.3
 
 RUN DEBIAN_FRONTEND=noninteractive apt-get update \
-    && DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential --no-install-recommends make && \
-    python3 -m venv "${POETRY_VIRTUALENVS_PATH}" \
-      && $POETRY_VIRTUALENVS_PATH/bin/pip install "poetry==${POETRY_VERSION}"
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential --no-install-recommends make \
+    && python3 -m venv "${POETRY_VIRTUALENVS_PATH}" \
+      && ${POETRY_VIRTUALENVS_PATH}/bin/pip install "poetry==${POETRY_VERSION}"
 ENV PATH="${POETRY_VIRTUALENVS_PATH}/bin:$PATH"
 
-COPY libs/admin-api-lib/pyproject.toml libs/admin-api-lib/poetry.lock /app/libs/admin-api-lib/
-COPY libs/rag-core-lib/pyproject.toml libs/rag-core-lib/poetry.lock /app/libs/rag-core-lib/
-
 WORKDIR /app/services/admin-backend
 COPY services/admin-backend/pyproject.toml services/admin-backend/poetry.lock ./
 
-RUN mkdir log && chmod 700 log
-RUN touch /app/services/admin-backend/log/logfile.log && chmod 600 /app/services/admin-backend/log/logfile.log
+RUN mkdir -p log && chmod 700 log \
+    && touch /app/services/admin-backend/log/logfile.log && chmod 600 /app/services/admin-backend/log/logfile.log
 
-RUN poetry config virtualenvs.create false && \
-    cd /app/services/admin-backend && \
-    if [ "$dev" = "1" ]; then \
-        poetry install --no-interaction --no-ansi --no-root --with dev && \
-        cd /app/libs/rag-core-lib && poetry install --no-interaction --no-ansi --no-root --with dev && \
-        cd /app/libs/admin-api-lib && poetry install --no-interaction --no-ansi --no-root --with dev; \
-    else \
-        poetry install --no-interaction --no-ansi --no-root && \
-        cd /app/libs/rag-core-lib && poetry install --no-interaction --no-ansi --no-root && \
-        cd /app/libs/admin-api-lib && poetry install --no-interaction --no-ansi --no-root; \
-    fi
+RUN poetry config virtualenvs.create false \
+    && cd /app/services/admin-backend \
+    && poetry install --no-interaction --no-ansi --no-root --with prod
 
-FROM --platform=linux/amd64 python:3.13-bookworm
-ARG dev=0
+FROM python:3.13-bookworm
 
 WORKDIR /app/services/admin-backend
 
@@ -46,23 +33,14 @@ COPY --from=build /usr/bin/make /usr/bin/make
 COPY --from=build /usr/local/lib/ /usr/local/lib/
 
 # cleanup
-RUN apt-get clean autoclean
-RUN apt-get autoremove --yes
-
-RUN if [ "$dev" = "0" ]; then \
-        while read -r shell; do rm -f "$shell"; done < /etc/shells; \
-        rm -rf /var/lib/{apt,dpkg,cache,log}/; \
-    fi
-
+RUN apt-get clean autoclean && apt-get autoremove --yes \
+    && while read -r shell; do rm -f "$shell"; done < /etc/shells || true \
+    && rm -rf /var/lib/{apt,dpkg,cache,log}/ || true
 
 ENV VIRTUAL_ENV="${POETRY_VIRTUALENVS_PATH}"
 ENV PATH="${POETRY_VIRTUALENVS_PATH}/bin:${PATH}"
-# Ensure libs are importable at runtime without installing them as packages
-ENV PYTHONPATH="/app/services/admin-backend/src:/app/libs/admin-api-lib/src:/app/libs/rag-core-lib/src"
 
 USER nonroot
 
 COPY --chown=nonroot:nonroot services/admin-backend .
 COPY --from=build --chown=nonroot:nonroot  /app/services/admin-backend/log /app/services/admin-backend/log
-COPY --chown=nonroot:nonroot libs/admin-api-lib /app/libs/admin-api-lib
-COPY --chown=nonroot:nonroot libs/rag-core-lib /app/libs/rag-core-lib

services/admin-backend/Dockerfile.dev

@@ -0,0 +1,46 @@
+FROM python:3.13-bookworm
+
+# Dev image: source-based, fast iteration
+ENV POETRY_VIRTUALENVS_PATH=/app/services/admin-backend/.venv
+ENV VIRTUAL_ENV="${POETRY_VIRTUALENVS_PATH}"
+ENV POETRY_VERSION=2.1.3
+
+WORKDIR /app
+
+RUN DEBIAN_FRONTEND=noninteractive apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+       build-essential make \
+    && python3 -m venv "${POETRY_VIRTUALENVS_PATH}" \
+    && ${POETRY_VIRTUALENVS_PATH}/bin/pip install "poetry==${POETRY_VERSION}" \
+    && rm -rf /var/lib/apt/lists/*
+ENV PATH="${POETRY_VIRTUALENVS_PATH}/bin:$PATH"
+
+# Copy lockfiles first for caching
+COPY services/admin-backend/pyproject.toml services/admin-backend/poetry.lock /app/services/admin-backend/
+COPY libs/rag-core-lib/pyproject.toml libs/rag-core-lib/poetry.lock /app/libs/rag-core-lib/
+COPY libs/admin-api-lib/pyproject.toml libs/admin-api-lib/poetry.lock /app/libs/admin-api-lib/
+
+# Install deps (with dev extras) without packaging
+RUN poetry config virtualenvs.create false \
+    && cd /app/services/admin-backend && poetry install --no-interaction --no-ansi --no-root --with dev --without prod \
+    && cd /app/libs/rag-core-lib && poetry install --no-interaction --no-ansi --no-root --with dev \
+    && cd /app/libs/admin-api-lib && poetry install --no-interaction --no-ansi --no-root --with dev
+
+# Create non-root user
+RUN adduser --disabled-password --gecos "" --uid 65532 nonroot
+
+WORKDIR /app/services/admin-backend
+RUN mkdir -p log && chmod 700 log \
+    && touch /app/services/admin-backend/log/logfile.log && chmod 600 /app/services/admin-backend/log/logfile.log
+
+# Ensure importability via PYTHONPATH
+ENV PYTHONPATH="/app/services/admin-backend/src:/app/libs/admin-api-lib/src:/app/libs/rag-core-lib/src"
+
+# Copy sources last
+COPY --chown=nonroot:nonroot services/admin-backend /app/services/admin-backend
+COPY --chown=nonroot:nonroot libs/rag-core-lib /app/libs/rag-core-lib
+COPY --chown=nonroot:nonroot libs/admin-api-lib /app/libs/admin-api-lib
+
+USER nonroot
+
+# Entrypoint handled externally

services/admin-backend/pyproject.toml

@@ -90,3 +90,13 @@ build-backend = "poetry.core.masonry.api"
 
 [tool.poetry.dependencies]
 python = "^3.13"
+
+# Prefer PyPI, but allow resolving from TestPyPI for internal libs
+[[tool.poetry.source]]
+name = "testpypi"
+url = "https://test.pypi.org/simple/"
+priority = "supplemental"
+
+[tool.poetry.group.prod.dependencies]
+admin-api-lib = "==2.2.0"
+rag-core-lib = "==2.2.0"