feat: Implement CI/CD workflows for release automation

- Add build-images.yml to build and push Docker images after library publishing.
- Create create-release.yml to tag and release new versions on GitHub.
- Introduce deploy-prod.yml for deploying applications to production using Helm.
- Add prepare-release.yml for preparing release PRs and version bumps.
- Implement publish-chart.yml to package and publish Helm charts on release.
- Add publish-libs-on-merge.yml to publish libraries to PyPI on main branch merges.
- Update Tiltfile to support separate Dockerfiles for development and production.
- Document migration plan for Dockerfile split in dev-prod-docker-split-plan.md.
- Enhance release automation documentation in release-automation.md.
- Update Helm templates to support image digest pinning and environment variable configuration.
- Modify values.yaml to allow empty tags and optional digests for image pinning.

Author: a-klos

.github/workflows/build-images.yml

@@ -0,0 +1,60 @@
+name: build-images
+on:
+  workflow_run:
+    workflows: [publish-libs-on-merge]
+    types: [completed]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Read version
+        id: ver
+        run: |
+          echo "version=$(cat .version)" >> $GITHUB_OUTPUT
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push images
+        run: |
+          set -e
+          VERSION="${{ steps.ver.outputs.version }}"
+          docker buildx build --push -t ghcr.io/stackitcloud/rag-template/rag-backend:${VERSION} -f services/rag-backend/Dockerfile .
+          docker buildx build --push -t ghcr.io/stackitcloud/rag-template/admin-backend:${VERSION} -f services/admin-backend/Dockerfile .
+          docker buildx build --push -t ghcr.io/stackitcloud/rag-template/document-extractor:${VERSION} -f services/document-extractor/Dockerfile .
+          docker buildx build --push -t ghcr.io/stackitcloud/rag-template/mcp-server:${VERSION} -f services/mcp-server/Dockerfile .
+
+      - name: Capture image digests
+        run: |
+          VERSION="${{ steps.ver.outputs.version }}"
+          : > image-digests.json
+          for svc in rag-backend admin-backend document-extractor mcp-server; do
+            ref="ghcr.io/stackitcloud/rag-template/${svc}:${VERSION}"
+            digest=$(docker buildx imagetools inspect "$ref" --format '{{json .Manifest.Digest}}' | jq -r .)
+            tmp=$(mktemp)
+            jq --arg s "$svc" --arg t "$VERSION" --arg d "$digest" \
+               '.[$s] = {"tag": $t, "digest": $d}' \
+               image-digests.json > "$tmp"
+            mv "$tmp" image-digests.json
+          done
+
+      - name: Upload digests
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-digests
+          path: image-digests.json

.github/workflows/create-release.yml

@@ -0,0 +1,34 @@
+name: create-release
+on:
+  workflow_run:
+    workflows: [build-images]
+    types: [completed]
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Read version
+        id: ver
+        run: |
+          echo "version=$(cat .version)" >> $GITHUB_OUTPUT
+
+      - name: Create Git tag
+        run: |
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
+          git tag -a "v${{ steps.ver.outputs.version }}" -m "Release v${{ steps.ver.outputs.version }}"
+          git push origin "v${{ steps.ver.outputs.version }}"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+            tag_name: v${{ steps.ver.outputs.version }}
+            name: v${{ steps.ver.outputs.version }}
+            generate_release_notes: true

.github/workflows/deploy-prod.yml

@@ -0,0 +1,90 @@
+name: deploy-prod
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "App version to deploy (e.g. 2.2.0)"
+        required: true
+        type: string
+      release_name:
+        description: "Helm release name"
+        required: true
+        default: "rag"
+        type: string
+      namespace:
+        description: "Kubernetes namespace"
+        required: true
+        default: "rag"
+        type: string
+      chart_path:
+        description: "Path to Helm chart"
+        required: true
+        default: "infrastructure/rag"
+        type: string
+
+permissions:
+  contents: read
+  packages: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+
+      - name: Set kubeconfig
+        env:
+          KUBE_CONFIG: ${{ secrets.KUBE_CONFIG }}
+        run: |
+          test -n "$KUBE_CONFIG" || { echo "KUBE_CONFIG secret is required"; exit 1; }
+          mkdir -p "$HOME/.kube"
+          echo "$KUBE_CONFIG" > "$HOME/.kube/config"
+          chmod 600 "$HOME/.kube/config"
+
+      - name: Login to GHCR (for image inspect)
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Buildx (for imagetools)
+        uses: docker/setup-buildx-action@v3
+
+      - name: Resolve image digests
+        id: digests
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+          backend_ref="ghcr.io/stackitcloud/rag-template/rag-backend:${VERSION}"
+          admin_ref="ghcr.io/stackitcloud/rag-template/admin-backend:${VERSION}"
+          extractor_ref="ghcr.io/stackitcloud/rag-template/document-extractor:${VERSION}"
+          mcp_ref="ghcr.io/stackitcloud/rag-template/mcp-server:${VERSION}"
+          frontend_ref="ghcr.io/stackitcloud/rag-template/frontend:${VERSION}"
+
+          echo "backend=$(docker buildx imagetools inspect "$backend_ref" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"
+          echo "admin=$(docker buildx imagetools inspect "$admin_ref" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"
+          echo "extractor=$(docker buildx imagetools inspect "$extractor_ref" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"
+          echo "mcp=$(docker buildx imagetools inspect "$mcp_ref" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"
+          echo "frontend=$(docker buildx imagetools inspect "$frontend_ref" --format '{{.Manifest.Digest}}')" >> "$GITHUB_OUTPUT"
+
+      - name: Helm upgrade
+        env:
+          RELEASE: ${{ inputs.release_name }}
+          NAMESPACE: ${{ inputs.namespace }}
+          CHART_PATH: ${{ inputs.chart_path }}
+        run: |
+          set -euo pipefail
+          helm upgrade --install "$RELEASE" "$CHART_PATH" \
+            --namespace "$NAMESPACE" --create-namespace \
+            --set backend.image.digest='${{ steps.digests.outputs.backend }}' \
+            --set adminBackend.image.digest='${{ steps.digests.outputs.admin }}' \
+            --set extractor.image.digest='${{ steps.digests.outputs.extractor }}' \
+            --set backend.mcp.image.digest='${{ steps.digests.outputs.mcp }}' \
+            --set frontend.image.digest='${{ steps.digests.outputs.frontend }}'

.github/workflows/prepare-release.yml

@@ -0,0 +1,86 @@
+name: prepare-release
+on:
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+  pull-requests: write
+
+concurrency:
+  group: release
+  cancel-in-progress: true
+
+jobs:
+  prepare:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install semantic-release deps
+        run: |
+          npm ci
+
+      - name: Compute next version (dry-run)
+        id: semrel
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          npx semantic-release --dry-run --no-ci | tee semrel.log
+          VERSION=$(grep -Eo "next release version is [0-9]+\.[0-9]+\.[0-9]+" semrel.log | awk '{print $5}')
+          if [ -z "$VERSION" ]; then echo "No new release required"; exit 1; fi
+          echo "$VERSION" > .version
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Bump libs and service pins
+        run: |
+          python -m pip install --upgrade pip
+          pip install tomlkit
+          python scripts/bump_pyproject_deps.py --version "${{ steps.semrel.outputs.version }}"
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install Poetry
+        run: |
+          pip install poetry==2.1.3
+
+      - name: Re-lock services
+        run: |
+          set -e
+          for svc in services/rag-backend services/admin-backend services/document-extractor; do
+            echo "Locking $svc"
+            (cd "$svc" && poetry lock)
+          done
+
+      - name: Update Helm chart versions
+        run: |
+          pip install pyyaml packaging
+          python scripts/bump_chart_versions.py --app-version "${{ steps.semrel.outputs.version }}"
+
+      - name: Commit and open PR
+        uses: peter-evans/create-pull-request@v6
+        with:
+          branch: chore/release-${{ steps.semrel.outputs.version }}
+          title: "chore(release): prepare ${{ steps.semrel.outputs.version }}"
+          body: |
+            Prepare release ${{ steps.semrel.outputs.version }}
+            - bump libs and service pins
+            - update poetry.lock
+            - update Helm chart appVersion and bump patch
+            - add .version
+          commit-message: "chore(release): prepare ${{ steps.semrel.outputs.version }}"
+          add-paths: |
+            .version
+            libs/**/pyproject.toml
+            services/**/pyproject.toml
+            services/**/poetry.lock
+            infrastructure/**/Chart.yaml

.github/workflows/publish-chart.yml

@@ -0,0 +1,33 @@
+name: publish-chart
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  chart:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Helm
+        uses: azure/setup-helm@v4
+
+      - name: Login to GHCR for Helm OCI
+        run: echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Package and push chart(s)
+        run: |
+          set -e
+          for chart in infrastructure/*/Chart.yaml; do
+            chart_dir=$(dirname "$chart")
+            helm dependency update "$chart_dir" || true
+            helm package "$chart_dir" --destination .
+          done
+          for tgz in *.tgz; do
+            name=$(basename "$tgz" .tgz)
+            helm push "$tgz" oci://ghcr.io/${{ github.repository_owner }}/charts
+          done

.github/workflows/publish-libs-on-merge.yml

@@ -0,0 +1,45 @@
+name: publish-libs-on-merge
+on:
+  push:
+    branches: [main]
+    paths:
+      - '.version'
+      - 'libs/**'
+      - 'services/**/pyproject.toml'
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Read version
+        id: ver
+        run: |
+          VERSION=$(cat .version)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install Poetry
+        run: |
+          pip install poetry==2.1.3
+
+      - name: Build and publish libs to PyPI
+        env:
+          POETRY_HTTP_BASIC_PYPI_USERNAME: __token__
+          POETRY_HTTP_BASIC_PYPI_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+        run: |
+          set -e
+          for lib in libs/*; do
+            [ -d "$lib" ] || continue
+            echo "Publishing $lib"
+            (cd "$lib" && poetry version "${{ steps.ver.outputs.version }}" && poetry build && poetry publish)
+          done