feat!: upgrade frontends and helm chart; automate release & image workflows

### Adjusted PR summary (Release/v4 / #209)

This PR is primarily a **release-automation & deployment refactor**, but it also contains **real runtime-facing breaking changes** (Helm chart + local env + frontend deps).

#### What changed

* **CI/CD & release automation was split into multiple dedicated GitHub Actions workflows**

  * Adds workflows for *prepare release*, *create release/tag*, *publish libs*, *build/push images*, and *publish/bump Helm chart*, plus **label-based gating** to avoid running the “normal” CI during automated release PRs. ([GitHub][1])

* **Helm chart: secret handling was refactored (breaking for chart consumers)**

  * Secrets are now modeled more granularly (separate user/pass or API key fields) and can be referenced via `secretKeyRef` in values/templates; helper logic resolves secret names differently than before. This affects backend/admin deployments and ingress auth. ([GitHub][1])

* **Local/dev config: `.env.template` auth variables were reorganized**

  * Auth envs were split/clarified between frontend vs backend and redundant frontend auth vars were removed → local setups (and any automation that reads `.env`) may need updates. ([GitHub][1])

* **Frontend: major dependency upgrades + branding/theming guidance**

  * The PR includes a commit explicitly doing **major version updates of the frontends**. ([GitHub][1])
  * The repo docs now point readers to a **UI Customization Guide** for “branding, theming, and logo configuration,” which is a strong signal that the frontend update impacts branding/theming workflows. ([GitHub][2])
  * If this upgrade includes daisyUI v5 / Tailwind v4 (as you noted), that’s commonly associated with **config/theming approach changes** (daisyUI 5 is Tailwind 4–aligned and moves plugin usage into CSS via `@plugin`). ([daisyui.com][3])

* **Feature carried through backend + admin frontend: `continue_on_failure` for sitemap uploads**

  * Adds an option (incl. an admin UI checkbox) to continue crawling even if some pages fail. ([GitHub][1])

#### Breaking changes (callout)

* **Breaking for Helm chart consumers**: values/schema for secrets and how they’re wired into templates changed (expect `values.yaml` updates). ([GitHub][1])
* **Breaking for local env / deployments using `.env.template`**: renamed/restructured auth variables. ([GitHub][1])
* **Breaking for the frontend service**: major dependency upgrades can change UI appearance and theming/branding integration; the repo now explicitly documents branding/theming/logo customization, and daisyUI 5 / Tailwind 4 upgrades commonly imply theming/config changes. ([GitHub][1])

[1]: #209 "Release/v4 by a-klos · Pull Request #209 · stackitcloud/rag-template · GitHub"
[2]: https://github.com/stackitcloud/rag-template "GitHub - stackitcloud/rag-template: Template for AI chatbots & document management using Retrieval-Augmented Generation with vector search and FastAPI."
[3]: https://daisyui.com/docs/upgrade/?lang=en&utm_source=chatgpt.com "daisyUI 5 upgrade guide"

Author: a-klos

.dockerignore

@@ -1,23 +1,20 @@
 */.gitignore
-# Ignore node_modules directory
-frontend/node_modules/
 
-frontend/.nx/cache/
+# Node/Nx artifacts (keep build contexts small)
+**/node_modules
+**/.nx
 
-# Ignore package-lock.json or yarn.lock file
-frontend/package-lock.json
-frontend/yarn.lock
+# Frontend build outputs and logs
+services/frontend/dist
+services/frontend/tmp
+services/frontend/coverage
+services/frontend/apps/*/dist
+services/frontend/*.log
 
-# Ignore any build artifacts or compiled files
-frontend/dist/
-frontend/build/
-frontend/*.log
-
-# Ignore python envs and compiled python files
+# Python envs and compiled python files
 */venv
 */.venv
 */.env
 */*.pyc
 
-
 **/.notebooks

.env.template

@@ -10,7 +10,9 @@ S3_SECRET_ACCESS_KEY=your_s3_secret_key_here
 # =============================================================================
 # Basic Authentication (Required)
 # =============================================================================
-BASIC_AUTH="foo:$apr1$ryE0iE7H$F2SlPDNoFdGoaHrcla2HL/"
+# Used for backend/admin endpoints and reused by the frontend's auth prompt.
+BASIC_AUTH_USER=foo
+BASIC_AUTH_PASSWORD=bar
 
 # =============================================================================
 # Langfuse Configuration (Required for observability)
@@ -27,12 +29,6 @@ LANGFUSE_INIT_USER_EMAIL="user@stackit.cloud"
 LANGFUSE_INIT_USER_NAME="stackiteer"
 LANGFUSE_INIT_USER_PASSWORD="stackit123"
 
-# =============================================================================
-# Frontend Authentication (Required)
-# =============================================================================
-VITE_AUTH_USERNAME=foo
-VITE_AUTH_PASSWORD=bar
-
 # =============================================================================
 # LLM Provider API Keys (Choose one or more)
 # =============================================================================

.github/workflows/build-images.yml

@@ -0,0 +1,110 @@
+name: build-images
+run-name: build-images ${{ github.event.release.tag_name }}
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  prepare:
+    if: ${{ github.event_name == 'release' }}
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.release_tag.outputs.tag }}
+      version: ${{ steps.release_tag.outputs.version }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Resolve release tag & version
+        id: release_tag
+        run: |
+          git fetch --tags --force
+          TAG="${{ github.event.release.tag_name }}"
+          if [ -z "$TAG" ]; then
+            echo "No Git tag found to check out" >&2
+            exit 1
+          fi
+          VER_NO_V="${TAG#v}"
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
+          echo "version=$VER_NO_V" >> $GITHUB_OUTPUT
+
+  build-image:
+    needs: prepare
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: rag-backend
+            dockerfile: services/rag-backend/Dockerfile
+          - name: admin-backend
+            dockerfile: services/admin-backend/Dockerfile
+          - name: document-extractor
+            dockerfile: services/document-extractor/Dockerfile
+          - name: mcp-server
+            dockerfile: services/mcp-server/Dockerfile
+          - name: frontend
+            dockerfile: services/frontend/apps/chat-app/Dockerfile
+          - name: admin-frontend
+            dockerfile: services/frontend/apps/admin-app/Dockerfile
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NS: ${{ github.repository }}
+      VERSION: ${{ needs.prepare.outputs.version }}
+      TAG: ${{ needs.prepare.outputs.tag }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Checkout release tag
+        run: git checkout "$TAG"
+      - name: Normalize IMAGE_NS to lowercase
+        run: echo "IMAGE_NS=$(echo '${{ env.IMAGE_NS }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.PR_AUTOMATION_TOKEN }}
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build & push ${{ matrix.name }}
+        run: |
+          docker buildx build --push \
+            -t "$REGISTRY/$IMAGE_NS/${{ matrix.name }}:${VERSION}" \
+            -t "$REGISTRY/$IMAGE_NS/${{ matrix.name }}:latest" \
+            -f "${{ matrix.dockerfile }}" .
+      - name: Capture digest
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          ref="$REGISTRY/$IMAGE_NS/${{ matrix.name }}:${VERSION}"
+          digest=$(docker buildx imagetools inspect "$ref" --format '{{json .Manifest.Digest}}' | jq -r . || true)
+          jq -n --arg name "${{ matrix.name }}" --arg tag "$VERSION" --arg digest "$digest" '{($name): {tag: $tag, digest: $digest}}' > digest.json
+      - name: Upload digest artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-digest-${{ matrix.name }}
+          path: digest.json
+
+  collect-digests:
+    needs: [build-image]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download digest artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: image-digest-*
+          merge-multiple: false
+      - name: Merge digests
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          jq -s 'reduce .[] as $item ({}; . * $item)' image-digest-*/digest.json > image-digests.json
+      - name: Upload merged digests
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-digests
+          path: image-digests.json

.github/workflows/bump-chart-version.yml

@@ -0,0 +1,59 @@
+name: bump-chart-version
+on:
+  workflow_dispatch:
+    inputs:
+      chart_version:
+        description: "Chart version to set (does not touch appVersion)"
+        required: true
+        type: string
+      ref:
+        description: "Git ref to bump (default: main)"
+        required: false
+        type: string
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  bump:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.ref || 'main' }}
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install deps
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install "packaging==25.0" "ruamel.yaml==0.18.6"
+
+      - name: Bump chart version only
+        env:
+          CHART_VERSION: ${{ inputs.chart_version }}
+        run: |
+          if [ -z "${CHART_VERSION}" ]; then
+            echo "chart_version input is required" >&2
+            exit 1
+          fi
+          python tools/bump_chart_versions.py --mode chart-only --chart-version "$CHART_VERSION"
+
+      - name: Open PR for chart version bump
+        uses: peter-evans/create-pull-request@v6
+        with:
+          base: main
+          branch: chore/chart-bump-${{ inputs.chart_version }}
+          title: "chore(release): bump chart version to ${{ inputs.chart_version }}"
+          body: |
+            Bump Chart.yaml version to ${{ inputs.chart_version }} (appVersion unchanged).
+          commit-message: "chore(release): bump chart version to ${{ inputs.chart_version }}"
+          add-paths: |
+            infrastructure/**/Chart.yaml
+          token: ${{ secrets.PR_AUTOMATION_TOKEN }}
+          labels: chart-bump

.github/workflows/create-release.yml

@@ -0,0 +1,68 @@
+name: create-release
+on:
+  pull_request_target:
+    types: [closed]
+    branches: [main]
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    if: >-
+      ${{
+        github.event.pull_request.merged == true &&
+        contains(github.event.pull_request.labels.*.name, 'refresh-locks')
+      }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.PR_AUTOMATION_TOKEN }}
+
+      - name: Derive version from PR title
+        id: ver
+        run: |
+          TITLE="${{ github.event.pull_request.title }}"
+          VERSION=$(echo "$TITLE" | sed -nE 's/.*([0-9]+\.[0-9]+\.[0-9]+(\.post[0-9]+)?).*/\1/p' || true)
+          if [ -z "$VERSION" ]; then
+            echo "Could not extract version from PR title: $TITLE" >&2
+            exit 1
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Verify appVersion matches release version (clean semver)
+        env:
+          RELEASE_VERSION: ${{ steps.ver.outputs.version }}
+        run: |
+          if echo "$RELEASE_VERSION" | grep -q '\.post'; then
+            echo "Release version must be clean semver (no .post): $RELEASE_VERSION" >&2
+            exit 1
+          fi
+          APP_VERSION=$(awk '/^appVersion:/ {print $2}' infrastructure/rag/Chart.yaml | tr -d "\"'")
+          if [ -z "$APP_VERSION" ]; then
+            echo "Could not read appVersion from infrastructure/rag/Chart.yaml" >&2
+            exit 1
+          fi
+          NORMALIZED_APP_VERSION="${APP_VERSION#v}"
+          NORMALIZED_APP_VERSION="${NORMALIZED_APP_VERSION#V}"
+          if [ "$NORMALIZED_APP_VERSION" != "$RELEASE_VERSION" ]; then
+            echo "Chart appVersion ($APP_VERSION) does not match release version ($RELEASE_VERSION)" >&2
+            exit 1
+          fi
+
+      - name: Create Git tag
+        run: |
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
+          git tag -a "v${{ steps.ver.outputs.version }}" -m "Release v${{ steps.ver.outputs.version }}"
+          git push origin "v${{ steps.ver.outputs.version }}"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.ver.outputs.version }}
+          name: v${{ steps.ver.outputs.version }}
+          generate_release_notes: true
+          token: ${{ secrets.PR_AUTOMATION_TOKEN }}

.github/workflows/lint-and-test.yml

@@ -12,6 +12,12 @@ env:
 
 jobs:
   changes:
+    if: >-
+      ${{
+        !contains(github.event.pull_request.labels.*.name, 'prepare-release') &&
+        !contains(github.event.pull_request.labels.*.name, 'refresh-locks') &&
+        !contains(github.event.pull_request.labels.*.name, 'chart-bump')
+      }}
     name: Detect Changes
     runs-on: ubuntu-latest
     outputs:
@@ -27,7 +33,7 @@ jobs:
 
       - name: Detect changes
         id: changes
-        uses: dorny/paths-filter@v2
+        uses: dorny/paths-filter@v3
         with:
           filters: |
             services:
@@ -81,7 +87,7 @@ jobs:
 
       - name: Build Docker image
         run: |
-          docker build -t $IMAGE_NAME --build-arg dev=1 -f services/${{ matrix.service }}/Dockerfile .
+          docker build -t $IMAGE_NAME -f services/${{ matrix.service }}/Dockerfile.dev .
 
       - name: Run linting
         run: |
@@ -104,15 +110,16 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Set Docker Image Names
+      - name: Set Docker Image Name
         run: |
           echo "LINT_IMAGE_NAME=${{ matrix.library }}-lint:${{ needs.sanitize-branch-name.outputs.sanitized_ref }}-${{ github.run_number }}" >> $GITHUB_ENV
           echo "TEST_IMAGE_NAME=${{ matrix.library }}-test:${{ needs.sanitize-branch-name.outputs.sanitized_ref }}-${{ github.run_number }}" >> $GITHUB_ENV
         shell: bash
 
       - name: Build lint image
         run: |
-          docker build -t $LINT_IMAGE_NAME --build-arg TEST=0 -f libs/Dockerfile libs
+          docker build -t $LINT_IMAGE_NAME --build-arg DIRECTORY=${{ matrix.library }} --build-arg TEST=0 -f libs/Dockerfile libs
+
 
       - name: Run linting
         run: |