feat: update GitHub workflows for Cohere release process

yousef-cohere · yousef-cohere · commit 25ef22d0d29e · 2026-04-17T14:39:50.000-04:00
- Removed GCP authentication steps from the peerpods-chart_image.yaml workflow.
- Added new workflows: publish-cohere-release.yaml for handling semver-tagged releases and publish-cohere.yaml for publishing artifacts on pushes to the cohere branch.
- Updated values.yaml to reflect new image repository and tag for the cloud-api-adaptor and peerpod-ctrl, aligning with the new release strategy.
diff --git a/.github/workflows/peerpods-chart_image.yaml b/.github/workflows/peerpods-chart_image.yaml
@@ -155,25 +155,6 @@ jobs:
             --password-stdin
           echo "Helm authenticated with ghcr.io"
 
-      - name: Authenticate to GCP
-        if: ${{ contains(steps.registry.outputs.registry, 'docker.pkg.dev') }}
-        uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2.1.13
-        with:
-          workload_identity_provider: ${{ vars.GCP_WORKLOAD_IDENTITY_PROVIDER }}
-          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
-
-      - name: Authenticate Helm with Artifact Registry
-        if: ${{ contains(steps.registry.outputs.registry, 'docker.pkg.dev') }}
-        env:
-          REGISTRY: ${{ steps.registry.outputs.registry }}
-        run: |
-          AR_HOST=$(echo "${REGISTRY}" | cut -d'/' -f1)
-          echo "Authenticating Helm with ${AR_HOST}..."
-          gcloud auth print-access-token | helm registry login "${AR_HOST}" \
-            --username oauth2accesstoken \
-            --password-stdin
-          echo "Helm authenticated with ${AR_HOST}"
-
       - name: Update Helm dependencies
         run: |
           echo "Updating Helm dependencies..."
diff --git a/.github/workflows/publish-cohere-release.yaml b/.github/workflows/publish-cohere-release.yaml
@@ -0,0 +1,151 @@
+---
+# Publish semver-tagged Cohere-fork release artifacts to GHCR.
+#
+# Triggered by GitHub Releases targeting the `cohere` branch. The release tag
+# becomes the image/chart tag verbatim, with one normalisation: a leading "v"
+# is stripped for the chart (Helm/OCI requires SemVer with no prefix).
+#
+# Release process:
+#   1. Bump src/cloud-api-adaptor/install/charts/peerpods/Chart.yaml `version`
+#      to the new SemVer (e.g. 0.1.4-cohere.2). Merge to cohere.
+#   2. Create a GitHub Release on the cohere branch with tag `v0.1.4-cohere.2`
+#      (or `0.1.4-cohere.2` — both work). Publishing the release fires this.
+#
+# Tags produced (release `v0.1.4-cohere.2`):
+#   ghcr.io/cohere-ai/cloud-api-adaptor/cloud-api-adaptor:v0.1.4-cohere.2
+#   ghcr.io/cohere-ai/cloud-api-adaptor/peerpod-ctrl:v0.1.4-cohere.2
+#   ghcr.io/cohere-ai/cloud-api-adaptor/charts/peerpods:0.1.4-cohere.2
+#
+# `latest-cohere` is NOT touched — that floats with the cohere branch tip via
+# publish-cohere.yaml. Consumers pin to the semver tag for stable releases.
+name: Publish (cohere release)
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag to (re)publish (e.g. v0.1.4-cohere.2). Must already exist as a git tag on cohere.'
+        required: true
+        type: string
+
+concurrency:
+  group: publish-cohere-release-${{ github.event.release.tag_name || inputs.tag }}
+  cancel-in-progress: false
+
+permissions: {}
+
+env:
+  REGISTRY: ghcr.io/cohere-ai/cloud-api-adaptor
+
+jobs:
+  tags:
+    name: Compute tags
+    runs-on: ubuntu-24.04
+    # Only fire for releases cut from the cohere branch. Manual dispatch always runs.
+    if: >-
+      github.event_name == 'workflow_dispatch' ||
+      github.event.release.target_commitish == 'cohere'
+    outputs:
+      git_ref: ${{ steps.t.outputs.git_ref }}
+      image_tag: ${{ steps.t.outputs.image_tag }}
+      chart_version: ${{ steps.t.outputs.chart_version }}
+    steps:
+      - name: Derive tags from release
+        id: t
+        env:
+          RAW_TAG: ${{ github.event.release.tag_name || inputs.tag }}
+        run: |
+          # Image tags keep the v prefix verbatim; chart strips it (OCI SemVer).
+          chart_version="${RAW_TAG#v}"
+          echo "git_ref=${RAW_TAG}" >> "$GITHUB_OUTPUT"
+          echo "image_tag=${RAW_TAG}" >> "$GITHUB_OUTPUT"
+          echo "chart_version=${chart_version}" >> "$GITHUB_OUTPUT"
+
+  caa:
+    name: Build CAA image (release, amd64)
+    needs: tags
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read   # checkout the release tag
+      packages: write  # push image manifests to GHCR
+    defaults:
+      run:
+        working-directory: src/cloud-api-adaptor
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+          ref: ${{ needs.tags.outputs.git_ref }}
+
+      - name: Read Go version from versions.yaml
+        run: |
+          command -v yq || sudo snap install yq
+          go_version="$(yq '.tools.golang' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: "**/go.sum"
+          cache: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Login to GHCR
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push release image
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
+        env:
+          REGISTRY: ${{ env.REGISTRY }}
+          RELEASE_TAGS: ${{ needs.tags.outputs.image_tag }}
+        with:
+          timeout_minutes: 60
+          retry_wait_seconds: 120
+          max_attempts: 3
+          command: |
+            cd src/cloud-api-adaptor && \
+              ARCHES=linux/amd64 \
+              RELEASE_BUILD=true \
+              RELEASE_TAGS="${RELEASE_TAGS}" \
+              make image registry="${REGISTRY}"
+
+  peerpod-ctrl:
+    name: Build peerpod-ctrl image
+    needs: tags
+    uses: ./.github/workflows/peerpod-ctrl_image.yaml
+    with:
+      registry: ghcr.io/cohere-ai/cloud-api-adaptor
+      git_ref: ${{ needs.tags.outputs.git_ref }}
+      image_tags: ${{ needs.tags.outputs.image_tag }}
+    permissions:
+      contents: read   # passed to reusable workflow for checkout
+      packages: write  # passed to reusable workflow for GHCR push
+    secrets:
+      # See publish-cohere.yaml for why we pass GITHUB_TOKEN to QUAY_PASSWORD.
+      QUAY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+  chart:
+    name: Publish peerpods Helm chart
+    needs: tags
+    uses: ./.github/workflows/peerpods-chart_image.yaml
+    with:
+      git_ref: ${{ needs.tags.outputs.git_ref }}
+      chart_version: ${{ needs.tags.outputs.chart_version }}
+    permissions:
+      contents: read           # checkout the release tag
+      packages: write          # push chart artifact to GHCR
+      id-token: write          # OIDC token for actions/attest sigstore signing
+      attestations: write      # write build provenance attestations
+      artifact-metadata: write # actions/attest writes attestation metadata
diff --git a/.github/workflows/publish-cohere.yaml b/.github/workflows/publish-cohere.yaml
@@ -0,0 +1,143 @@
+---
+# Publish Cohere-fork artifacts to GHCR on every push to `cohere`.
+#
+# Builds the *release* CAA image only (no libvirt); upstream's reusable
+# caa_build_and_push.yaml has a hardcoded matrix that builds dev+release in
+# parallel, so we inline the release path here to avoid wasting an hour of CI
+# on a libvirt build we don't ship. peerpod-ctrl and the chart still call the
+# upstream reusables — they're single-build with no dev variant.
+#
+# Tags produced (push to cohere):
+#   ghcr.io/cohere-ai/cloud-api-adaptor/cloud-api-adaptor:latest-cohere
+#   ghcr.io/cohere-ai/cloud-api-adaptor/cloud-api-adaptor:<12-char-sha>
+#   ghcr.io/cohere-ai/cloud-api-adaptor/peerpod-ctrl:latest-cohere
+#   ghcr.io/cohere-ai/cloud-api-adaptor/peerpod-ctrl:<12-char-sha>
+#   ghcr.io/cohere-ai/cloud-api-adaptor/charts/peerpods:0.0.0-dev-cohere
+#
+# The chart always publishes to the floating `0.0.0-dev-cohere` tag here —
+# mirroring upstream's `0.0.0-dev` convention for main-branch pushes — so we
+# never silently overwrite a real Chart.yaml version. Real SemVer chart tags
+# (e.g. 0.1.4-cohere.2) are produced by publish-cohere-release.yaml on release
+# events and match the GH Release tag, not Chart.yaml on disk at push time.
+name: Publish (cohere)
+
+on:
+  push:
+    branches: [cohere, cohere-release] # TODO: remove cohere-release before merge
+  workflow_dispatch:
+
+concurrency:
+  group: publish-cohere-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions: {}
+
+env:
+  REGISTRY: ghcr.io/cohere-ai/cloud-api-adaptor
+
+jobs:
+  tags:
+    name: Compute tags
+    runs-on: ubuntu-24.04
+    outputs:
+      release_tags: ${{ steps.t.outputs.release_tags }}
+      image_tags: ${{ steps.t.outputs.image_tags }}
+    steps:
+      - name: Derive tag list from commit SHA
+        id: t
+        env:
+          SHA: ${{ github.sha }}
+        run: |
+          short="${SHA:0:12}"
+          echo "release_tags=latest-cohere,${short}" >> "$GITHUB_OUTPUT"
+          echo "image_tags=latest-cohere,${short}" >> "$GITHUB_OUTPUT"
+
+  caa:
+    name: Build CAA image (release, amd64)
+    needs: tags
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read   # checkout the cohere ref
+      packages: write  # push image manifests to GHCR
+    defaults:
+      run:
+        working-directory: src/cloud-api-adaptor
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+          ref: ${{ github.sha }}
+
+      - name: Read Go version from versions.yaml
+        run: |
+          command -v yq || sudo snap install yq
+          go_version="$(yq '.tools.golang' versions.yaml)"
+          [ -n "$go_version" ]
+          echo "GO_VERSION=${go_version}" >> "$GITHUB_ENV"
+
+      - name: Setup Go ${{ env.GO_VERSION }}
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache-dependency-path: "**/go.sum"
+          cache: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+
+      - name: Login to GHCR
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push release image
+        uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0
+        env:
+          REGISTRY: ${{ env.REGISTRY }}
+          RELEASE_TAGS: ${{ needs.tags.outputs.release_tags }}
+        with:
+          timeout_minutes: 60
+          retry_wait_seconds: 120
+          max_attempts: 3
+          command: |
+            cd src/cloud-api-adaptor && \
+              ARCHES=linux/amd64 \
+              RELEASE_BUILD=true \
+              RELEASE_TAGS="${RELEASE_TAGS}" \
+              make image registry="${REGISTRY}"
+
+  peerpod-ctrl:
+    name: Build peerpod-ctrl image
+    needs: tags
+    uses: ./.github/workflows/peerpod-ctrl_image.yaml
+    with:
+      registry: ghcr.io/cohere-ai/cloud-api-adaptor
+      git_ref: ${{ github.sha }}
+      image_tags: ${{ needs.tags.outputs.image_tags }}
+    permissions:
+      contents: read   # passed to reusable workflow for checkout
+      packages: write  # passed to reusable workflow for GHCR push
+    secrets:
+      # QUAY_PASSWORD is required by the reusable workflow's contract. The quay
+      # login step is gated on `startsWith(inputs.registry, 'quay.io')` so this
+      # token is never sent to quay; we pass GITHUB_TOKEN as a harmless dummy.
+      QUAY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+  chart:
+    name: Publish peerpods Helm chart
+    uses: ./.github/workflows/peerpods-chart_image.yaml
+    with:
+      git_ref: ${{ github.sha }}
+      # Floating dev tag — mirrors upstream's `0.0.0-dev` convention for
+      # main-branch pushes. Real SemVer is reserved for release events.
+      chart_version: "0.0.0-dev-cohere"
+    permissions:
+      contents: read           # checkout the cohere ref
+      packages: write          # push chart artifact to GHCR
+      id-token: write          # OIDC token for actions/attest sigstore signing
+      attestations: write      # write build provenance attestations
+      artifact-metadata: write # actions/attest writes attestation metadata
diff --git a/src/cloud-api-adaptor/install/charts/peerpods/values.yaml b/src/cloud-api-adaptor/install/charts/peerpods/values.yaml
