release: Publish main branch images and charts

[timflannagan]

Description

This modifies the release.yaml workflow and adds the main branch push trigger to publish main branch images and the latest helm chart to ghcr.io.

Related to #10510.

Checklist:

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works

[timflannagan]

I think I'm leaning towards using envsubst and setting the [changelog,release].enabled=false in a single goreleaser config file to avoid drift between the configs, but wanted to get consensus on either approach. See https://github.com/orgs/goreleaser/discussions/3042 for how to do the former.

[lgadban]

So the envsubst approach would be:

• keep a single ~.goreleaser.yaml.tmpl file
• nightly cron will envsubst in false for [changelog,release] -> .goreleaser.yaml
• kick off the release make target with newly build yaml file

is that accurate?

[timflannagan]

Pivoted away from the envsubst approach in favor of publishing a v0.0.0-main tag instead of dynamically setting the changelog and release enabled flags. The prerelease: auto flag treats the v0.0.0-main tag as a prerelease build, so I didn't see a need to maintain two different config files or dynamically render any YAML template files.

[timflannagan]

The alternative is cron schedule expression that fires daily if we're concerned with the free org limits for ghcr.io. In either case, we can figure out the best approach over time. This PR effectively tests whether the release pipeline is working without publishing a real tag.

[timflannagan]

Technically a no-op right now. I was exploring whether I could unset the helm package --version CLI flag, which has validation logic that checks whether --version is a valid semver (i.e. main or latest would fail that versioning), but the issue is that the default Chart.yaml version is hardcoded to v0.0.1 when you package a chart w/o this --version flag set.

[yuval-k]

i think it's ok to have the version be something like 0.0.0-<GIT HASH> given that this is a nightly release

[yuval-k]

nvm - that might mean that the oci storage will grow unbounded

[timflannagan]

i think we'd run into the same unbounded growth with this approach too as we're setting VERSION to be VERSION="${GIT_TAG}-${GIT_SHA}" anytime a new PR merges to main. one option that was discussed was using a third party action to periodically purge ghcr storage (e.g. https://github.com/snok/container-retention-policy).

[timflannagan]

just to clarify too -- we're still planning on mirroring quay's retention policy / auto-pruning images with a label as a follow-up once the release pipeline is fully built out and validated it works.

[timflannagan]

Ended up going with the v0.0.0-main tagging convention to appease helm validation. Seems a bit wonky but sufficient for now.

[timflannagan]

Needed as goreleaser will use the v1.18.x tag by default and we want the v0.0.0-main tag to be used for main branch triggers.

[timflannagan]

See https://goreleaser.com/cookbooks/set-a-custom-git-tag/ for that documentation.

[timflannagan]

Skip the v0.0.0-main tag that the main branch trigger will pump out to avoid running the release pipeline twice.