feat: release workflow refactor #97

Open: varonix0 wants to merge 4 commits into main from daniel/improve-release-workflow

@varonix0

Member

Refactored the release workflow; it now works like this:

  1. A contributor PR is raised or changes are committed to the existing PR
  2. The validation step will check if the helm changes on the PR match what make helm would generate. If there's a diff, it will fail.
  3. When triggering a new release, it will trust that the helm in main is correct and do both the docker image release + helm release in one go.

Steps to release a new operator release are now:

  1. Merge your PR
  2. Create a new tag/release

That's it, much simpler :-)

@infisical-review-police

💬 Discussion in Slack: #pr-review-kubernetes-operator-97-feat-release-workflow-refactor

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

varonix0 requested a review from mathnogueira June 20, 2026 03:48

@greptile-apps

greptile-apps Bot commented Jun 20, 2026

Greptile Summary

This PR refactors the Kubernetes operator release workflow into a cleaner two-phase model: a PR-time validation step that enforces helm chart correctness, and a single tag-triggered workflow that sequentially publishes the Docker image, runs helm chart tests, and publishes to CloudSmith.

  • New validate-k8-operator-helm.yml: Runs on PRs touching api/**, config/**, helm-charts/**, Makefile, or the helm generation script. It validates the Chart.yaml version (format, version > base branch, version == appVersion), regenerates the chart via make helm, and fails if the committed chart doesn't match the output — ensuring main always has a correct, up-to-date chart.
  • Unified release_docker_k8_operator.yaml: Replaces the old two-step (generate-PR → manual dispatch) flow. On tag push it verifies the chart version matches the tag, pushes the Docker image, calls the reusable helm test workflow, then publishes to CloudSmith. The deprecated set-output command is replaced with $GITHUB_OUTPUT, and contents: write is narrowed to contents: read.
  • run-helm-chart-tests-secret-operator.yml: Gains workflow_call: for reuse from the release workflow and a new full-permissions ct install step that runs before the existing CRD-pre-install + minimal-RBAC install sequence.

Confidence Score: 5/5

Safe to merge — the refactoring simplifies the release path and the new validate workflow correctly enforces chart consistency on PRs.

Both previously flagged issues (the workflow including itself in its own trigger paths, and the missing quote-strip on the release-time chart version check) are addressed. The new validate workflow logic is sound: version format, monotonic bump, and regeneration diff are all checked in the right order. The release workflow correctly sequences docker push → test → helm publish with narrowed permissions.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/validate-k8-operator-helm.yml | New PR-time validation workflow: checks Chart.yaml version format/bump, regenerates helm, and diffs output against committed chart. Trigger paths fixed — the file no longer includes itself. |
| .github/workflows/release_docker_k8_operator.yaml | Unified release workflow: docker push → helm test (reusable workflow) → helm publish. Deprecated set-output fixed, quote-stripping added to chart version check, permissions narrowed to contents:read. |
| .github/workflows/run-helm-chart-tests-secret-operator.yml | Added workflow_call trigger for reuse from release workflow, and a new ct install step with default permissions that runs before the existing CRD-pre-install + minimal-RBAC test sequence. |
| .github/workflows/release-k8-operator-helm.yml | Deleted — old standalone helm release workflow superseded by the unified release_docker_k8_operator.yaml. |

Reviews (2): Last reviewed commit: "Update release_docker_k8_operator.yaml"

Comment thread .github/workflows/validate-k8-operator-helm.yml Outdated
Comment thread .github/workflows/release_docker_k8_operator.yaml Outdated
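
Added example, not part of the PR or the repository's workflows: a POSIX shell version of the chart version gates the summary above describes (version format, version equal to appVersion, version above the base branch, and the quote-stripped tag match at release time). The function names, the plain X.Y.Z format and the rule that the tag equals the chart version are assumptions.

```shell
#!/bin/sh
# Added example (not the repository's workflow code): Chart.yaml version gates.
# Assumed: versions are plain X.Y.Z and a release tag equals the chart version.

# chart_field KEY FILE: top-level scalar with whitespace and quotes stripped,
# so `version: "1.2.3"` and `version: 1.2.3` compare equal.
chart_field() {
  sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 |
    sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

is_semver() {
  printf '%s\n' "$1" | grep -Eq '^(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*)){2}$'
}

# version_gt A B: true when A is strictly greater than B (numeric, per field).
version_gt() (
  IFS=.; set -- $1 $2            # fields: a1 a2 a3 b1 b2 b3
  if   [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
  elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
  else [ "$3" -gt "$6" ]; fi
)

# check_pr_chart PR_CHART BASE_CHART: format, version == appVersion, bump.
check_pr_chart() {
  ver=$(chart_field version "$1"); app=$(chart_field appVersion "$1")
  base=$(chart_field version "$2")
  is_semver "$ver"  || { echo "invalid version '$ver'"; return 1; }
  [ "$ver" = "$app" ] || { echo "version $ver != appVersion $app"; return 1; }
  is_semver "$base" || { echo "invalid base version '$base'"; return 1; }
  version_gt "$ver" "$base" || { echo "version $ver is not above base $base"; return 1; }
  echo "ok $ver"
}

# check_release_tag CHART TAG: the tag being released must match the chart.
check_release_tag() {
  ver=$(chart_field version "$1")
  [ "$ver" = "$2" ] || { echo "tag $2 != chart version $ver"; return 1; }
  echo "ok $ver"
}

# Constructed sample charts (not from the repository).
demo_dir=$(mktemp -d)
printf 'name: demo\nversion: "0.10.0"\nappVersion: "0.10.0"\n' > "$demo_dir/pr.yaml"
printf 'name: demo\nversion: 0.9.3\nappVersion: 0.9.3\n' > "$demo_dir/base.yaml"
check_pr_chart "$demo_dir/pr.yaml" "$demo_dir/base.yaml"   # numeric compare, not lexical
check_release_tag "$demo_dir/pr.yaml" 0.10.0
```

The sample pair is chosen so that a plain string comparison would order 0.10.0 below 0.9.3 and wrongly reject the bump.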
@varonix0

Member Author

@greptile re-review my PR with my latest commits in mind, as they address your previous comments. also update the summary you posted earlier when you're done with the re-review
