freiheit-com · sven-urbanski-freiheit-com · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026 · Feb 6, 2026
@@ -31,9 +31,9 @@ jobs:
     uses: ./.github/workflows/release.yml
     secrets: inherit
 
-  trivy-scan:
-    needs: [execution-plan]
-    uses: ./.github/workflows/trivy-scan.yml
-    with:
-      trigger: main
-    secrets: inherit
+#  trivy-scan:
+#    needs: [execution-plan]
+#    uses: ./.github/workflows/trivy-scan.yml
+#    with:
+#      trigger: main
+#    secrets: inherit
@@ -6,6 +6,10 @@ on:
         required: true
         type: string
         description: "The trigger which calls the workflow, one of [pull-request, main, tag]"
+      ref:
+        required: true
+        type: string
+        description: "with the starting 'v'"
 
 jobs:
   execution_plan:
@@ -15,6 +19,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: "${{ inputs.ref }}"
       - uses: google-github-actions/auth@v2
         name: "Authenticate to Google Cloud"
         with:
@@ -79,6 +84,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: "${{ inputs.ref }}"
       - name: Set version pr/main
         if: inputs.trigger == 'pull-request' || inputs.trigger == 'main'
         run: |
@@ -141,6 +147,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          ref: "${{ inputs.ref }}"
       - name: Install Buf
         uses: bufbuild/buf-action@v1
         with:

@@ -5,93 +5,67 @@ on:
       ref:
         required: true
         type: string
+        description: "omit the starting 'v'"
 
 jobs:
+#  execution-plan:
+#    uses: ./.github/workflows/execution-plan-snippet.yml
+#    with:
+#      trigger: main
+#      ref: "v${{ github.event.inputs.ref }}"
+#    secrets: inherit
+
+#  integration-tests:
+#    needs: [execution-plan]
+#    uses: ./.github/workflows/integration-tests.yml
+#    with:
+#      trigger: main
+#    secrets: inherit
+
   release:
+#    needs: [ execution-plan ]
     name: Release kuberpult with semantic versioning
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # needed for git describe/VERSION in Makefile
-          ref: "${{ github.event.inputs.ref }}"
+          ref: "v${{ github.event.inputs.ref }}"
 
       - name: Output the Ref Parameter
         run: |
-          echo "The provided ref is: ${{ github.event.inputs.ref }}"
+          echo "The provided ref is: v${{ github.event.inputs.ref }}"
           echo "The current checked-out SHA is: $(git rev-parse HEAD)"
 
-#      - name: Identify version to create
-#        uses: go-semantic-release/action@v1
-#        id: new-semrel-version
-#        with:
-#          dry: true
-#          ghr: true
-#          github-token: ${{ secrets.GITHUB_TOKEN }}
-#      - name: Run helm chart tests
-#        run: |
-#          make -C charts/kuberpult test-helm
-#      - name: Create helm chart for release
-#        run: |
-#          make -C charts/kuberpult release-tag VERSION=v${{ steps.new-semrel-version.outputs.version }}
-#      - name: Authenticate to Google Cloud
-#        uses: google-github-actions/auth@v2
-#        with:
-#            credentials_json: '${{ secrets.FDC_DEV_ENV_CI_IMAGE_READER }}'
-#            create_credentials_file: true
-#            export_environment_variables: true
-#      - name: Login to Google Artifact Registry
-#        uses: docker/login-action@v3
-#        with:
-#          registry: europe-west3-docker.pkg.dev
-#          username: _json_key
-#          password: ${{ secrets.GCP_ARTIFACT_REGISTRY_PUSH_JSON_KEY }}
-#      - name: Re-tag service images with release version for google docker registry
-#        run: |
-#          echo 'If this step fails, ensure that the main github action is done. We rely on it to get the docker images.'
-#          git fetch --tags # this should have been done by the checkout action before.
-#          make tag-release-images RELEASE_IMAGE_TAG=v$RELEASE_IMAGE_VERSION
-#        env:
-#          RELEASE_IMAGE_VERSION: ${{ steps.new-semrel-version.outputs.version }}
-#      - name: Re-tag CLI service image with release version for google docker registry
-#        run: |
-#          echo 'If this step fails, ensure that the main github action is done. We rely on it to get the docker images.'
-#          git fetch --tags # this should have been done by the checkout action before.
-#          make tag-cli-release-image RELEASE_IMAGE_TAG=v$RELEASE_IMAGE_VERSION
-#        env:
-#          RELEASE_IMAGE_VERSION: ${{ steps.new-semrel-version.outputs.version }}
-#      - name: Create release
-#        uses: go-semantic-release/action@v1
-#        id: semrel
-#        with:
-#          github-token: ${{ secrets.GITHUB_TOKEN }}
-#          changelog-generator-opt: "emojis=true"
-#          # By default, every release is a "pre-release" from now on.
-#          # Setting this flag to true will happen manually (after testing).
-#          prerelease: true
-#      - name: Append helm chart to release
-#        run: |
-#          echo $VERSION
-#          gh release upload v$VERSION charts/kuberpult/kuberpult-v$VERSION.tgz
-#        env:
-#          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-#          VERSION: ${{ steps.semrel.outputs.version }}
-#      - name: Append postgres migrations to release
-#        run: |
-#          cd database/migrations
-#          tar -czhf postgres_migrations.tar.gz postgres/
-#          gh release upload v$VERSION ./postgres_migrations.tar.gz
-#        env:
-#          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-#          VERSION: ${{ steps.semrel.outputs.version }}
-#      - name: Append vulnerability reports to release
-#        run: |
-#          echo $VERSION
-#          GCP_CREDENTIALS_PATH=$GOOGLE_APPLICATION_CREDENTIALS VERSION=v${VERSION} make -C trivy scan-all
-#          gh release upload v$VERSION trivy/kuberpult-v${VERSION}-reports.tar.gz
-#        env:
-#          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-#          VERSION: ${{ steps.semrel.outputs.version }}
-#      - name: Renovate standard-setup dev-env
-#        run: |
-#          curl -X POST -H "Content-type: application/json" "${{ format('https://cloudbuild.googleapis.com/v1/projects/fdc-standard-setup-dev-env/locations/europe-west1/triggers/fdc-standard-setup-dev-env-upgrade-dependencies-trigger:webhook?key={0}&secret={1}&trigger=fdc-standard-setup-dev-env-upgrade-dependencies-trigger&projectId=fdc-standard-setup-dev-env', secrets.DEV_ENV_CLOUD_BUILD_API_KEY, secrets.DEV_ENV_RENOVATE_WEBHOOK_KEY) }}" -d "{}"
+      - name: Run helm chart tests
+        run: |
+          make -C charts/kuberpult test-helm
+      - name: Create helm chart for release
+        run: |
+          make -C charts/kuberpult release-tag VERSION=v${{ github.event.inputs.ref }}
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+            credentials_json: '${{ secrets.FDC_DEV_ENV_CI_IMAGE_READER }}'
+            create_credentials_file: true
+            export_environment_variables: true
+      - name: Login to Google Artifact Registry
+        uses: docker/login-action@v3
+        with:
+          registry: europe-west3-docker.pkg.dev
+          username: _json_key
+          password: ${{ secrets.GCP_ARTIFACT_REGISTRY_PUSH_JSON_KEY }}
+      - name: Re-tag service images with release version for google docker registry
+        run: |
+          echo 'If this step fails, ensure that the main github action is done. We rely on it to get the docker images.'
+          git fetch --tags # this should have been done by the checkout action before.
+          make tag-release-images RELEASE_IMAGE_TAG=v$RELEASE_IMAGE_VERSION
+        env:
+          RELEASE_IMAGE_VERSION: "${{ github.event.inputs.ref }}"
+      - name: Re-tag CLI service image with release version for google docker registry
+        run: |
+          echo 'If this step fails, ensure that the main github action is done. We rely on it to get the docker images.'
+          git fetch --tags # this should have been done by the checkout action before.
+          make tag-cli-release-image RELEASE_IMAGE_TAG=v$RELEASE_IMAGE_VERSION
+        env:
+          RELEASE_IMAGE_VERSION: "${{ steps.new-semrel-version.outputs.version }}"