chore(ci): normalize and align CD pipeline (#314)

[nanotaboada]

Summary

Improve the CD pipeline: add multi-platform image support (amd64 + arm64), enable build provenance attestation, and tighten changelog generation and release metadata.

Changes

• id-token: write permission added to release job (required for attestation)
• Set image name step dropped; ${{ github.repository }} used directly throughout
• provenance: false → provenance: mode=max
• Attest build provenance step added after image push (actions/attest-build-provenance@v2)
• Changelog format: "- %s" → "- %s (%h)" (adds short hash)
• Empty changelog guard added (No new changes since $PREVIOUS_TAG)
• draft: false, prerelease: false, generate_release_notes: true made explicit

Test plan

• Workflow YAML is valid (no syntax errors)
• On next tag push, test job passes before release job starts
• Docker image published for both linux/amd64 and linux/arm64
• Build provenance attestation visible on the GitHub Release
• Changelog in release body excludes merge commits and includes short hashes

Closes #314

🤖 Generated with Claude Code

---

This change is 

Summary by CodeRabbit

• Chores
  • Strengthened supply chain security by enabling build provenance and publishing provenance attestations for released images
  • Standardized Docker image tagging and simplified release/body examples
  • Improved changelog entries to include short commit references and show a “No new changes” message when empty
  • Enabled non-draft, non-prerelease releases and automatic release note generation

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ba700078-68f5-4f44-b0e0-c41c076adb6e

📥 Commits

Reviewing files that changed from the base of the PR and between 34d27a9 and 5dc788e.

📒 Files selected for processing (1)

• .github/workflows/maven-cd.yml

---

Walkthrough

Updates the Maven CD GitHub Actions workflow to enable build provenance attestation, adjust Docker image tagging to use github.repository, change provenance to mode=max, add attest-step and required permissions, tighten changelog generation (short hashes and empty-guard), and set explicit GitHub Release options with generated release notes.

Changes

Cohort / File(s)

Summary

CI/CD Workflow .github/workflows/maven-cd.yml

Updated release job permissions (id-token: write, attestations: write); removed intermediate image-name step and switched tags to ghcr.io/${{ github.repository }}; changed Docker provenance to mode=max; added actions/attest-build-provenance step using push digest; adjusted changelog generation to append (%h) and add empty-changelog guard; simplified release body and set draft:false, prerelease:false, generate_release_notes:true.

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant OIDC as OIDC Provider
    participant GHCR as GHCR (Registry)
    participant Attest as Attestation Service

    GHA->>GHA: Build image (platforms: amd64, arm64) with provenance=mode=max
    GHA->>OIDC: Request id-token (id-token: write)
    OIDC-->>GHA: Return OIDC token
    GHA->>GHCR: Push image (ghcr.io/${{ github.repository }})
    GHCR-->>GHA: Return image digest
    GHA->>Attest: Publish provenance attestation (subject: push digest)
    Attest-->>GHA: Attestation recorded
    GHA->>GHA: Create GitHub Release (generate_release_notes: true, draft:false, prerelease:false) with changelog

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Assessment against linked issues

Objective	Addressed	Explanation
Add (%h) short hash to commit format and enable generated release notes [#314]	✅
Add empty changelog guard and set draft:false / prerelease:false [#314]	✅
Add id-token: write permission and actions/attest-build-provenance step [#314]	✅
Set provenance to mode=max and remove intermediate image-name step [#314]	✅
Add --no-merges flag to git log command [#314]	❓	Change log formatting was updated to include (%h) and an empty-guard was added, but the diff does not explicitly show --no-merges being added to the git log command.

Possibly related issues

• Normalize and align CD pipeline Dotnet.Samples.AspNetCore.WebApi#465 — Similar CD workflow edits (permissions, provenance, attest step, changelog guard).
• Normalize and align CD pipeline ts-node-samples-express-restful#581 — Same workflow-level changes for provenance and release handling.
• Normalize and align CD pipeline go-samples-gin-restful#249 — Overlapping edits to Maven CD workflow (image tagging, provenance, attestation).

Possibly related PRs

• ci(release): implement named releases with tag-based deployment (#252) #287 — Modifies the same .github/workflows/maven-cd.yml with related changes to image tagging, changelog, and release creation.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title follows Conventional Commits format (chore(ci):), is well under 80 characters (49 characters), and accurately describes the main changes: normalizing and aligning the CD pipeline to enable build provenance attestation and multi-platform Docker image support.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/normalize-cd-pipeline

• 🛠️ sync documentation: Commit on current branch
• 🛠️ sync documentation: Create PR
• 🛠️ enforce http error handling: Commit on current branch
• 🛠️ enforce http error handling: Create PR
• 🛠️ idiomatic review: Commit on current branch
• 🛠️ idiomatic review: Create PR
• 🛠️ verify api contract: Commit on current branch
• 🛠️ verify api contract: Create PR

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (79ed48d) to head (5dc788e).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff             @@
##              master      #315   +/-   ##
===========================================
  Coverage     100.00%   100.00%           
  Complexity        30        30           
===========================================
  Files              2         2           
  Lines             88        88           
  Branches           8         8           
===========================================
  Hits              88        88           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/maven-cd.yml:
- Around line 118-125: The fallback message for an empty CHANGELOG currently
always says "No new changes since $PREVIOUS_TAG", which becomes "No new changes
since " on the first release; update the conditional that checks if [ -z
"$CHANGELOG" ] to branch on whether PREVIOUS_TAG is set: if PREVIOUS_TAG is
non-empty emit "No new changes since $PREVIOUS_TAG", otherwise emit a clear
first-release message like "No changes (first release)". Change the logic that
sets CHANGELOG (and the subsequent if [ -z "$CHANGELOG" ]) to use PREVIOUS_TAG
to select the appropriate fallback text.
- Around line 36-39: The release job's permissions block is missing
attestations: write which is required by the actions/attest-build-provenance@v2
step to persist build provenance; update the permissions mapping in the release
job to include attestations: write alongside contents: write, packages: write,
and id-token: write so the attestation step can succeed.
- Around line 106-110: The Attest build provenance step using
actions/attest-build-provenance@v2 is missing the push-to-registry input; update
the workflow step that defines subject-name and subject-digest to include
push-to-registry: true so the attestation is pushed to the GHCR registry (i.e.,
add the push-to-registry: true input alongside subject-name: ghcr.io/${{
github.repository }} and subject-digest: ${{ steps.push.outputs.digest }}).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 90b5f1ed-cb81-4da7-9380-90d2e2a35ce5

📥 Commits

Reviewing files that changed from the base of the PR and between 79ed48d and 34d27a9.

📒 Files selected for processing (1)

• .github/workflows/maven-cd.yml

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud