Simplify workflow to main-only branching strategy

.github/dependabot.yml

@@ -8,9 +8,6 @@ updates:
       day: "monday"
       time: "09:00"
     open-pull-requests-limit: 10
-    labels:
-      - "dependencies"
-      - "go"
     commit-message:
       prefix: "chore(deps)"
       include: "scope"
@@ -23,9 +20,6 @@ updates:
       day: "monday"
       time: "09:00"
     open-pull-requests-limit: 10
-    labels:
-      - "dependencies"
-      - "github-actions"
     commit-message:
       prefix: "chore(deps)"
       include: "scope"
@@ -38,9 +32,6 @@ updates:
       day: "monday"
       time: "09:00"
     open-pull-requests-limit: 5
-    labels:
-      - "dependencies"
-      - "docker"
     commit-message:
       prefix: "chore(deps)"
       include: "scope"

.github/workflows/codeql-analysis.yml

@@ -17,9 +17,9 @@ name: "CodeQL Advanced"
 
 on:
   push:
-    branches: [ "main", "develop" ]
+    branches: [ "main", "simplify-workflow-to-main-only" ]
   pull_request:
-    branches: [ "main", "develop" ]
+    branches: [ "main" ]
   schedule:
     - cron: '30 1 * * 1'  # Run every Monday at 1:30 AM UTC
 
@@ -42,10 +42,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@08bc0cf022445eacafaa248bf48da20f26b8fd40 # v4
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -58,10 +58,8 @@ jobs:
           echo 'Manual build not required for Go with autobuild'
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@08bc0cf022445eacafaa248bf48da20f26b8fd40 # v4
         with:
           category: "/language:${{ matrix.language }}"
           output: sarif-results
-          upload: false  # Disabled: conflicts with default setup
-          # Set to 'true' after disabling GitHub's default CodeQL setup
-        continue-on-error: true  # Don't fail workflow if upload conflicts
+          upload: true  # Enabled to unblock PR merges

.github/workflows/create-release-tag.yml

@@ -0,0 +1,154 @@
+name: Create Release Tag
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Release version (e.g., 1.0.0 or v1.0.0)'
+        required: true
+        type: string
+      prerelease:
+        description: 'Mark as pre-release'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+
+jobs:
+  create-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: main
+
+      - name: Validate and normalize version
+        id: version
+        run: |
+          VERSION="${{ github.event.inputs.version }}"
+
+          # Remove 'v' prefix if present for validation
+          VERSION_NUMBER="${VERSION#v}"
+
+          # Validate semantic version format
+          if ! echo "$VERSION_NUMBER" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$'; then
+            echo "❌ Invalid version format: $VERSION_NUMBER"
+            echo "Expected format: X.Y.Z or X.Y.Z-prerelease or X.Y.Z+build"
+            echo "Examples: 1.0.0, 1.0.0-beta.1, 1.0.0+build.123"
+            exit 1
+          fi
+
+          # Always use 'v' prefix for git tag
+          TAG_NAME="v${VERSION_NUMBER}"
+
+          echo "version=$VERSION_NUMBER" >> $GITHUB_OUTPUT
+          echo "tag=$TAG_NAME" >> $GITHUB_OUTPUT
+          echo "✅ Validated version: $TAG_NAME"
+
+      - name: Check if tag already exists
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+
+          # Check local tags
+          if git tag -l "$TAG" | grep -q "$TAG"; then
+            echo "❌ Tag $TAG already exists locally"
+            exit 1
+          fi
+
+          # Check remote tags
+          git fetch --tags
+          if git tag -l "$TAG" | grep -q "$TAG"; then
+            echo "❌ Tag $TAG already exists on remote"
+            exit 1
+          fi
+
+          echo "✅ Tag $TAG is available"
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Get latest commit info
+        id: commit
+        run: |
+          COMMIT_SHA=$(git rev-parse HEAD)
+          COMMIT_SHORT=$(git rev-parse --short HEAD)
+          COMMIT_MSG=$(git log -1 --pretty=%B)
+
+          echo "sha=$COMMIT_SHA" >> $GITHUB_OUTPUT
+          echo "short=$COMMIT_SHORT" >> $GITHUB_OUTPUT
+
+          # Export commit message for tag annotation
+          {
+            echo 'message<<EOF'
+            echo "$COMMIT_MSG"
+            echo EOF
+          } >> $GITHUB_OUTPUT
+
+      - name: Create annotated tag
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          VERSION="${{ steps.version.outputs.version }}"
+          PRERELEASE="${{ github.event.inputs.prerelease }}"
+
+          # Create tag message
+          TAG_MESSAGE="Release $TAG
+
+Automated release created from GitHub Actions workflow.
+
+Commit: ${{ steps.commit.outputs.short }}
+Created: $(date -u +"%Y-%m-%d %H:%M:%S UTC")
+Created by: ${{ github.actor }}
+Pre-release: $PRERELEASE
+
+Release Notes:
+${{ steps.commit.outputs.message }}
+
+🤖 Generated with Claude Code
+"
+
+          # Create annotated tag
+          git tag -a "$TAG" -m "$TAG_MESSAGE"
+
+          echo "✅ Created tag: $TAG"
+
+      - name: Push tag to remote
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+
+          git push origin "$TAG"
+
+          echo "✅ Pushed tag $TAG to remote"
+          echo "🚀 Release workflow will now be triggered automatically"
+
+      - name: Summary
+        run: |
+          TAG="${{ steps.version.outputs.tag }}"
+          VERSION="${{ steps.version.outputs.version }}"
+
+          echo "## ✅ Release Tag Created Successfully!" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Tag**: \`$TAG\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Version**: \`$VERSION\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Commit**: \`${{ steps.commit.outputs.short }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Pre-release**: \`${{ github.event.inputs.prerelease }}\`" >> $GITHUB_STEP_SUMMARY
+          echo "- **Created by**: @${{ github.actor }}" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Next Steps:" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "The \`release-package-helm.yml\` workflow has been automatically triggered." >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Monitor progress:**" >> $GITHUB_STEP_SUMMARY
+          echo "- [View Release Workflow](https://github.com/${{ github.repository }}/actions/workflows/release-package-helm.yml)" >> $GITHUB_STEP_SUMMARY
+          echo "- [View All Actions](https://github.com/${{ github.repository }}/actions)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**After workflow completes:**" >> $GITHUB_STEP_SUMMARY
+          echo "- [View Releases](https://github.com/${{ github.repository }}/releases)" >> $GITHUB_STEP_SUMMARY
+          echo "- Docker images will be available at:" >> $GITHUB_STEP_SUMMARY
+          echo "  - \`ghcr.io/${{ github.repository }}:$TAG\`" >> $GITHUB_STEP_SUMMARY
+          echo "  - \`splunk/splunk-ai-operator:$TAG\`" >> $GITHUB_STEP_SUMMARY

.github/workflows/helm-lint-test.yml

@@ -19,22 +19,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@bf6a7d304bc2fdb57e0331155b7ebf2c504acf0a # v4
         with:
           version: 'v3.14.0'
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.11'
 
       - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
 
       - name: Add Helm repositories
         run: |
@@ -139,7 +139,7 @@ jobs:
           echo "::endgroup::"
 
       - name: Create kind cluster for testing
-        uses: helm/kind-action@v1.10.0
+        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
         with:
           cluster_name: helm-test
           wait: 5m

.github/workflows/main-build-image.yml

@@ -16,7 +16,7 @@ jobs:
       IMAGE_NAME: ${{ github.repository }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           fetch-depth: 0
 
@@ -35,7 +35,7 @@ jobs:
           fi
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
           cache: true
@@ -44,7 +44,7 @@ jobs:
         run: make setup/ginkgo
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
 
       - name: Install Operator SDK
         run: |
@@ -56,17 +56,25 @@ jobs:
           sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Log in to Docker Hub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Extract metadata (tags, labels)
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+            splunk/splunk-ai-operator
           tags: |
             type=ref,event=branch
             type=ref,event=pr
@@ -77,7 +85,7 @@ jobs:
 
       - name: Build and push image
         id: build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
         with:
           context: .
           push: true
@@ -91,7 +99,7 @@ jobs:
         # Only run attestation for non-fork PRs and direct pushes
         # Fork PRs don't have access to id-token which is required for attestations
         if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@92c65d2898f1f53cfdc910b962cecff86e7f8fcc # v1
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.build.outputs.digest }}

.github/workflows/main-unit-tests.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
 
       - name: Read .env file
         id: dotenv
@@ -24,24 +24,23 @@ jobs:
           fi
 
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
         with:
           go-version: ${{ steps.dotenv.outputs.GO_VERSION }}
           cache: true
+
       - name: Run Unit Tests with Coverage
-        run: |
-          go install github.com/mattn/goveralls@latest
-          make test
-      #- run: goveralls -coverprofile=coverage.out -service=circle-ci -repotoken ${{ secrets.COVERALLS_TOKEN }}
-      #- uses: actions/upload-artifact@v4.4.0
-      #  with:
-      #    name: coverage.out
-      #    path: coverage.out
-      # - name: Run Unit Tests and E2E Tests with Coverage
-      #   run: go test $(go list ./... | grep -v '/tests') -coverprofile=coverage.out
+        run: make test
+
+      - name: Upload coverage to Coveralls
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          path-to-lcov: cover.out
+          format: golang
 
-      - name: Upload coverage file
-        uses: actions/upload-artifact@v4
+      - name: Upload coverage artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: code-coverage
-          path: coverage.out
+          path: cover.out

.github/workflows/main.yml

@@ -1,11 +1,12 @@
 name: Build and Test
 
 on:
-  pull_request: {}
+  pull_request:
+    branches:
+      - main
   push:
     branches:
       - main
-      - develop
 permissions:
   actions: read
   contents: read