Add the two missing GitHub Actions build pipelines for the OpenovaFlow Go
binaries so prov #34 has real images to install. Both auto-bump their
chart's values.yaml `image.tag` on every main-branch push and dispatch
blueprint-release for chart re-publish.
Workflows shipped:
- .github/workflows/build-openova-flow-server.yaml
· Triggers on push to products/openova-flow/server/** or the chart
· `go vet` + `go test -race` + Buildx push to
ghcr.io/openova-io/openova/openova-flow-server:<sha> + :latest
· cosign keyless sign + SBOM attest
· awk-bumps platform/openova-flow-server/chart/values.yaml
flowServer.image.tag, commits to main with [skip ci]
· Dispatches blueprint-release.yaml for chart re-publish
- .github/workflows/build-openova-flow-adapter-flux.yaml
· Same shape; bumps platform/openova-flow-emitter/chart/values.yaml
flowEmitter.image.tag
Chart defaults (`tag: "latest"`) already shipped in PR #1397 — no
values.yaml changes needed in this PR.
Canonical patterns cited (ARCHITECT-FIRST):
- Build shape mirrors .github/workflows/build-application-controller.yaml
(Go vet + test + Buildx + cosign + SBOM + values.yaml awk-bump +
blueprint-release dispatch).
- awk-sed bump pattern mirrors catalystApi/catalystUi tag-bump in
.github/workflows/catalyst-build.yaml `deploy` job (with the
`[skip ci]` + explicit blueprint-release dispatch fix from #712).
Per docs/INVIOLABLE-PRINCIPLES.md:
- #4a (GitHub Actions is the only build path)
- event-driven (no cron triggers, only push/PR/workflow_dispatch)
MIRROR-EVERYTHING: image refs in chart values point at
harbor.openova.io/proxy-ghcr/...; CI pushes to ghcr.io directly and
Harbor proxy-pulls. No direct push to harbor.
Co-authored-by: hatiyildiz <269457768+hatiyildiz@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
0ac12970d8