From 34d27a98840750542a7f81710d8ac33f01465932 Mon Sep 17 00:00:00 2001 From: Nano Taboada Date: Sat, 11 Apr 2026 09:52:58 -0300 Subject: [PATCH 1/3] chore(ci): normalize and align CD pipeline (#314) Co-authored-by: Claude Sonnet 4.6 --- .github/workflows/maven-cd.yml | 41 +++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/.github/workflows/maven-cd.yml b/.github/workflows/maven-cd.yml index 37b2483..1f3d2b2 100644 --- a/.github/workflows/maven-cd.yml +++ b/.github/workflows/maven-cd.yml @@ -36,6 +36,7 @@ jobs: permissions: contents: write packages: write + id-token: write steps: - name: Checkout repository @@ -87,23 +88,26 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4.0.0 - - name: Set image name - id: image - run: echo "name=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT" - - name: Build and push Docker image to GitHub Container Registry + id: push uses: docker/build-push-action@v7.1.0 with: context: . push: true platforms: linux/amd64,linux/arm64 - provenance: false + provenance: mode=max cache-from: type=gha cache-to: type=gha,mode=max tags: | - ghcr.io/${{ steps.image.outputs.name }}:latest - ghcr.io/${{ steps.image.outputs.name }}:${{ steps.tag.outputs.semver }} - ghcr.io/${{ steps.image.outputs.name }}:${{ steps.tag.outputs.club }} + ghcr.io/${{ github.repository }}:latest + ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.semver }} + ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.club }} + + - name: Attest build provenance + uses: actions/attest-build-provenance@v2 + with: + subject-name: ghcr.io/${{ github.repository }} + subject-digest: ${{ steps.push.outputs.digest }} - name: Generate changelog id: changelog 
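Review bot: `id-token: write` is granted in the job-level `permissions` block of the first hunk, so every step of this job can request an OIDC token, not only the attestation step, and the job already holds `contents: write` and `packages: write`. The third-party actions visible in this series are referenced by tag (`docker/setup-buildx-action@v4.0.0`, `docker/build-push-action@v7.1.0`, `actions/attest-build-provenance@v2`, changed to `@v4.1.0` in PATCH 3/3), and a tag can later point at different code than what was reviewed. I would pin each `uses:` to a full commit SHA with the version in a trailing comment, and add `# required by actions/attest-build-provenance: OIDC token for the Sigstore signing certificate` above the new permission. The rest of the job is outside this hunk, so whether the image push and attestation can move into their own job, keeping `contents: write` away from the build steps, is something to check rather than a finding. The same point applies to `attestations: write` added in PATCH 2/3.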
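Review bot: The `tags` and the new `subject-name` use `ghcr.io/${{ github.repository }}` directly, while the removed `Set image name` step lowercased that value; `github.repository` keeps the owner/repo casing and image references must be lowercase. If the owner or repository name contains an uppercase letter, the push and the attestation bound to `steps.push.outputs.digest` would be rejected, so either keep the lowercasing step or add a comment such as `# github.repository is all lowercase for this repo; image refs must be lowercase`. Separately, `provenance: mode=max` records build parameters, including build-arg values, in the attestation attached to the image; no `build-args` is visible in this hunk, so confirm that none carries a secret. With BuildKit provenance and `actions/attest-build-provenance` both enabled the image carries two provenance statements, and a one-line comment naming the one consumers should verify would help.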
@@ -111,10 +115,15 @@ jobs: CURRENT_TAG="${GITHUB_REF#refs/tags/}" PREVIOUS_TAG=$(git tag --sort=-version:refname | grep -Fxv "$CURRENT_TAG" | head -n 1) if [ -n "$PREVIOUS_TAG" ]; then - CHANGELOG=$(git log "$PREVIOUS_TAG"..HEAD --pretty=format:"- %s" --no-merges) + CHANGELOG=$(git log "$PREVIOUS_TAG"..HEAD --pretty=format:"- %s (%h)" --no-merges) else - CHANGELOG=$(git log --pretty=format:"- %s" --no-merges) + CHANGELOG=$(git log --pretty=format:"- %s (%h)" --no-merges) fi + + if [ -z "$CHANGELOG" ]; then + CHANGELOG="No new changes since $PREVIOUS_TAG" + fi + { echo "content< Date: Sat, 11 Apr 2026 10:01:05 -0300 Subject: [PATCH 2/3] fix(ci): address review findings in CD pipeline - Add attestations: write permission required by attest action - Add push-to-registry: true to push attestation to GHCR - Fix empty changelog fallback message when PREVIOUS_TAG is unset Co-authored-by: Claude Sonnet 4.6 --- .github/workflows/maven-cd.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/maven-cd.yml b/.github/workflows/maven-cd.yml index 1f3d2b2..636e758 100644 --- a/.github/workflows/maven-cd.yml +++ b/.github/workflows/maven-cd.yml @@ -37,6 +37,7 @@ jobs: contents: write packages: write id-token: write + attestations: write steps: - name: Checkout repository @@ -108,6 +109,7 @@ jobs: with: subject-name: ghcr.io/${{ github.repository }} subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true - name: Generate changelog id: changelog @@ -121,7 +123,11 @@ jobs: fi if [ -z "$CHANGELOG" ]; then - CHANGELOG="No new changes since $PREVIOUS_TAG" + if [ -n "$PREVIOUS_TAG" ]; then + CHANGELOG="No new changes since $PREVIOUS_TAG" + else + CHANGELOG="No changes (first release)" + fi fi { From 5dc788eca0138d42fded2c9c0f92460819b77dff Mon Sep 17 00:00:00 2001 
From: Nano Taboada Date: Sat, 11 Apr 2026 10:11:26 -0300 Subject: [PATCH 3/3] chore(ci): update attest-build-provenance to v4.1.0 - Drop Quick Start section from release body (belongs in README) Co-authored-by: Claude Sonnet 4.6 --- .github/workflows/maven-cd.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/maven-cd.yml b/.github/workflows/maven-cd.yml index 636e758..aa2fa90 100644 --- a/.github/workflows/maven-cd.yml +++ b/.github/workflows/maven-cd.yml @@ -105,7 +105,7 @@ jobs: ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.club }} - name: Attest build provenance - uses: actions/attest-build-provenance@v2 + uses: actions/attest-build-provenance@v4.1.0 with: subject-name: ghcr.io/${{ github.repository }} subject-digest: ${{ steps.push.outputs.digest }} @@ -158,13 +158,6 @@ jobs: docker pull ghcr.io/${{ github.repository }}:latest ``` - ## Quick Start - - ```bash - docker run -p 9000:9000 ghcr.io/${{ github.repository }}:${{ steps.tag.outputs.semver }} - ``` - - API available at `http://localhost:9000` · Swagger UI at `http://localhost:9000/swagger/index.html` draft: false prerelease: false generate_release_notes: true