ci: add pre-GA artifacts for GA releases

[rollandf]

On GA releases, generate hack/release-nvstaging.yaml (a copy of hack/release.yaml with repositories pointing to nvcr.io/nvstaging/mellanox) and commit it alongside release.yaml in the release PR, making it available at the GA tag for QA use.

Also add a pre-GA Helm chart build in the helm-package-publish job, triggered only on GA tags, that patches values.yaml to use nvstaging repositories and publishes the chart with version -pre-ga (e.g. 26.4.0-pre-ga).

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[greptile-apps]

Greptile Summary

This PR adds pre-GA artifact generation to both the CI and release workflows. On GA tags (no - suffix), release.yaml runs a sed substitution over hack/release.yaml to produce hack/release-nvstaging.yaml (pointing to nvcr.io/nvstaging/mellanox) and includes it in the release PR commit. In parallel, ci.yaml gains a new helm-package-publish step that patches values.yaml in-place, builds a Helm chart versioned <VERSION>-pre-ga, and restores the file afterwards.

• release.yaml: conditionally generates hack/release-nvstaging.yaml for GA tags and stages it alongside the existing release artifacts.
• ci.yaml: adds a GA-only Helm build step that substitutes nvstaging registry URLs, pushes the pre-GA chart, then reverts values.yaml.
• hack/release-nvstaging.yaml: a beta.9 placeholder file committed so the path is tracked by git from now on; it will be regenerated with GA versions on the next GA release run.

Confidence Score: 5/5

Safe to merge — the changes are additive CI steps that run only on GA tags, with no impact on existing release or build paths.

Both new workflow steps are isolated to GA-only conditions, touch no application code, and include the necessary cleanup (values.yaml restore). Committing hack/release-nvstaging.yaml as a tracked file also resolves the git-diff visibility concern raised in earlier review rounds. No defects were identified in the changed paths.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/ci.yaml	Adds a GA-only Helm pre-GA build step that patches values.yaml, pushes the chart with a -pre-ga version suffix, and restores the file; logic is correct and the restore step prevents state leaking to subsequent steps.
.github/workflows/release.yaml	Adds conditional generation of hack/release-nvstaging.yaml for GA releases and stages it alongside the existing release commit; $APP_VERSION is quoted, and the file is now tracked so git diff will detect future changes to it.
hack/release-nvstaging.yaml	Beta.9 placeholder committed to make the file tracked by git; will be regenerated with actual GA versions on the next GA release; docaTelemetryService intentionally keeps nvcr.io/nvidia/doca (not covered by the sed substitution, matching the PR's stated scope of nvstaging/mellanox only).

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant GH as GitHub Actions
    participant RW as release.yaml workflow
    participant CW as ci.yaml workflow
    participant Repo as Git Repo
    participant NGC as NGC / NVCR

    GH->>RW: GA tag pushed (no '-' in tag)
    RW->>Repo: make release-build → updates release.yaml, chart files
    RW->>RW: sed substitution → hack/release-nvstaging.yaml (nvidia→nvstaging)
    RW->>Repo: git add release.yaml + release-nvstaging.yaml
    RW->>Repo: git commit + push staging-VERSION branch
    RW->>GH: gh pr create (release PR)

    GH->>CW: GA tag pushed (no '-' in tag)
    CW->>CW: "Make package and push (VERSION = git_tag)"
    CW->>NGC: chart-build chart-push (production chart)
    CW->>CW: sed -i values.yaml (nvidia→nvstaging)
    CW->>NGC: "chart-build chart-push (pre-GA chart, VERSION = git_tag-pre-ga)"
    CW->>Repo: git checkout -- values.yaml (restore)

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant GH as GitHub Actions
    participant RW as release.yaml workflow
    participant CW as ci.yaml workflow
    participant Repo as Git Repo
    participant NGC as NGC / NVCR

    GH->>RW: GA tag pushed (no '-' in tag)
    RW->>Repo: make release-build → updates release.yaml, chart files
    RW->>RW: sed substitution → hack/release-nvstaging.yaml (nvidia→nvstaging)
    RW->>Repo: git add release.yaml + release-nvstaging.yaml
    RW->>Repo: git commit + push staging-VERSION branch
    RW->>GH: gh pr create (release PR)

    GH->>CW: GA tag pushed (no '-' in tag)
    CW->>CW: "Make package and push (VERSION = git_tag)"
    CW->>NGC: chart-build chart-push (production chart)
    CW->>CW: sed -i values.yaml (nvidia→nvstaging)
    CW->>NGC: "chart-build chart-push (pre-GA chart, VERSION = git_tag-pre-ga)"
    CW->>Repo: git checkout -- values.yaml (restore)

Loading

_{Reviews (2): Last reviewed commit: "ci: add pre-GA artifacts for GA releases" | Re-trigger Greptile}

[greptile-apps]

Unquoted variable in version-check shell expression

$APP_VERSION is unquoted inside the echo command. If the variable is ever empty or contains IFS-split characters (spaces, tabs, glob characters), the grep -q '-' test could behave unexpectedly. In an empty-variable edge case the grep receives no input and exits 1, causing the GA condition to be incorrectly skipped. Quote the variable to make the intent explicit and safe.

[rollandf]

Done

[greptile-apps]

Untracked release-nvstaging.yaml is invisible to git diff

git diff --exit-code only reports differences between the working tree and the index for tracked files. The freshly created hack/release-nvstaging.yaml is untracked, so it never contributes to the exit code. If no tracked file changed before this check (e.g. a workflow re-run after an already-applied release build), the outer if block is skipped entirely and release-nvstaging.yaml is silently dropped without being committed or pushed. Consider staging the file unconditionally (git add hack/release-nvstaging.yaml) immediately after the sed command, or switching the guard to git status --porcelain which also reports untracked files.

[rollandf]

Done

[greptile-apps]

In-place values.yaml patch is never reverted

sed -i permanently rewrites deployment/network-operator/values.yaml in the job's workspace with nvstaging repository URLs. There is no git checkout or restore afterwards. Any step added after this one in the helm-package-publish job would silently inherit the patched nvstaging values rather than the intended production values. Consider adding a cleanup step (git checkout -- deployment/network-operator/values.yaml) immediately after chart-build chart-push to keep the workspace clean.

[rollandf]

Done

[greptile-apps]

Quote $APP_VERSION to prevent word-splitting on an unexpected empty or whitespace value.

Suggested change

	if ! echo $APP_VERSION | grep -q '-'; then
	if ! echo "$APP_VERSION" | grep -q '-'; then

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Restore values.yaml to its original state after the pre-GA chart build to keep the workspace clean for any steps that may be added in the future.

Suggested change

	APP_VERSION=$git_tag VERSION=${git_tag:1}-pre-ga make chart-build chart-push
	APP_VERSION=$git_tag VERSION=${git_tag:1}-pre-ga make chart-build chart-push
	git checkout -- deployment/network-operator/values.yaml

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!