feat: unify CI on Dockerfiles

[r3v5]

Summary

• Drop GoReleaser (.goreleaser.yaml) and replace with unified release.yml workflow using docker/build-push-action
• Fix Helm chart defaults: tag: __PLACEHOLDER__ → latest, cmd: /ko-app/cmd → /manager, pullPolicy: IfNotPresent → Always
• Build both kagenti-operator and agentcard-signer images via Dockerfiles on all triggers (main merges, tag pushes, manual dispatch)
• On tag pushes: package Helm chart (sed pins tag + pullPolicy to release values) and create GitHub Release
• On main merges: run E2E smoke test (Kind + cert-manager + clean helm install)
• Add concurrency control and guard latest tag to default branch only
• Remove ko entrypoint patch workaround from dev scripts
• Remove ko-local-build Makefile target, rename KO_DOCKER_REPO → LOCAL_REGISTRY
• Update docs/dev.md to remove ko references

Why

CI had a divergence: main-branch merges built images with Dockerfiles (entrypoint /manager), while release tags built with GoReleaser + ko (entrypoint /ko-app/cmd). The Helm chart hardcoded cmd: /ko-app/cmd and tag: __PLACEHOLDER__, so a clean helm install always failed — either the tag didn't exist or the entrypoint didn't match.

Two separate issues depending on which path you took:

Path 1: Install from source chart (helm install ./charts/kagenti-operator)

• Fails with ErrImagePull because tag: PLACEHOLDER doesn't exist on GHCR

Path 2: Install from released chart (helm install oci://ghcr.io/...)

• Tag is correct (sed replaced PLACEHOLDER → 0.2.0-alpha.23)
• But cmd: /ko-app/cmd only matches ko-built images
• On main merges, images were built with Dockerfiles (entrypoint /manager), not ko
• If the release workflow also used ko, then released charts worked — but the main-branch images and released images had different entrypoints

The core issue was: two different build tools producing images with different entrypoints, and a chart that couldn't work with both. I fixed it by standardizing everything on Dockerfiles + /manager.

Verification

• Built operator image locally from Dockerfile, loaded into Kind cluster
• helm install kagenti-operator ./charts/kagenti-operator succeeded
• Operator pod reached 1/1 Running with no ErrImagePull or CrashLoopBackOff
• Confirmed entrypoint /manager matches between Dockerfile and chart defaults
• Confirmed no remaining references to ko-local-build, KO_DOCKER_REPO, /ko-app/cmd, or __PLACEHOLDER__ in tracked files

Test plan

• CI lint and unit tests pass
• After merge to main: verify kagenti-operator:latest and agentcard-signer:latest exist on GHCR with /manager entrypoint
• E2E helm install job passes in CI
• Tag push produces versioned images, packaged Helm chart, and GitHub Release

Related issue(s)

[RHAIENG-3716]

[cwiklik]

Review Summary

Well-motivated PR that eliminates a real divergence between main-branch builds (Dockerfile → /manager) and release builds (ko → /ko-app/cmd). Standardizing on Dockerfiles with proper Helm chart defaults fixes the clean helm install failure. The yq-based release packaging (commit 2) is safer than the original sed approach. E2E smoke test on main merges is a good addition. @Bobbins228's feedback has been addressed.

Areas reviewed: CI/GitHub Actions, Helm, Shell, Makefile, Docs, Security
Commits: 2 commits, all signed-off: ✅
CI status: all 14 checks passing ✅ (Build, E2E, Lint, DCO, CodeQL, Trivy, Hadolint, ShellCheck, YAML Lint, Action Pinning)

Highlights

• Smart default strategy: latest + Always for dev, release workflow pins to semver + IfNotPresent — both paths consistent now
• yq with strenv() for YAML edits is much safer than sed — good iteration on @Bobbins228's feedback
• E2E smoke test (Kind + cert-manager + clean helm install + rollout check) is a solid guard for main
• Clean removal of ko entrypoint patch workaround from dev scripts

Minor note

Actions use version tags (@v4, @v6) rather than SHA pins. The repo's "Verify Action Pinning" check passes so this follows current policy — just noting that SHA pinning is a stronger supply-chain security practice for the future.

[pdettori]

/lgtm