From 417122703a432f37ff0fb0363f89ab1d34f707b0 Mon Sep 17 00:00:00 2001 From: Simo Lin Date: Fri, 27 Jun 2025 17:56:39 -0700 Subject: [PATCH] [ci] fix release --- .github/workflows/helm-gh-pages.yaml | 28 +++- .github/workflows/openvex.yaml | 2 +- .github/workflows/release.yaml | 43 ++++- .github/workflows/sbom.yaml | 20 ++- .github/workflows/update-release-images.yaml | 163 ------------------- README.md | 24 ++- 6 files changed, 101 insertions(+), 179 deletions(-) delete mode 100644 .github/workflows/update-release-images.yaml diff --git a/.github/workflows/helm-gh-pages.yaml b/.github/workflows/helm-gh-pages.yaml index d1932a18..5671dc28 100644 --- a/.github/workflows/helm-gh-pages.yaml +++ b/.github/workflows/helm-gh-pages.yaml @@ -1,4 +1,4 @@ -name: Publish Helm Charts to GitHub Pages +name: Publish Helm Charts to GitHub Pages and OCI Registry on: push: @@ -14,6 +14,11 @@ permissions: contents: write pages: write id-token: write + packages: write + +env: + REGISTRY: ghcr.io + IMAGE_ORG: moirai-internal jobs: publish-charts: @@ -34,6 +39,13 @@ jobs: git config user.name "$GITHUB_ACTOR" git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.MOIRAI_REGISTRY_TOKEN }} + - name: Prepare charts directory run: | mkdir -p .charts-repo @@ -55,6 +67,12 @@ jobs: helm package "${chart}" -d .charts-repo done + - name: Push charts to OCI registry + run: | + for chart in .charts-repo/*.tgz; do + helm push ${chart} oci://${{ env.REGISTRY }}/${{ env.IMAGE_ORG }}/charts + done + - name: Checkout gh-pages branch run: | git fetch origin gh-pages || true @@ -98,6 +116,14 @@ jobs:
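Review bot: The `packages: write` permission added under `permissions:` looks unused, because the new "Log in to GitHub Container Registry" step authenticates with `secrets.MOIRAI_REGISTRY_TOKEN` rather than the job's `GITHUB_TOKEN`; if the charts are pushed with that separate token, drop the grant so the job token keeps the smallest scope it needs. The step also references `docker/login-action@v3` by a mutable tag while handing it a registry credential; pinning it to a full commit SHA, `uses: docker/login-action@<full-commit-sha> # v3`, would keep a retagged action from receiving the secret. The same login step is added to `.github/workflows/release.yaml` and has the same pinning gap. In the "Push charts to OCI registry" step, quote the archive path, `helm push "${chart}" oci://...`, so it is not word-split.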

Installation Instructions

+ +

Option 1: OCI Registry (Recommended)

+
+# Install directly from OCI registry
+helm install ome-crd oci://ghcr.io/moirai-internal/charts/ome-crd --namespace ome --create-namespace
+helm install ome oci://ghcr.io/moirai-internal/charts/ome-resources --namespace ome
+ +

Option 2: Helm Repository

 # Add the OME Helm repository
 helm repo add ome https://sgl-project.github.io/ome
diff --git a/.github/workflows/openvex.yaml b/.github/workflows/openvex.yaml
index 4bf5ab7c..06be361f 100644
--- a/.github/workflows/openvex.yaml
+++ b/.github/workflows/openvex.yaml
@@ -48,7 +48,7 @@ jobs:
           # Create VEX document for known false positives or accepted risks
           vexctl create \
             --author="OME Maintainers" \
-            --role="Project Maintainer" \
+            --author-role="Project Maintainer" \
             --product="pkg:github/sgl-project/ome@${TAG}" \
             --file="ome-${TAG}.vex.json"
           
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a0bd3d01..9f466dff 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -137,21 +137,33 @@ jobs:
         with:
           version: 'latest'
 
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.MOIRAI_REGISTRY_TOKEN }}
+
       - name: Update chart versions
         run: |
           VERSION=${{ needs.prepare.outputs.version }}
+          TAG=${{ needs.prepare.outputs.tag }}
           
           # Update chart versions
           for chart in charts/*/; do
             yq eval -i ".version = \"${VERSION}\"" ${chart}Chart.yaml
             yq eval -i ".appVersion = \"${VERSION}\"" ${chart}Chart.yaml
             
-            # Update image tags in values.yaml
-            if [[ -f ${chart}values.yaml ]]; then
-              yq eval -i ".image.tag = \"${{ needs.prepare.outputs.tag }}\"" ${chart}values.yaml
-              yq eval -i ".image.repository = \"ghcr.io/moirai-internal/ome-manager\"" ${chart}values.yaml
-              yq eval -i ".modelAgent.image.repository = \"ghcr.io/moirai-internal/model-agent\"" ${chart}values.yaml
-              yq eval -i ".modelAgent.image.tag = \"${{ needs.prepare.outputs.tag }}\"" ${chart}values.yaml
+            # Update image tags in values.yaml for ome-resources chart
+            if [[ -f ${chart}values.yaml ]] && [[ $(basename ${chart}) == "ome-resources" ]]; then
+              # Update the defaultVersion anchor
+              yq eval -i ".ome.version = \"${TAG}\"" ${chart}values.yaml
+              
+              # Update specific image tags that don't use the anchor
+              yq eval -i ".ome.benchmarkJob.tag = \"${TAG}\"" ${chart}values.yaml
+              yq eval -i ".ome.multinodeProber.tag = \"${TAG}\"" ${chart}values.yaml
+              yq eval -i ".ome.omeAgent.tag = \"${TAG}\"" ${chart}values.yaml
+              yq eval -i ".modelAgent.image.tag = \"${TAG}\"" ${chart}values.yaml
             fi
           done
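Review bot: The added `TAG=${{ needs.prepare.outputs.tag }}` substitutes the expression's value into the script text before bash parses it, so a tag that contains shell metacharacters would be interpreted as code instead of being assigned; the unchanged `VERSION=` line directly above has the same shape. Pass both values through the step's `env:` map (`TAG: ${{ needs.prepare.outputs.tag }}`) and read them as `"${TAG}"` in the script, quoting `"${chart}values.yaml"` in the yq calls as well. How the `prepare` job derives the tag is outside this hunk, so the actual exposure depends on whether it comes from a pushed ref or a dispatch input. The new login step reads `env.REGISTRY`, whose definition is not in the visible lines of this file; if it is not set at workflow level the expression expands to an empty string.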
 
@@ -162,7 +174,14 @@ jobs:
             helm package ${chart} -d .charts
           done
 
-      - name: Create chart index
+      - name: Push charts to OCI registry
+        run: |
+          for chart in .charts/*.tgz; do
+            chart_name=$(basename ${chart%.tgz} | cut -d- -f1)
+            helm push ${chart} oci://${{ env.REGISTRY }}/${{ env.IMAGE_ORG }}/charts
+          done
+
+      - name: Create chart index for GitHub Pages
         run: |
           helm repo index .charts --url https://github.com/sgl-project/ome/releases/download/${{ needs.prepare.outputs.tag }}
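Review bot: `chart_name` in the new push loop is assigned and never used, and `cut -d- -f1` would reduce a name such as `ome-crd-<version>` to `ome` anyway, so the line should be deleted. Quote the archive path in the push, `helm push "${chart}" oci://${{ env.REGISTRY }}/${{ env.IMAGE_ORG }}/charts`. `env.IMAGE_ORG` is not defined anywhere in the visible hunks of this file; an empty value would push to a different repository path than the one the release notes advertise, so confirm it is set at workflow level.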
 
@@ -262,6 +281,16 @@ jobs:
           
           ## ⎈ Helm Installation
           
+          ### Option 1: OCI Registry (Recommended)
+          
+          \`\`\`bash
+          # Install directly from OCI registry
+          helm install ome-crd oci://ghcr.io/moirai-internal/charts/ome-crd --version ${{ needs.prepare.outputs.version }} --namespace ome --create-namespace
+          helm install ome oci://ghcr.io/moirai-internal/charts/ome-resources --version ${{ needs.prepare.outputs.version }} --namespace ome
+          \`\`\`
+          
+          ### Option 2: GitHub Releases
+          
           \`\`\`bash
           # Add the OME Helm repository
           helm repo add ome https://github.com/sgl-project/ome/releases/download/${{ needs.prepare.outputs.tag }}
diff --git a/.github/workflows/sbom.yaml b/.github/workflows/sbom.yaml
index 1778f3cf..bc38c03a 100644
--- a/.github/workflows/sbom.yaml
+++ b/.github/workflows/sbom.yaml
@@ -41,11 +41,25 @@ jobs:
           syft dir:. -o spdx-json > ome-${TAG}-sbom.spdx.json
           syft dir:. -o cyclonedx-json > ome-${TAG}-sbom.cyclonedx.json
           
-          # Generate SBOM for container images
+          # Generate SBOM for container images with retry logic
           for image in ome-manager model-agent ome-agent multinode-prober; do
             echo "Generating SBOM for ${image}..."
-            syft ghcr.io/moirai-internal/ome/${image}:${TAG} -o spdx-json > ${image}-${TAG}-sbom.spdx.json
-            syft ghcr.io/moirai-internal/ome/${image}:${TAG} -o cyclonedx-json > ${image}-${TAG}-sbom.cyclonedx.json
+            
+            # Retry up to 5 times with 30 second delays
+            for attempt in {1..5}; do
+              if syft ghcr.io/moirai-internal/${image}:${TAG} -o spdx-json > ${image}-${TAG}-sbom.spdx.json 2>/dev/null; then
+                syft ghcr.io/moirai-internal/${image}:${TAG} -o cyclonedx-json > ${image}-${TAG}-sbom.cyclonedx.json
+                echo "✅ Successfully generated SBOM for ${image}"
+                break
+              else
+                echo "⏳ Attempt ${attempt}/5 failed. Image might not be available yet. Retrying in 30s..."
+                if [ ${attempt} -lt 5 ]; then
+                  sleep 30
+                else
+                  echo "❌ Failed to generate SBOM for ${image} after 5 attempts"
+                fi
+              fi
+            done
           done
 
       - name: Upload SBOMs to release
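Review bot: When all five attempts fail, the inner loop only prints the ❌ message and the outer loop moves on to the next image, so the step still exits 0 and the zero-byte `${image}-${TAG}-sbom.spdx.json` left behind by the `>` redirect can reach the "Upload SBOMs to release" step that follows. The `2>/dev/null` on the first `syft` call also hides whether the failure was a missing image, an authentication error or something else, which makes a release published without a valid SBOM hard to diagnose. Write each SBOM to a temporary file, move it into place only when both formats succeed, keep stderr, and fail the step once the retries are exhausted. The enclosing `run:` script starts above the hunk.

```yaml
          for image in ome-manager model-agent ome-agent multinode-prober; do
            # … unchanged: echo "Generating SBOM for ${image}..." …
            ref="ghcr.io/moirai-internal/${image}:${TAG}"
            generated=false
            for attempt in {1..5}; do
              # Temporary files: a failed run must never leave an empty SBOM for the upload step
              if syft "${ref}" -o spdx-json > "${image}.spdx.tmp" \
                && syft "${ref}" -o cyclonedx-json > "${image}.cyclonedx.tmp"; then
                mv "${image}.spdx.tmp" "${image}-${TAG}-sbom.spdx.json"
                mv "${image}.cyclonedx.tmp" "${image}-${TAG}-sbom.cyclonedx.json"
                generated=true
                break
              fi
              rm -f "${image}.spdx.tmp" "${image}.cyclonedx.tmp"
              # … unchanged: retry message, and `sleep 30` while attempts remain …
            done
            if [ "${generated}" != true ]; then
              echo "❌ Failed to generate SBOM for ${image} after 5 attempts"
              exit 1
            fi
          done
```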
diff --git a/.github/workflows/update-release-images.yaml b/.github/workflows/update-release-images.yaml
deleted file mode 100644
index ac161047..00000000
--- a/.github/workflows/update-release-images.yaml
+++ /dev/null
@@ -1,163 +0,0 @@
-name: Update Release Images
-
-on:
-  release:
-    types: [published]
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Tag to update images to (e.g., v0.1.0)'
-        required: true
-        type: string
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  update-images:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          ref: main
-
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: '1.24.1'
-
-      - name: Install yq
-        uses: mikefarah/yq@v4
-
-      - name: Determine version
-        id: version
-        run: |
-          if [[ "${{ github.event_name }}" == "release" ]]; then
-            TAG="${{ github.event.release.tag_name }}"
-          else
-            TAG="${{ inputs.tag }}"
-          fi
-          echo "tag=${TAG}" >> $GITHUB_OUTPUT
-          echo "📦 Updating images to version: ${TAG}"
-
-      - name: Update config patches
-        run: |
-          TAG="${{ steps.version.outputs.tag }}"
-          
-          # Update manager deployment patch
-          cat > config/default/manager_image_patch.yaml << EOF
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ome-controller-manager
-  namespace: ome
-spec:
-  template:
-    spec:
-      containers:
-        - name: manager
-          image: ghcr.io/moirai-internal/ome-manager:${TAG}
-EOF
-          
-          # Update model agent daemonset patch
-          cat > config/default/model_agent_image_patch.yaml << EOF
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: ome-model-agent-daemonset
-  namespace: ome
-spec:
-  template:
-    spec:
-      containers:
-        - name: model-agent
-          image: ghcr.io/moirai-internal/model-agent:${TAG}
-EOF
-
-      - name: Update Helm chart values
-        run: |
-          TAG="${{ steps.version.outputs.tag }}"
-          
-          # Update the defaultVersion at the top
-          yq eval -i '.ome.version = "'${TAG}'"' charts/ome-resources/values.yaml
-          
-          # Update specific component images
-          yq eval -i '.ome.multinodeProber.tag = "'${TAG}'"' charts/ome-resources/values.yaml
-          yq eval -i '.ome.controller.tag = "'${TAG}'"' charts/ome-resources/values.yaml
-          yq eval -i '.ome.omeAgent.tag = "'${TAG}'"' charts/ome-resources/values.yaml
-          yq eval -i '.modelAgent.image.tag = "'${TAG}'"' charts/ome-resources/values.yaml
-          
-          # Update the controller image to use the new namespace format
-          yq eval -i '.ome.controller.image = "ghcr.io/moirai-internal/ome-manager"' charts/ome-resources/values.yaml
-          
-          echo "✅ Updated Helm chart values"
-
-      - name: Update Chart.yaml versions
-        run: |
-          VERSION="${{ steps.version.outputs.tag }}"
-          VERSION="${VERSION#v}"  # Remove 'v' prefix if present
-          
-          # Update all Chart.yaml files
-          for chart in charts/*/; do
-            if [[ -f "${chart}Chart.yaml" ]]; then
-              yq eval -i ".version = \"${VERSION}\"" "${chart}Chart.yaml"
-              yq eval -i ".appVersion = \"${VERSION}\"" "${chart}Chart.yaml"
-              echo "✅ Updated ${chart}Chart.yaml"
-            fi
-          done
-
-      - name: Validate changes
-        run: |
-          echo "📋 Changes made:"
-          echo ""
-          echo "Config patches:"
-          ls -la config/default/*_image_patch.yaml || true
-          echo ""
-          echo "Helm values changes:"
-          git diff charts/ome-resources/values.yaml || true
-          echo ""
-          echo "Chart.yaml changes:"
-          git diff charts/*/Chart.yaml || true
-
-      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v6
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-          commit-message: |
-            [Release] Update images to ${{ steps.version.outputs.tag }}
-            
-            - Update config patches for manager and model-agent
-            - Update Helm chart default image tags
-            - Update Chart.yaml versions
-            
-            Auto-generated by release workflow
-          branch: update-images-${{ steps.version.outputs.tag }}
-          delete-branch: true
-          title: "[Release] Update images to ${{ steps.version.outputs.tag }}"
-          body: |
-            ## 🚀 Release Image Update
-            
-            This PR automatically updates all image references to version `${{ steps.version.outputs.tag }}`.
-            
-            ### Changes made:
-            - ✅ Updated config patches for kustomize deployments
-            - ✅ Updated Helm chart image tags in values.yaml
-            - ✅ Updated Chart.yaml versions
-            
-            ### Components updated:
-            - ome-manager
-            - model-agent
-            - multinode-prober
-            - ome-agent
-            
-            Please review and merge this PR to ensure `make install` uses the latest release images.
-            
-            ---
-            *This PR was automatically generated by the release workflow.*
-          labels: |
-            release
-            automated
-          assignees: ${{ github.actor }}
\ No newline at end of file
diff --git a/README.md b/README.md
index 60579b45..4dec4c64 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,21 @@ Read the [documentation](https://sgl-project.github.io/ome/docs/) to learn more
 
 **Requires Kubernetes 1.28 or newer**
 
-To install OME in your cluster using Helm:
+### Option 1: OCI Registry (Recommended)
+
+Install OME directly from the OCI registry:
+
+```bash
+# Install OME CRDs
+helm upgrade --install ome-crd oci://ghcr.io/moirai-internal/charts/ome-crd --namespace ome --create-namespace
+
+# Install OME resources
+helm upgrade --install ome oci://ghcr.io/moirai-internal/charts/ome-resources --namespace ome
+```
+
+### Option 2: Helm Repository
+
+Install using the traditional Helm repository:
 
 ```bash
 # Add the OME Helm repository
@@ -53,13 +67,15 @@ helm repo add ome https://sgl-project.github.io/ome
 helm repo update
 
 # Install OME CRDs first
-helm install ome-crd ome/ome-crd --namespace ome --create-namespace
+helm upgrade --install ome-crd ome/ome-crd --namespace ome --create-namespace
 
 # Install OME resources
-helm install ome ome/ome-resources --namespace ome
+helm upgrade --install ome ome/ome-resources --namespace ome
 ```
 
-For installation from source:
+### Option 3: Install from Source
+
+For development or customization:
 
 ```bash
 # Clone the repository