release: enhanced Go workflows with monorepo support and Slack notifications (#24)

* feat: add GitOps Update workflow and comprehensive documentation

- Add GitOps Update reusable workflow with multi-environment support (dev/stg/prd/sandbox)
- Add self-release workflow for automated semantic versioning
- Create comprehensive documentation for all workflows:
  - GitOps Update workflow guide
  - API Dog E2E Tests workflow guide
  - PR Security Scan workflow guide
  - Release workflow guide
  - Documentation index with examples and best practices
- Add semantic release configuration (.releaserc.yml)
- Update CONTRIBUTING.md with conventional commits guidelines and release process
- Update README.md with versioning section and documentation links
- Simplify release workflow to use .releaserc.yml configuration

Key Features:
- Multi-environment GitOps updates with automatic tag detection
- Static and dynamic YAML key mapping support
- Optional ArgoCD sync integration
- Docker Hub login to avoid rate limits
- Comprehensive documentation with examples and troubleshooting
- Automated semantic versioning with conventional commits

* chore: change dependabot target branch to develop

* chore: add PR template

* feat(gitops): add convention-based configuration with auto-generated paths and names

- Add convention-based configuration that auto-generates values from repository name
- Auto-generate app name, artifact pattern, commit prefix, and ArgoCD app name
- Auto-generate GitOps file paths based on server and environment
- Make Docker Hub login enabled by default to avoid rate limits
- Simplify ArgoCD sync steps using the action module
- Remove sandbox tag detection (sandbox only updates with production releases)
- Update production releases to sync both prd and sandbox environments
- Reduce required inputs from 11 to just 1 (yaml_key_mappings)
- Update documentation with simplified examples and convention details

* docs: replace real repository names and IDs with fictional examples

- Replace real repository names (plugin-auth, plugin-crm, midaz) with generic examples
- Replace real Apidog environment IDs with fictional values
- Replace organization-specific secret names with generic examples
- Move environment_id from input to secret in api-dog-e2e-tests workflow for better security
- Update all documentation examples to use fictional data

* chore: remove rc rule from .releaserc.yml

* chore: pass dockerfile path as parameter

* chore: pass npm secrets as parameter

* chore: pass npm secrets as parameter

* refactor: simplify GitOps workflow environment detection and file handling

* fix: simplify ArgoCD app name handling in sync workflow

* feat: enhanced Go workflows with monorepo support and Slack notifications (#23)

* feat: add Go workflows and PR validation with GitHub token support

Add comprehensive Go project workflows:
- go-ci.yml: Multi-version CI with linting and cross-platform builds
- go-security.yml: Security scanning with 8 tools (gosec, trivy, etc.)
- go-release.yml: Automated releases with GoReleaser
- go-unit-tests.yml: Fast unit testing with matrix support
- go-coverage-check.yml: Coverage validation with PR comments
- pr-validation.yml: PR validation with semantic titles and auto-labeling

All workflows support GitHub token as optional secret parameter for API operations.
Token defaults to GITHUB_TOKEN if not provided.

Add release-candidate branch to semantic-release configuration.

Update documentation:
- Add workflow usage guides for all new workflows
- Remove emojis from README
- Update branch order to: develop, release-candidate, main

* fix: rename github_token to manage_token to avoid reserved name collision

GitHub Actions reserves the name 'github_token' as a system name,
causing workflow_call to fail with collision error.

Changes:
- Rename secret 'github_token' to 'manage_token' in go-coverage-check.yml
- Rename secret 'github_token' to 'manage_token' in pr-validation.yml
- Update all references (9 total) across both workflows

This aligns with the pattern used in gitops-update.yml and prevents
the "secret name collides with system reserved name" error.

* Upgrade CodeQL Action from v3 to v4

Updated the CodeQL action used for SARIF upload from the deprecated v3
to the current v4 version.

Changes:
- Update github/codeql-action/upload-sarif from v3 to v4

This addresses the deprecation warning:
"CodeQL Action v3 will be deprecated in December 2026"

Benefits of v4:
- Improved performance and stability
- Better permission handling with reusable workflows
- Enhanced compatibility with GitHub's security features
- Long-term support and active maintenance

Reference: https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/

This should also resolve the "Resource not accessible by integration"
errors when uploading SARIF files to GitHub Code Scanning.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: rename github_token to manage_token to avoid reserved name conflict (#21)

* fix: update go-coverage-report version and remove all-checks-pass job

- Update fgrosse/go-coverage-report from @v1 to @v1.2.0 (v1 doesn't exist)
- Remove all-checks-pass job to prevent cascading failures
- Individual checks are sufficient for PR validation

Fixes issues in lerian-cli PR #1

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(go-coverage-check): aggregate coverage by package instead of listing individual files

## Problem
The "Coverage by Package" section in PR comments was empty or showing individual file entries instead of aggregated package-level coverage. The AWK script had two issues:

1. Used reserved keyword `func` as variable name (syntax error)
2. Listed individual files with coverage, not package aggregates

## Solution
- Generate markdown table format for better readability
- Extract package path by removing filename from file path
- Accumulate coverage data across all functions in each package
- Calculate average coverage percentage per package
- Sort packages alphabetically for consistent output

## Changes
- Replace bullet list with markdown table (| Package | Coverage |)
- Fix AWK syntax by using `pkg` instead of reserved `func`
- Add aggregation logic to sum coverage across package functions
- Add debug output to show generated coverage report

## Output Example

### Before (Broken)
\`\`\`
## Coverage by Package

- **path/to/file.go**: 85.5%
- **path/to/file.go**: 90.2%
...
\`\`\`

### After (Fixed)
\`\`\`
## Coverage by Package

| Package | Coverage |
|---------|----------|
| \`github.com/org/project/internal/client\` | 95.6% |
| \`github.com/org/project/internal/config\` | 88.7% |
| \`github.com/org/project/internal/output\` | 98.8% |
\`\`\`

## Testing
Tested with Go 1.24 coverage files, verified correct aggregation across multiple packages with varying coverage levels.

* feat(changed-paths): add reusable workflow for detecting changed paths

Adds a new reusable workflow for monorepo CI/CD optimization that detects
changed paths between commits with support for path filtering, path level
trimming, and app name generation for matrix strategies.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat: add Go PR analysis reusable workflow

New workflow for Go monorepo PR analysis that handles:
- Change detection for specified paths
- Matrix-based execution per changed app
- GolangCI-Lint with configurable version
- Security scanning (gosec, govulncheck)
- Unit tests with coverage
- Coverage threshold check with PR comments
- Build verification

All logic is centralized in this workflow for easy maintenance.

Includes documentation at docs/go-pr-analysis-workflow.md

* feat: upgrade golangci-lint-action to v7 for golangci-lint v2 support

- golangci-lint v2.x requires golangci-lint-action v7
- v6 only supports golangci-lint v1.x

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat: add detailed coverage report with package breakdown

- Generate coverage by package table in PR comments
- Generate HTML coverage report as artifact
- Add coverage summary to GitHub Actions summary
- Update existing PR comments instead of creating duplicates

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: add debug logging for coverage comment posting

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat: add monorepo support with filter_paths for release workflow

- Add filter_paths input to detect changes in monorepo apps
- Add prepare_matrix job to build dynamic matrix from changed paths
- If filter_paths provided: detects changes and releases only changed apps
- If filter_paths empty: single app mode, releases from root
- Support per-app working directories via matrix
- Install @semantic-release/changelog for per-app changelogs

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat: add unified build workflow for Docker images

- Support both DockerHub and GHCR registries
- Optional change detection with filter_paths for monorepo
- Platform strategy: beta/rc = amd64 only, release = amd64+arm64
- Semantic versioning tags
- Optional app name prefix for monorepo apps
- Build caching with GitHub Actions cache
- Default runner: firmino-lxc-runners

Also updated release.yml default runner to firmino-lxc-runners.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat: use changed-paths.yml internally for monorepo detection

Updated build.yml, release.yml, and pr-security-scan.yml to use
the local changed-paths.yml workflow instead of external action.

- Removed dependency on LerianStudio/github-actions-changed-paths
- All workflows now use 3-job pattern: detect_changes -> prepare -> main job
- Changed filter_paths to JSON array format for consistency
- Default runner: firmino-lxc-runners

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: improve GHCR authentication and image naming

- Use github.actor for GHCR username (matches existing pipeline)
- Require ghcr_token secret (no fallback)
- Normalize repository owner to lowercase (GHCR requirement)

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: use github-actions-changed-paths action in all workflows

Switched from workflow call (./.github/workflows/changed-paths.yml)
to using the action (LerianStudio/github-actions-changed-paths@main)
as a step within jobs.

This approach works because actions can be used from any repository,
while workflow calls with relative paths fail when called from
external repositories.

- build.yml: use action in prepare job
- release.yml: use action in prepare job
- pr-security-scan.yml: already using action (no change)

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: remove block scalar from filter_paths to fix action input

The YAML block scalar (|-) was causing issues when passing
filter_paths to the github-actions-changed-paths action.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: move working_directory to action input for semantic-release step

working-directory is only valid for 'run' steps, not 'uses' steps.
The cycjimmy/semantic-release-action accepts working_directory as an input.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: add Node.js setup step for release workflow

Self-hosted runners may not have Node.js installed.
Add actions/setup-node@v4 to ensure npm is available.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: extract version from prefixed tag for Docker metadata

Monorepo tags like 'agent-v1.0.0-beta.1' need the prefix stripped
to get a valid semver 'v1.0.0-beta.1' for docker/metadata-action.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: handle multi-hyphen app names in version extraction

Use sed pattern that finds '-v' followed by digit to properly extract
version from tags like 'control-plane-v1.0.0-beta.1'.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat(go-pr-analysis): add single-app mode when filter_paths is empty

When filter_paths is not provided or empty, the workflow now treats
the repository as a single-app repo and runs against the root directory
instead of trying to detect changed directories.

This simplifies usage for non-monorepo Go projects:
- Monorepo: filter_paths: '["apps/api", "apps/worker"]'
- Single-app: filter_paths not set (or empty)

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat(build): add GitOps artifacts upload support

- Add enable_gitops_artifacts input (default: false)
- Upload tag artifacts for downstream gitops-update workflow
- Artifacts follow pattern: gitops-tags-<app-name>/<app-name>.tag

* feat(workflows): add Slack notifications to all reusable workflows

- Created slack-notify.yml reusable workflow for centralized notifications
- All workflows now notify on both success and failure
- Messages include: repo name, author, failed jobs (on failure), commit, branch
- Graceful degradation when SLACK_WEBHOOK_URL secret not configured
- Uses secrets: inherit pattern for app repos (no per-repo configuration needed)

Updated workflows:
- build.yml
- go-pr-analysis.yml
- pr-validation.yml
- pr-security-scan.yml
- release.yml
- gitops-update.yml
- api-dog-e2e-tests.yml
- go-release.yml

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat(workflows): migrate to secrets inherit pattern

- Remove secrets declarations from workflow_call (workflows now use org secrets directly)
- Update secret references to use uppercase org secret names:
  - DOCKER_USERNAME, DOCKER_PASSWORD
  - MANAGE_TOKEN
  - LERIAN_STUDIO_MIDAZ_PUSH_BOT_APP_ID, LERIAN_STUDIO_MIDAZ_PUSH_BOT_PRIVATE_KEY
  - LERIAN_CI_CD_USER_GPG_KEY, LERIAN_CI_CD_USER_GPG_KEY_PASSWORD
  - LERIAN_CI_CD_USER_NAME, LERIAN_CI_CD_USER_EMAIL
  - ARGOCD_GHUSER_TOKEN, ARGOCD_URL
  - TAP_GITHUB_TOKEN, GORELEASER_KEY, NPMRC_TOKEN
- Keep slack-notify.yml with secret input (nested workflow requirement)
- Keep api-dog-e2e-tests.yml unchanged (app-specific secrets, notifications commented out)

App repos now use 'secrets: inherit' for simpler configuration.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* feat(pr-validation): add source branch validation

- Add enforce_source_branches input to enable branch source checking
- Add allowed_source_branches input for configuring allowed patterns
- Add target_branches_for_source_check input for specifying protected branches
- Add pr-source-branch job that validates and adds REQUEST_CHANGES review if invalid
- Supports exact match (develop) and prefix match (hotfix/*) patterns

* fix(pr-security-scan): scan only changed component folder instead of entire repo

- Change scan-ref from '.' to matrix.working_dir
- Only scans the component folder that has changes
- Prevents scanning unrelated folders in monorepos

* feat(go-pr-analysis): add support for private Go modules

- Add go_private_modules input to specify GOPRIVATE pattern
- Configure git authentication using MANAGE_TOKEN for private repos
- Apply to all jobs: lint, security, tests, coverage, build

* fix(go-pr-analysis): clarify coverage report title as Unit Test Coverage

* chore: standardize runner_type parameter with firmino-lxc-runners default

- Renamed runner to runner_type in build.yml and release.yml
- Updated default from ubuntu-* to firmino-lxc-runners in all workflows:
  - build.yml
  - release.yml
  - go-pr-analysis.yml
  - pr-validation.yml
  - pr-security-scan.yml
  - slack-notify.yml
  - go-ci.yml
  - go-coverage-check.yml
  - go-release.yml
  - go-security.yml
  - go-unit-tests.yml
  - changed-paths.yml

* fix: enable CGO for race detector in tests

-race flag requires cgo to be enabled

* fix: remove -race flag from tests (requires gcc not available on custom runners)

* fix: restore -race flag with CGO_ENABLED=1 (gcc now available on runners)

* docs: update documentation and remove duplicate workflows

- Remove go-coverage-check.yml and go-unit-tests.yml (now in go-pr-analysis)
- Add build-workflow.md documentation
- Add slack-notify-workflow.md documentation
- Update go-pr-analysis-workflow.md with private modules, CGO_ENABLED, secrets inherit
- Update pr-validation-workflow.md with source branch validation feature
- Update pr-security-scan-workflow.md with component-scoped scanning
- Update release-workflow.md to use runner_type parameter
- Update README.md with new workflows and remove duplicate entries

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

* fix: update self-release.yml to use runner_type and secrets inherit

- Changed runner to runner_type parameter
- Changed explicit secrets to secrets: inherit pattern

* fix: use ubuntu-latest runner for self-release

---------

Co-authored-by: Guilherme Moreira Rodrigues <gui.rodrigues@lerian.studio>
Co-authored-by: Guilherme Moreira Rodrigues <30627541+guimoreirar@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Author: 4 people

.github/dependabot.yml

@@ -6,7 +6,7 @@ updates:
     schedule:
       interval: "weekly"
       day: "monday"
-    target-branch: "main"
+    target-branch: "develop"
     labels:
       - "dependencies"
       - "github-actions"
@@ -33,7 +33,7 @@ updates:
     schedule:
       interval: "weekly"
       day: "wednesday"
-    target-branch: "main"
+    target-branch: "develop"
     labels:
       - "dependencies"
       - "go"

.github/pull_request_template.md

@@ -0,0 +1,73 @@
+## Description
+
+<!-- Provide a brief description of the changes in this PR -->
+
+## Type of Change
+
+<!-- Mark the relevant option with an "x" -->
+
+- [ ] `feat`: New feature or workflow
+- [ ] `fix`: Bug fix
+- [ ] `docs`: Documentation update
+- [ ] `refactor`: Code refactoring
+- [ ] `perf`: Performance improvement
+- [ ] `test`: Adding or updating tests
+- [ ] `ci`: CI/CD configuration changes
+- [ ] `chore`: Maintenance tasks
+- [ ] `BREAKING CHANGE`: Breaking change (requires major version bump)
+
+## Affected Workflows
+
+<!-- Mark all workflows affected by this PR -->
+
+- [ ] GitOps Update
+- [ ] API Dog E2E Tests
+- [ ] PR Security Scan
+- [ ] Release Workflow
+- [ ] Other (specify): _______________
+
+## Changes Made
+
+<!-- List the main changes in this PR -->
+
+-
+-
+-
+
+## Breaking Changes
+
+<!-- If this is a breaking change, describe what breaks and how to migrate -->
+
+**None** / **Describe breaking changes here**
+
+## Testing
+
+<!-- Describe how you tested these changes -->
+
+- [ ] Tested locally
+- [ ] Tested in development environment
+- [ ] Tested with example repository: _______________
+- [ ] All existing workflows still work
+
+## Checklist
+
+<!-- Ensure all items are completed before requesting review -->
+
+- [ ] Code follows conventional commit format
+- [ ] Documentation updated (if applicable)
+- [ ] Examples updated (if applicable)
+- [ ] No hardcoded secrets or sensitive data
+- [ ] Backward compatible (or breaking changes documented)
+- [ ] Self-review completed
+- [ ] Comments added for complex logic
+
+## Related Issues
+
+<!-- Link any related issues -->
+
+Closes #
+Related to #
+
+## Additional Notes
+
+<!-- Add any additional context, screenshots, or information -->

.github/workflows/api-dog-e2e-tests.yml

@@ -10,10 +10,6 @@ on:
         description: 'Node.js version to use'
         type: string
         default: '20'
-      environment_id:
-        description: 'Apidog environment ID (optional - will auto-detect from tag if not provided)'
-        required: false
-        type: string
       test_iterations:
         description: 'Number of test iterations'
         type: string
@@ -37,6 +33,9 @@ on:
       apidog_access_token:
         description: 'Apidog access token for authentication'
         required: true
+      environment_id:
+        description: 'Apidog environment ID (optional - will auto-detect from tag if not provided)'
+        required: false
       dev_environment_id:
         description: 'Apidog dev environment ID (for beta tags)'
         required: false
@@ -82,7 +81,7 @@ jobs:
       - name: Set manual environment ID
         if: ${{ !inputs.auto_detect_environment }}
         run: |
-          echo "ENVIRONMENT_ID=${{ inputs.environment_id }}" >> $GITHUB_ENV
+          echo "ENVIRONMENT_ID=${{ secrets.environment_id }}" >> $GITHUB_ENV
           echo "TAG_TYPE=manual" >> $GITHUB_ENV
 
       - name: Run Apidog Test Scenario
@@ -111,4 +110,17 @@ jobs:
         if: always()
         run: |
           npm uninstall -g apidog-cli || true
-          rm -rf $(npm root -g)/apidog-cli || true
+          rm -rf $(npm root -g)/apidog-cli || true
+
+  # TODO: Add Slack notification when ready
+  # notify:
+  #   name: Notify
+  #   needs: [api-dog-e2e-tests]
+  #   if: always()
+  #   uses: ./.github/workflows/slack-notify.yml
+  #   with:
+  #     status: ${{ needs.api-dog-e2e-tests.result }}
+  #     workflow_name: "API Dog E2E Tests"
+  #     failed_jobs: ${{ needs.api-dog-e2e-tests.result == 'failure' && 'E2E Tests' || '' }}
+  #   secrets:
+  #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/build.yml

@@ -0,0 +1,249 @@
+name: "Build and Push Docker Images"
+
+# This reusable workflow handles Docker image builds and pushes to registries
+# Supports both DockerHub and GHCR (GitHub Container Registry)
+#
+# Features:
+# - Monorepo support with optional change detection via LerianStudio/github-actions-changed-paths
+# - Multi-registry support (DockerHub and/or GHCR)
+# - Platform strategy: beta/rc builds amd64 only, release builds amd64+arm64
+# - Semantic versioning tags
+# - GitOps artifacts upload for downstream gitops-update workflow
+
+on:
+  workflow_call:
+    inputs:
+      runner_type:
+        description: 'Runner to use for the workflow'
+        type: string
+        default: 'firmino-lxc-runners'
+      filter_paths:
+        description: 'Newline-separated list of path prefixes to filter. If not provided, builds from root.'
+        type: string
+        required: false
+        default: ''
+      path_level:
+        description: 'Limits the path to the first N segments (e.g., 2 -> "apps/agent")'
+        type: string
+        default: '2'
+      enable_dockerhub:
+        description: 'Enable pushing to DockerHub'
+        type: boolean
+        default: true
+      enable_ghcr:
+        description: 'Enable pushing to GitHub Container Registry'
+        type: boolean
+        default: false
+      dockerhub_org:
+        description: 'DockerHub organization name'
+        type: string
+        default: 'lerianstudio'
+      ghcr_org:
+        description: 'GHCR organization name (defaults to repository owner)'
+        type: string
+        default: ''
+      dockerfile_name:
+        description: 'Name of the Dockerfile'
+        type: string
+        default: 'Dockerfile'
+      app_name_prefix:
+        description: 'Prefix for app names in monorepo (e.g., "midaz" results in "midaz-agent")'
+        type: string
+        default: ''
+      build_context:
+        description: 'Docker build context (defaults to repository root for monorepo)'
+        type: string
+        default: '.'
+      enable_gitops_artifacts:
+        description: 'Enable GitOps artifacts upload for downstream gitops-update workflow'
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  prepare:
+    runs-on: ${{ inputs.runner_type }}
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+      has_builds: ${{ steps.set-matrix.outputs.has_builds }}
+      platforms: ${{ steps.set-platforms.outputs.platforms }}
+      is_release: ${{ steps.set-platforms.outputs.is_release }}
+    steps:
+      - name: Get changed paths (monorepo)
+        if: inputs.filter_paths != ''
+        id: changed-paths
+        uses: LerianStudio/github-actions-changed-paths@main
+        with:
+          filter_paths: ${{ inputs.filter_paths }}
+          path_level: ${{ inputs.path_level }}
+          get_app_name: 'true'
+          app_name_prefix: ${{ inputs.app_name_prefix }}
+
+      - name: Set matrix
+        id: set-matrix
+        run: |
+          if [ -z "${{ inputs.filter_paths }}" ]; then
+            # Single app mode - build from root
+            APP_NAME="${{ github.event.repository.name }}"
+            echo "matrix=[{\"name\": \"${APP_NAME}\", \"working_dir\": \".\"}]" >> $GITHUB_OUTPUT
+            echo "has_builds=true" >> $GITHUB_OUTPUT
+          else
+            MATRIX='${{ steps.changed-paths.outputs.matrix }}'
+            if [ "$MATRIX" == "[]" ] || [ -z "$MATRIX" ]; then
+              echo "matrix=[]" >> $GITHUB_OUTPUT
+              echo "has_builds=false" >> $GITHUB_OUTPUT
+            else
+              echo "matrix=$MATRIX" >> $GITHUB_OUTPUT
+              echo "has_builds=true" >> $GITHUB_OUTPUT
+            fi
+          fi
+
+      - name: Set platforms based on tag type
+        id: set-platforms
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          
+          if [[ "$TAG" == *"-beta"* ]] || [[ "$TAG" == *"-rc"* ]]; then
+            echo "platforms=linux/amd64" >> $GITHUB_OUTPUT
+            echo "is_release=false" >> $GITHUB_OUTPUT
+            echo "Building for amd64 only (beta/rc tag)"
+          else
+            echo "platforms=linux/amd64,linux/arm64" >> $GITHUB_OUTPUT
+            echo "is_release=true" >> $GITHUB_OUTPUT
+            echo "Building for amd64 and arm64 (release tag)"
+          fi
+
+  build:
+    needs: prepare
+    if: needs.prepare.outputs.has_builds == 'true'
+    runs-on: ${{ inputs.runner_type }}
+    name: Build ${{ matrix.app.name }}
+    strategy:
+      max-parallel: 2
+      fail-fast: false
+      matrix:
+        app: ${{ fromJson(needs.prepare.outputs.matrix) }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        if: needs.prepare.outputs.is_release == 'true'
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to DockerHub
+        if: inputs.enable_dockerhub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Log in to GHCR
+        if: inputs.enable_ghcr
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.MANAGE_TOKEN }}
+
+      - name: Normalize repository owner to lowercase
+        id: normalize
+        run: |
+          echo "owner_lower=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT
+
+      - name: Set image names
+        id: image-names
+        run: |
+          IMAGES=""
+          GHCR_ORG="${{ inputs.ghcr_org }}"
+          if [ -z "$GHCR_ORG" ]; then
+            GHCR_ORG="${{ steps.normalize.outputs.owner_lower }}"
+          else
+            GHCR_ORG=$(echo "$GHCR_ORG" | tr '[:upper:]' '[:lower:]')
+          fi
+          
+          if [ "${{ inputs.enable_dockerhub }}" == "true" ]; then
+            IMAGES="${{ inputs.dockerhub_org }}/${{ matrix.app.name }}"
+          fi
+          
+          if [ "${{ inputs.enable_ghcr }}" == "true" ]; then
+            if [ -n "$IMAGES" ]; then
+              IMAGES="${IMAGES},ghcr.io/${GHCR_ORG}/${{ matrix.app.name }}"
+            else
+              IMAGES="ghcr.io/${GHCR_ORG}/${{ matrix.app.name }}"
+            fi
+          fi
+          
+          echo "images=$IMAGES" >> $GITHUB_OUTPUT
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          TAG="${GITHUB_REF#refs/tags/}"
+          # Strip app prefix by finding -v and extracting from there
+          # e.g., agent-v1.0.0-beta.1 -> v1.0.0-beta.1
+          # e.g., control-plane-v1.0.0-beta.1 -> v1.0.0-beta.1
+          VERSION=$(echo "$TAG" | sed 's/.*-\(v[0-9]\)/\1/')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Extracted version: $VERSION from tag: $TAG"
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ steps.image-names.outputs.images }}
+          tags: |
+            type=semver,pattern={{version}},value=${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}},value=${{ steps.version.outputs.version }},enable=${{ needs.prepare.outputs.is_release }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ${{ inputs.build_context }}
+          file: ${{ matrix.app.working_dir }}/${{ inputs.dockerfile_name }}
+          platforms: ${{ needs.prepare.outputs.platforms }}
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # GitOps artifacts for downstream gitops-update workflow
+      - name: Create GitOps tag artifact
+        if: inputs.enable_gitops_artifacts
+        run: |
+          set -euo pipefail
+          mkdir -p gitops-tags
+          # Extract version without leading 'v'
+          VERSION="${{ steps.version.outputs.version }}"
+          VERSION="${VERSION#v}"
+          printf "%s" "$VERSION" > "gitops-tags/${{ matrix.app.name }}.tag"
+          echo "Created artifact: gitops-tags/${{ matrix.app.name }}.tag with version: $VERSION"
+
+      - name: Upload GitOps tag artifact
+        if: inputs.enable_gitops_artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitops-tags-${{ matrix.app.name }}
+          path: gitops-tags/
+
+  # Slack notification
+  notify:
+    name: Notify
+    needs: [prepare, build]
+    if: always() && needs.prepare.outputs.has_builds == 'true'
+    uses: ./.github/workflows/slack-notify.yml
+    with:
+      status: ${{ needs.build.result }}
+      workflow_name: "Build & Push Docker Images"
+      failed_jobs: ${{ needs.build.result == 'failure' && 'Build' || '' }}
+    secrets:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}