chore(pipe): add ORAS installation and tagging for latest chart version

[guimoreirar]

Midaz Pull Request Checklist

Pull Request Type

• Midaz
• Plugin Access Manager
• Plugin CRM
• Reporter
• Plugin Fees
• Plugin BR PIX Direct JD
• Plugin BR PIX Indirect BTG
• Otel Collector
• Pipeline
• Documentation
• Fetcher
• Matcher
• Flowker
• Underwriter

Checklist

Please check each item after it's completed.

• I have tested these changes locally.
• I have updated the documentation accordingly.
• I have added necessary comments to the code, especially in complex areas.
• I have ensured that my changes adhere to the project's coding standards.
• I have checked for any potential security issues.
• I have ensured that all tests pass.
• I have updated the version appropriately (if applicable).
• I have confirmed this code is ready for review.

Additional Notes

Obs: Please, always remember to target your PR to develop branch instead of main.

[coderabbitai]

Walkthrough

The release workflow in .github/workflows/release.yml was extended with two new steps that run on a new release published to main: one step installs ORAS using oras-project/setup-oras@v1.2.4; the other authenticates to GitHub Container Registry and Docker Hub and uses ORAS to copy the released Helm chart image from its versioned tag to a latest tag in both registries.

Sequence Diagram(s)

sequenceDiagram
    participant Release as Release event
    participant Runner as GitHub Actions runner
    participant ORAS as ORAS tool
    participant GHCR as GitHub Container Registry
    participant Docker as Docker Hub

    Release->>Runner: trigger release workflow
    Runner->>Runner: install oras (oras-project/setup-oras@v1.2.4)
    Runner->>ORAS: authenticate to GHCR (token)
    Runner->>ORAS: authenticate to Docker Hub (username/password)
    ORAS->>GHCR: copy chart image from vX.Y.Z tag to latest
    ORAS->>Docker: copy chart image from vX.Y.Z tag to latest
    Runner-->>Release: step complete

Loading

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	PR description follows the required template structure with PR Type selected (Pipeline) and multiple checklist items completed; however, critical sections lack substantive content.	Add detailed explanation in 'Additional Notes' section describing the purpose of ORAS installation, why chart tagging is needed, and any implementation details or breaking changes. Document which checklist items apply to this CI workflow change.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding ORAS installation and tagging for latest chart version in the pipeline workflow.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gandalf-at-lerian]

LGTM! Clean addition — ORAS cp is the right approach for OCI re-tagging. Conditions are properly scoped to main + new release. Blocking behavior on registry sync is the correct call to keep GHCR and Docker Hub consistent.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 182-183: The second oras cp command is using Docker Hub as the
source but the versioned chart is published only to GHCR; update the source in
the second command so it copies from ghcr.io/lerianstudio/${CHART}:${VERSION} to
registry-1.docker.io/lerianstudio/${CHART}:latest (i.e., change the source
reference in the oras cp that currently starts with
"registry-1.docker.io/lerianstudio/${CHART}:${VERSION}" to
"ghcr.io/lerianstudio/${CHART}:${VERSION}") so the push to Docker Hub pulls the
versioned artifact from GHCR.
- Around line 169-171: Replace the floating tag in the GitHub Actions step named
"Install oras" (uses: oras-project/setup-oras@v1.2.4) with the action pinned to
the full commit SHA for that release (e.g., oras-project/setup-oras@<full-sha>),
and add a trailing comment containing the tag for human clarity (e.g., #
v1.2.4); update the uses line to reference the full SHA instead of `@v1.2.4` to
prevent tag retargeting and preserve supply-chain integrity.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a6aa2f1e-de19-4d36-ae73-ca4a964ebbad

📥 Commits

Reviewing files that changed from the base of the PR and between 3ed9fbe and a0c267e.

📒 Files selected for processing (1)

• .github/workflows/release.yml