ci(cd): normalize and align CD pipeline (#465) #466

Merged: nanotaboada merged 1 commit into master from ci/normalize-cd-pipeline on Apr 12, 2026

nanotaboada (Owner) commented Apr 12, 2026

Summary

  • Extract test job from release so tests run in isolation before any publish step
  • Add linux/arm64 to build platforms
  • Add id-token: write and attestations: write permissions to release
  • Set provenance: mode=max; attest image digest with actions/attest-build-provenance@v4.1.0
  • Add --no-merges to the changelog git log command
  • Add empty changelog guard ("No new changes since $PREVIOUS_TAG")
  • Normalize first-release message to "No changes (first release)"
  • Remove changelog.txt write step
  • Add ## Changes section to release body

Test plan

  • CI passes on this branch
  • test job runs and fails fast if tests fail (before Docker build starts)
  • release job only runs when test succeeds
  • Verify attestation step on next tagged release

Closes #465

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Improvements
    • Extended platform support to build for ARM64 architecture in addition to AMD64.
    • Added build provenance attestations to enable security verification of published releases.
    • Refactored testing workflow to run as a dedicated step prior to release steps.
    • Improved changelog generation with better handling of first releases and empty updates.

- Extract test job from release so tests run before any publish step
- Add linux/arm64 to build platforms
- Add id-token: write and attestations: write to release permissions
- Set provenance: mode=max
- Add id: push and actions/attest-build-provenance@v4.1.0
- Add --no-merges to changelog git log command
- Add empty changelog guard
- Normalize first-release message to "No changes (first release)"
- Remove changelog.txt write step
- Add ## Changes section to release body

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
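
A workflow fragment showing how the changes listed above fit together (added example, not the repository's own dotnet-cd.yml). The tag trigger, the ghcr.io/OWNER/IMAGE name, the .NET version, the `contents` and `packages` scopes, and every action version except actions/attest-build-provenance@v4.1.0 are assumptions.

```yaml
# Added example, not the repository's dotnet-cd.yml. Assumed/placeholder values:
# tag trigger, ghcr.io/OWNER/IMAGE, .NET version, and all action versions
# except actions/attest-build-provenance@v4.1.0 (the one named in the PR).
on:
  push:
    tags: ["v*"]

permissions:
  contents: read            # workflow-wide default stays read-only

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: "8.0.x"
      - run: dotnet test --configuration Release

  release:
    needs: test             # nothing is built or pushed unless tests pass
    runs-on: ubuntu-latest
    permissions:            # write scopes granted only to the publishing job
      contents: write       # create the GitHub Release (assumed)
      packages: write       # push the image to GHCR (assumed registry)
      id-token: write       # OIDC token used to sign the attestation
      attestations: write   # store the attestation for the repository
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-qemu-action@v3     # emulation for the arm64 build
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push            # step id exposes the pushed manifest digest
        uses: docker/build-push-action@v6
        with:
          push: true
          platforms: linux/amd64,linux/arm64
          provenance: mode=max
          tags: ghcr.io/OWNER/IMAGE:${{ github.ref_name }}
      - uses: actions/attest-build-provenance@v4.1.0
        with:
          subject-name: ghcr.io/OWNER/IMAGE
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
```

The attestation is bound to the digest returned by the push step rather than to a mutable tag. After a tagged release it can be checked with `gh attestation verify oci://ghcr.io/OWNER/IMAGE:TAG --owner OWNER`.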

coderabbitai Bot commented Apr 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 4a81db3 and bdf9328.

📒 Files selected for processing (2)
  • .github/workflows/dotnet-cd.yml
  • CHANGELOG.md

Walkthrough

Restructured the CD pipeline by extracting a dedicated test job that runs before deployment, extended Docker image publishing to support multi-architecture builds (amd64 and arm64), enabled build provenance attestation, and improved changelog generation with merge-commit exclusion and empty-changelog guards.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CD Pipeline Restructuring: .github/workflows/dotnet-cd.yml | Extracted a dedicated test job performing .NET restore/build/test steps; added needs: test dependency to release job and removed inlined test steps; extended Docker platforms from linux/amd64 to linux/amd64,linux/arm64; enabled provenance with provenance: mode=max and added actions/attest-build-provenance@v4.1.0 step; updated release job permissions to include id-token: write and attestations: write; enhanced changelog generation with --no-merges flag, empty-changelog fallback ("No new changes since $PREVIOUS_TAG"), and normalized first-release message to "No changes (first release)"; added "## Changes" section to GitHub Release body. |
| Changelog Documentation: CHANGELOG.md | Added release notes documenting CI/CD pipeline adjustments: test job isolation, multi-architecture support, provenance permissions, attestation integration, and changelog generation improvements. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Assessment against linked issues

| Objective | Addressed | Explanation |
| --- | --- | --- |
| Extract dedicated test job with checkout, setup .NET, restore, build (Release), and run tests [#465] | | |
| Add needs: test to release job and remove inlined test steps [#465] | | |
| Add id-token: write and attestations: write permissions to release job [#465] | | |
| Add linux/arm64 platform and enable provenance: mode=max with actions/attest-build-provenance@v4.1.0 [#465] | | |
| Tighten changelog generation: add --no-merges, empty-changelog guard, and normalize first-release message [#465] | | |

Possibly related issues

  • #564: Applies the same CD pipeline restructuring (test job extraction, multi-arch builds, provenance/attestations, changelog --no-merges) to a Python FastAPI repository
  • chore(ci): add cache for NuGet packages on Azure Pipelines #90: Implements identical CI/CD workflow changes (test job separation, multi-platform Docker builds, attestation integration, changelog generation improvements) for a Rust Rocket project
  • chore(deps): Bump Serilog.AspNetCore from 9.0.0 to 10.0.0 #314: Mirrors the same CD pipeline normalization across job structure, Docker platforms, provenance configuration, and changelog logic in a Java Spring Boot repository
  • #581: Applies matching workflow modifications (separate test job, linux/arm64 multi-arch, provenance/attestations, --no-merges changelog) to a TypeScript Express project
  • Add PostgreSQL support as configurable database provider #249: Implements the same set of CD workflow adjustments (test job extraction, multi-arch platforms, provenance/attestations, changelog filtering) for a Go Gin repository

Possibly related PRs

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title follows Conventional Commits format (ci(cd):), is under 80 characters (46), and accurately describes the main changes to normalize and align the CD pipeline. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


nanotaboada (Owner, Author) commented

@coderabbitai review

coderabbitai Bot commented Apr 12, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

nanotaboada merged commit 2afc5e5 into master on Apr 12, 2026 (9 checks passed)
nanotaboada deleted the ci/normalize-cd-pipeline branch on April 12, 2026 02:46