GRIF-716.2: Add workflow_dispatch for promoting bricks stable tag

.github/workflows/lcm-pipeline.yaml

@@ -303,13 +303,28 @@ jobs:
             --repo ${{ github.repository }} \
             --body "## LCM bricks image available
 
-          New image \`stable/lcm-bricks\` available and tagged for all prod clusters.
-          Please, manually run the respective rundeck job for each: ${{ secrets.RUNDECK_URL }}
+          New image \`stable/lcm-bricks\` is available.
 
           | | |
           |---|---|
           | **Version** | \`${{ needs.prepare-build.outputs.service_version }}\` |
-          | **Build tag** | \`${{ needs.prepare-build.outputs.image_tag }}\` |"
+          | **Build tag** | \`${{ needs.prepare-build.outputs.image_tag }}\` |
+
+          ### Next steps
+
+          **1. Tag the image with its major version**
+          Run the [LCM: Retag stable image to major version](${{ github.server_url }}/${{ github.repository }}/actions/workflows/lcm-stable-retag.yaml) workflow dispatch:
+          - Go to **Actions → LCM: Retag stable image to major version → Run workflow**
+          - Set **tag** to \`${{ needs.prepare-build.outputs.service_version }}\`
+          - Leave **dry-run** unchecked and click **Run workflow**
+
+          Or via gh CLI:
+          \`\`\`
+          gh workflow run lcm-stable-retag.yaml --repo ${{ github.repository }} -f tag=${{ needs.prepare-build.outputs.service_version }} -f dry-run=false
+          \`\`\`
+
+          **2. Register bricks to prod clusters**
+          Once the retag completes, manually run the respective Rundeck job for each cluster: ${{ secrets.RUNDECK_URL }}"
         env:
           GH_TOKEN: ${{ secrets.TOKEN_GITHUB_YENKINS }}
 

.github/workflows/lcm-stable-retag.yaml

@@ -0,0 +1,89 @@
+name: "LCM: Retag stable image to major version"
+run-name: "Retag stable lcm-bricks ${{ inputs.tag }} → M${{ inputs.tag }}"
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Stable image tag to retag (e.g. 3.7.106)'
+        required: true
+        type: string
+      dry-run:
+        description: 'Dry-run only — print crane commands without executing'
+        required: true
+        default: false
+        type: boolean
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  retag-stable:
+    name: Retag stable/${{ inputs.tag }} to major version
+    runs-on:
+      group: infra1-runners-arc
+      labels: runners-small
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      INFRA_REPO_URL: ${{ secrets.ECR_URL }}
+    steps:
+      - name: Get required Vault secrets
+        uses: hashicorp/vault-action@v3
+        with:
+          url: ${{ secrets.VAULT_ADDRESS }}
+          method: jwt
+          path: jwt/github
+          role: ecr-ii-push
+          secrets: |
+            secret/data/v2/data-special/infra1-user-ecr-rw aws_ecr_access_key | AWS_ACCESS_KEY ;
+            secret/data/v2/data-special/infra1-user-ecr-rw aws_ecr_secret_key | AWS_SECRET_KEY ;
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_KEY }}
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          mask-password: 'true'
+
+      - name: Retag images
+        env:
+          TAG: ${{ inputs.tag }}
+          DRY_RUN: ${{ inputs.dry-run }}
+        run: |
+          set -euo pipefail
+          major=$(echo "$TAG" | cut -d. -f1)
+          major_tag="M${major}"
+          images=(lcm-bricks lcm-bricks-nextversion)
+          for image in "${images[@]}"; do
+            src="${INFRA_REPO_URL}/stable/${image}:${TAG}"
+            if [ "${DRY_RUN}" == 'true' ]; then
+              echo "[dry-run] crane tag ${src} ${major_tag}"
+            else
+              crane tag "${src}" "${major_tag}"
+              echo "Tagged ${image}:${TAG} → ${image}:${major_tag}"
+            fi
+          done
+
+      - name: Summary
+        env:
+          TAG: ${{ inputs.tag }}
+        run: |
+          set -euo pipefail
+          major=$(echo "$TAG" | cut -d. -f1)
+          {
+            echo "## LCM stable retag"
+            echo ""
+            echo "| | |"
+            echo "|---|---|"
+            echo "| **Source tag** | \`${TAG}\` |"
+            echo "| **Major tag** | \`M${major}\` |"
+            echo "| **Dry-run** | \`${{ inputs.dry-run }}\` |"
+          } >> "$GITHUB_STEP_SUMMARY"