release: publish trust-manager.crds.yaml as a GitHub Release artifact

[Sanil2108]

Summary

Fixes #142. Adds a new `render-crds` make target that produces a stand-alone `trust-manager.crds.yaml` and attaches it to each draft GitHub Release — same convenience cert-manager itself ships as `cert-manager.crds.yaml`.

What changed

`make/release-crds.mk` (new)

```make
$(crds_release_artifact): $(helm_chart_archive) | $(NEEDS_HELM) $(NEEDS_YQ) $(bin_dir)/scratch
$(HELM) template trust-manager $(helm_chart_archive) \
--set crds.enabled=true \
--set crds.keep=false \
--show-only templates/crd-trust.cert-manager.io_bundles.yaml \
--no-hooks \
| $(YQ) 'del(.metadata.labels."app.kubernetes.io/managed-by", .metadata.labels."helm.sh/chart")' \
> $@
```

Rendering against `$(helm_chart_archive)` (the packaged tarball) rather than `$(helm_chart_source_dir)` is deliberate — `helm package --app-version` rewrites the chart's version, so the rendered CRD picks up the actual release tag in its `app.kubernetes.io/version` label. Templating against the source dir directly would ship a CRD labelled `v0.0.0`.

The yq filter strips the Helm-runtime-only labels (`app.kubernetes.io/managed-by`, `helm.sh/chart`) and `crds.keep=false` removes the `helm.sh/resource-policy: keep` annotation, so the artifact is suitable for plain `kubectl apply`.

`make/02_mod.mk`

Includes the new file and runs `render-crds` as the last step of `make release`. Echoes `RELEASE_CRDS_ARTIFACT=$(crds_release_artifact)` to `$GITHUB_OUTPUT` so the workflow can find it.

`.github/workflows/release.yaml`

The `build_and_push` job uploads `_bin/scratch/trust-manager.crds.yaml` as a workflow artifact (pinned `actions/upload-artifact@v7.0.1` SHA, matching the repo's existing SHA-pinning convention). The `github_release` job downloads it and passes it as a positional file argument to `gh release create` so it's attached to the draft release.

Test plan

• `helm template … | yq …` renders cleanly against the current chart locally — output is well-formed CRD YAML, no Helm-runtime labels left.
• Full release pipeline (only verifiable on a tag push). Worth flagging: `render-crds` is fatal in `make release` — if the template or yq filter fails, the release blocks. That's intentional (you'd want to know your release artifact pipeline broke), but happy to make it best-effort if you'd prefer.

Notes

• The downstream URL pattern after merge will be `https://github.com/cert-manager/trust-manager/releases/download//trust-manager.crds.yaml` — matching cert-manager's pattern, addressing the workaround commenters were asking for in expose bundles CRD as release artifact #142.
• I picked v7.0.1 / v8.0.1 for upload/download artifact since they're the current latest. Happy to drop to older majors if you have a preference.

Fixes #142

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign hjoshi123 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cert-manager-prow]

Hi @Sanil2108. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Sanil2108]

Hi @erikgb — just checking in on this one. It's been about three weeks since I opened the PR and I wanted to make sure I haven't missed any feedback. Happy to make changes if anything needs adjusting. Thanks!

[erikgb]

@Sanil2108, thanks for the ping! This PR appears like an AI-generated PR. 🤠 Please confirm that you personally understand all the proposed changes and describe how you have tested the changes. Some of it will need to be tested when performing a release. I can cut an alpha release to test this after the PR is merged.

[cert-manager-prow]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.