chore(main): release 3.38.0

[jsell-rh]

🤖 I have created a release beep boop

3.38.0 (2026-06-23)

Features

• knowledge graph creation, GMA, extraction jobs, and maintenance pipeline (#737) (806322f)

---

This PR was generated with Release Please. See documentation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b825d303-809b-44c6-b145-4eddd8f37c6a

📥 Commits

Reviewing files that changed from the base of the PR and between 806322f and 4a633dd.

📒 Files selected for processing (5)

• .github/.release-please-manifest.json
• CHANGELOG.md
• src/api/pyproject.toml
• src/dev-ui/VERSION
• website/package.json

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

---

📝 Walkthrough

Summary by CodeRabbit

Release v3.38.0

• New Features
  • Knowledge graph creation
  • GMA enhancements
  • Extraction job improvements
  • Maintenance pipeline updates

Walkthrough

Version string bumped from 3.37.1 to 3.38.0 across five files: the release-please manifest (.github/.release-please-manifest.json), Python API package definition (src/api/pyproject.toml), dev-ui version file (src/dev-ui/VERSION), website package descriptor (website/package.json), and CHANGELOG.md. The changelog entry is dated 2026-06-23 and records a Features entry for knowledge graph creation, GMA, extraction jobs, and maintenance pipeline.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

---

Supply chain note — CWE-494 (Download of Code Without Integrity Check), CWE-693 (Protection Mechanism Failure):

.github/.release-please-manifest.json is a CI/CD-controlled artifact. A tampered version string here directly influences what release-please tags, publishes, and promotes to registries. Verify the commit originates from the automated release bot identity, not a human committer impersonating it. Any human push to this file is a red flag for pipeline integrity violation.

website/package.json version drift without a corresponding package-lock.json bump in this diff — confirm the lockfile was updated out-of-band or the registry publish step does not resolve unexpected transitive versions at build time (CWE-829).

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
No Hardcoded Secrets	⚠️ Warning	PR adds env/api.env with base64 encryption key (44 chars, >32 limit) and env/spicedb.env with embedded credentials in URL (postgres://user:pass@host): CWE-798.	Remove KARTOGRAPH_MGMT_ENCRYPTION_KEY from env/api.env and move database credentials from SPICEDB_DATASTORE_CONN_URI to separate environment variables.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main change: a version release bump from 3.37.1 to 3.38.0 across all package manifests and version files.
Description check	✅ Passed	The description is directly related to the changeset, providing auto-generated release notes that document the feature additions and version bump for v3.38.0.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	PR contains only version bumps and changelog updates; no logging statements with secrets found in modified files.
No Weak Cryptography	✅ Passed	PR contains only version bumps and release notes; no cryptographic code, weak primitives (MD5, DES, RC4, SHA1 security-purposes), or unsafe secret comparisons introduced.
No Injection Vectors	✅ Passed	Release PR bumps version 3.37.1→3.38.0 with version file updates, config changes, and documentation. All SQL queries use psycopg2 parameterized queries (sql.SQL/sql.Identifier), subprocess calls us...
No Privileged Containers	✅ Passed	PR contains only version bumps and changelog entries; no Kubernetes manifests, Helm templates, or Dockerfiles are modified, making privileged container check not applicable.
No Pii Or Sensitive Data In Logs	✅ Passed	No logging statements present in PR changes; release-only version bumps in configuration and changelog files contain no PII, session IDs, or sensitive data.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch release-please--branches--main--components--kartograph

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch release-please--branches--main--components--kartograph

---

_{Comment @coderabbitai help to get the list of available commands.}

[github-actions]

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-06-23 18:47 UTC

[jsell-rh]

🤖 Created releases:

• v3.38.0

🌻

[aredenba-rh]

Release 3.38.0 tagged on main following merge of #737 (knowledge graph management, GMA, extraction jobs, maintenance pipeline).

What happens next (automated):

1. Konflux on-push pipelines build all four components (api, dev-ui, agent-runtime, openshell-gateway) from main
2. Successful builds open deploy-tag PRs in hp-fleet-gitops bumping stage image tags
3. ArgoCD syncs stage once those PRs are merged

Konflux bootstrap PRs #775 / #776 were closed as superseded — pipeline YAML landed via #737.