fix: align otel-collector image tag with appVersion

[mfroembgen]

Problem

The clickstack chart on current main has appVersion: 2.28.0, but the default bundled collector image is still pinned to docker.clickhouse.com/clickhouse/clickstack-otel-collector:2.19.0.

As reported in #219, the older collector rejects the ClickHouse exporter json key pushed by newer ClickStack app versions:

'clickhouseexporter.Config' has invalid keys: json

That causes the default collector pod to crash loop.

Changes

• Bump the default otel-collector.image.tag from 2.19.0 to 2.28.0, matching the current chart appVersion.
• Update the appVersion workflow so future appVersion bumps also update the collector image tag.
• Add a patch changeset for the chart fix.

Verification

helm lint charts/clickstack
helm template smoke charts/clickstack --set clickhouse.persistence.enabled=false --set mongodb.persistence.enabled=false | rg 'clickstack-otel-collector|hyperdx:2\.28\.0|2\.19\.0|2\.28\.0'

The rendered default collector image is now:

image: "docker.clickhouse.com/clickhouse/clickstack-otel-collector:2.28.0"

Fixes #219.

Related to #220. Replaces closed #233 with only the original first commit.

[changeset-bot]

🦋 Changeset detected

Latest commit: ec07086

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
helm-charts	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

Deep Review

Scope: 3 files — charts/clickstack/values.yaml (collector image tag 2.19.0 → 2.28.0), .github/workflows/update-app-version.yml (new tag-sync step), .changeset/align-otel-collector-tag.md (new).
Intent: Align the default otel-collector.image.tag with chart appVersion: 2.28.0 to stop the older collector from crash-looping on a newer config key, and keep the two in sync on future bumps.

The core value change is correct: clickstack-otel-collector appears exactly once in values.yaml, the new tag matches appVersion, and the opentelemetry-collector subchart consumes otel-collector.image.tag as expected. The findings below concern the automation added to the workflow, not the rendered chart.

🔴 P0/P1 — must fix

• .github/workflows/update-app-version.yml:30 — the new step interpolates ${{ github.event.inputs.tag }} directly into the sed shell command, creating a script-injection sink and also breaking on legitimate tags containing &, /, or ".
  • Fix: bind the input to an env: variable and reference "$TAG" inside the quoted sed, and constrain the input to a version charset (e.g. ^[A-Za-z0-9._-]+$) before use.
  • _{security, correctness}

🟡 P2 — recommended

• .github/workflows/update-app-version.yml:30 — the /clickstack-otel-collector/{n;s/...} pattern depends on tag: being the line immediately after repository:; if that layout ever changes, sed exits 0 while changing nothing, producing a PR with appVersion bumped but the collector tag stale — silently reintroducing the mismatch this PR fixes.
  • Fix: target the YAML path with yq -i '.["otel-collector"].image.tag = ...', or add a post-step assertion that the tag was rewritten and equals the new appVersion, failing the workflow on mismatch.
  • _{reliability, maintainability, correctness, project-standards}

🔵 P3 nitpicks (1)

• .github/workflows/update-app-version.yml:30 — the automation hard-couples the collector image tag to appVersion with no record of that assumption; if the collector ever ships on a divergent cadence the workflow will pin a tag with no published image.
  • Fix: document the shared-version assumption near the step, or add a docker manifest inspect preflight before opening the PR.

---

Reviewers (6): correctness, testing, maintainability, project-standards, security, reliability.

Testing gaps:

• The collector image default is rendered by the opentelemetry-collector subchart, so it is not assertable via the repo's local helm-unittest templates; no shell-level test exercises the new sed against a values.yaml fixture.
• No CI check asserts that otel-collector.image.tag equals Chart.yaml appVersion after a bump.

Note (pre-existing, not introduced here): the same raw-${{ }}-into-shell pattern exists on the unchanged appVersion sed step and the changeset filename; worth hardening together when addressing the P1.