As I have indicated in The woes of the httpd update (and others), you’ll have to run foreman-installer after any update, regardless of foreman/katello updates or not. So basically the procedure is always the way you wrote unless you upgrade which need the additional work to set up the new version repositories (and reading the release notes in case of some breaking changes…)
The packages unlock, of course, is only necessary if you have used packages lock before…