Skip to content

ci: publish helm chart to oci ghcr.io #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
peppescg wants to merge 4 commits into
base: main
Choose a base branch
from
Open

ci: publish helm chart to oci ghcr.io #214

peppescg wants to merge 4 commits into from

Conversation

@peppescg
Copy link
Collaborator

@peppescg peppescg commented Dec 22, 2025
edited
Loading

Summary

Add GitHub Actions workflow to publish Helm chart to OCI registry (ghcr.io) with Cosign signing for supply chain security.

Changes

  • Add automated Helm chart publishing workflow triggered on version tags (v*)
  • Implement Cosign keyless signing using GitHub Actions OIDC
  • Dynamically update Chart.yaml version from Git tags
  • Add error handling for digest extraction during signing

Motivation

  • Direct install: helm install toolhive-cloud-ui oci://ghcr.io/stacklok/toolhive-cloud-ui/toolhive-cloud-ui --version 0.0.7
  • Native GitOps support: ArgoCD and Flux work out-of-the-box with OCI registries
  • Supply chain security: Cosign signing enables signature verification

Usage

Install chart

helm install toolhive-cloud-ui oci://ghcr.io/stacklok/toolhive-cloud-ui/toolhive-cloud-ui --version

Verify signature

  cosign verify \
    --certificate-identity-regexp='https://github.com/stacklok/.*' \
    --certificate-oidc-issuer='https://token.actions.githubusercontent.com' \
    ghcr.io/stacklok/toolhive-cloud-ui/toolhive-cloud-ui:<version>

Test

I tested the gh action publishing tag v0.0.0-rc.test - https://github.com/stacklok/toolhive-cloud-ui/pkgs/container/toolhive-cloud-ui

@peppescg peppescg self-assigned this Dec 22, 2025
@github-actions github-actions bot added the size/XS Extra small PR: < 100 lines changed label Dec 22, 2025
@peppescg peppescg linked an issue Dec 22, 2025 that may be closed by this pull request
[Chore]: publish the helm chart to OCI #193
Open
peppescg and others added 2 commits January 22, 2026 11:10
@peppescg
ci: publish helm chart
ee69107
@peppescg @claude
fix(ci): update checkout action and improve cosign error handling
1cabc31 
- Update checkout action to v5.0.1 SHA matching repo standard
- Add strict error handling with set -euo pipefail
- Fix stderr/stdout redirection for better portability
- Add digest extraction validation with helpful error output

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/XS Extra small PR: < 100 lines changed labels Jan 22, 2026
@peppescg peppescg marked this pull request as ready for review January 22, 2026 12:04
Copilot AI review requested due to automatic review settings January 22, 2026 12:04
@peppescg peppescg changed the title ci: publish helm chart ci: publish helm chart oci Jan 22, 2026
Copilot AI reviewed Jan 22, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a GitHub Actions workflow to automatically publish the Helm chart to GitHub Container Registry (ghcr.io) when version tags are pushed. The workflow packages the chart, pushes it to an OCI registry, and signs it with Cosign for supply chain security.

Changes:

  • Adds automated Helm chart publishing workflow triggered by version tags (v*)
  • Implements Cosign signing for published Helm charts using keyless OIDC-based signing
  • Updates Chart.yaml version and appVersion dynamically from Git tags

@peppescg @claude
fix(ci): fix chart name extraction for cosign signing
1a84ed9 
Use helm show chart to extract the actual chart name instead of
parsing the filename, which fails when version contains dashes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Jan 22, 2026
@peppescg @claude
docs(ci): fix cosign verify command with keyless verification flags
76c0cf5 
Add --certificate-identity-regexp and --certificate-oidc-issuer flags
required for verifying artifacts signed with Sigstore keyless signing.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Jan 22, 2026
@peppescg peppescg changed the title ci: publish helm chart oci ci: publish helm chart to oci ghcr.io Jan 22, 2026
@kantord
Copy link
Member

kantord commented Jan 22, 2026

approved, but probably it's good if @ChrisJBurns also takes a look?

@peppescg
Copy link
Collaborator Author

peppescg commented Jan 22, 2026
edited
Loading

approved, but probably it's good if @ChrisJBurns also takes a look?

yep, makes sense, I pinged him as well. I tested the workflow and cosign and both work as expected

ChrisJBurns
ChrisJBurns approved these changes Jan 22, 2026
View reviewed changes
Copy link
Contributor

@ChrisJBurns ChrisJBurns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Although a note for future, you may want to use something like https://github.com/stacklok/releaseo. I made it specifically for the problem around Helm Chart releases and app version updates. Currently in this PR you modify the files in the pipeline and publish them, this means there are files that are being pushed that can't be traced back to a source commit. Releaseo makes release PRs that write the version changes into Git and allow you to build your releases from them.

@peppescg
Copy link
Collaborator Author

peppescg commented Jan 22, 2026

LGTM!

Although a note for future, you may want to use something like https://github.com/stacklok/releaseo. I made it specifically for the problem around Helm Chart releases and app version updates. Currently in this PR you modify the files in the pipeline and publish them, this means there are files that are being pushed that can't be traced back to a source commit. Releaseo makes release PRs that write the version changes into Git and allow you to build your releases from them.

That's amazing. I will take a look and add it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@kantord kantord kantord approved these changes

@ChrisJBurns ChrisJBurns ChrisJBurns approved these changes

Assignees

@peppescg peppescg

Labels

size/S Small PR: 100-299 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Chore]: publish the helm chart to OCI

4 participants

@peppescg @kantord @ChrisJBurns