runtime: Add a CI specific dependency

Although not used yet, this will help us immensely to test development
versions of Kata Containers, and catch issues on our integration as soon
as possible.

Let's add a new action to ensure we don't accidentaly add / push the CI
specific dependency as part of the release.  The action itself was
heavily vibe coded using Cursor AI.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>

Author: fidencio

.github/workflows/chart-lock-check.yaml

@@ -0,0 +1,144 @@
+name: Chart.lock Validation
+
+on:
+  pull_request:
+    types:
+      - edited
+      - opened
+      - reopened
+      - synchronized
+
+jobs:
+  validate-chart-lock:
+    name: Validate Chart.lock
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check Chart.lock for 0.0.0-dev entries
+        id: check
+        run: |
+          echo "🔍 Checking Chart.lock for 0.0.0-dev entries..."
+          
+          if [ ! -f Chart.lock ]; then
+            echo "ℹ️  No Chart.lock file found"
+            echo "has_dev_version=false" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+          
+          # Check if Chart.lock contains 0.0.0-dev version
+          if grep -q "version: 0.0.0-dev" Chart.lock; then
+            echo "❌ Found 0.0.0-dev in Chart.lock"
+            echo "has_dev_version=true" >> $GITHUB_OUTPUT
+            
+            echo ""
+            echo "Problematic entries:"
+            grep -B2 -A2 "version: 0.0.0-dev" Chart.lock || true
+            
+            echo ""
+            echo "::error::Chart.lock contains 0.0.0-dev entries that must be removed"
+            
+          else
+            echo "✅ No 0.0.0-dev entries found in Chart.lock"
+            echo "has_dev_version=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Add comment to PR
+        if: steps.check.outputs.has_dev_version == 'true'
+        run: |
+          gh pr comment ${{ github.event.pull_request.number }} --body "## ❌ Chart.lock Contains 0.0.0-dev Entries
+
+          Found \`0.0.0-dev\` entries in \`Chart.lock\` that must be removed.
+
+          **Why this is a problem:**
+          The \`kata-as-coco-runtime-for-ci\` dependency uses \`version: 0.0.0-dev\` which is:
+          - Only for CI testing
+          - Not a real release
+          - Should never be committed to Chart.lock
+
+          **How to fix:**
+
+          Manually edit Chart.lock to remove the entire dependency block containing \`version: 0.0.0-dev\`:
+
+          \`\`\`yaml
+          # Remove this entire block from Chart.lock:
+          - name: kata-deploy
+            repository: oci://ghcr.io/kata-containers/kata-deploy-charts
+            version: 0.0.0-dev
+          \`\`\`
+
+          Then commit and push:
+          \`\`\`bash
+          git add Chart.lock
+          git commit -m \"fix: Remove 0.0.0-dev from Chart.lock\"
+          git push
+          \`\`\`
+
+          **Why not regenerate with helm dependency update?**
+          Running \`helm dependency update\` would add the 0.0.0-dev entry back. This entry only exists for CI testing and should never be in Chart.lock.
+
+          **Prevention:**
+          Chart.lock is managed by CI/CD workflows. Don't manually run \`helm dependency update\` - the prepare-release script handles updates correctly."
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Fail if 0.0.0-dev found
+        if: steps.check.outputs.has_dev_version == 'true'
+        run: |
+          echo "::error::Chart.lock contains 0.0.0-dev entries that must be removed"
+          exit 1
+
+      - name: Summary
+        if: always()
+        run: |
+          if [ "${{ steps.check.outputs.has_dev_version }}" = "true" ]; then
+            cat >> $GITHUB_STEP_SUMMARY << 'EOF'
+          ## ❌ Chart.lock Validation Failed
+          
+          Found `0.0.0-dev` entries in Chart.lock that must be removed.
+          
+          ### Why this is a problem
+          
+          The `kata-as-coco-runtime-for-ci` dependency uses `version: 0.0.0-dev` which is:
+          - Only used for CI testing
+          - Not a real release
+          - Should never be committed to Chart.lock
+          
+          ### How to fix
+          
+          Manually edit Chart.lock to remove the entire dependency block containing `version: 0.0.0-dev`:
+          
+          ```yaml
+          # Remove this entire block:
+          - name: kata-deploy
+            repository: oci://ghcr.io/kata-containers/kata-deploy-charts
+            version: 0.0.0-dev
+          ```
+          
+          Then commit:
+          ```bash
+          git add Chart.lock
+          git commit -m "fix: Remove 0.0.0-dev from Chart.lock"
+          git push
+          ```
+          
+          ### Why not regenerate?
+          
+          **Don't run `helm dependency update`** - it will add 0.0.0-dev back.
+          This entry only exists for CI testing.
+          
+          ### Prevention
+          
+          - Chart.lock is managed by CI/CD workflows
+          - The prepare-release script handles updates correctly
+          - Don't manually run `helm dependency update`
+          EOF
+          else
+            echo "## ✅ Chart.lock Validated" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "No \`0.0.0-dev\` entries found in Chart.lock." >> $GITHUB_STEP_SUMMARY
+          fi
+

Chart.lock

@@ -2,5 +2,5 @@ dependencies:
 - name: kata-deploy
   repository: oci://ghcr.io/kata-containers/kata-deploy-charts
   version: 3.21.0
-digest: sha256:b977d4d978dba0ba373655e26101006178d8e5a63fec3f7cf9a79529d8e59684
-generated: "2025-10-24T16:35:30.992306339+02:00"
+digest: sha256:65eb9c198f907fb4eb18a8b8679b3ec624c34008516ada467382463baab6a5c0
+generated: "2025-10-24T17:10:59.456732835+02:00"

Chart.yaml

@@ -18,3 +18,8 @@ dependencies:
     version: "3.21.0"
     repository: "oci://ghcr.io/kata-containers/kata-deploy-charts"
     condition: kata-as-coco-runtime.enabled
+  - name: kata-deploy
+    alias: kata-as-coco-runtime-for-ci
+    version: "0.0.0-dev"
+    repository: "oci://ghcr.io/kata-containers/kata-deploy-charts"
+    condition: kata-as-coco-runtime-for-ci.enabled

values.yaml

@@ -65,3 +65,16 @@ kata-as-coco-runtime:
     #   - values/kata-aarch64.yaml for ARM64
     #   - values/kata-remote.yaml for peer-pods
     <<: *x86_64_shims
+
+# Optional: CI variant using upstream kata-containers-latest
+# Disabled by default. Uses same shims as CoCo runtime but different image.
+# Enable with: --set kata-as-coco-runtime-for-ci.enabled=true
+kata-as-coco-runtime-for-ci:
+  enabled: false
+  <<: *commonConfig
+  
+  env:
+    debug: "true"
+    <<: *x86_64_shims
+    _experimentalSetupSnapshotter: "nydus"
+    _experimentalForceGuestPull: ""

values/kata-aarch64.yaml

@@ -22,3 +22,13 @@ kata-as-coco-runtime:
   env:
     debug: "false"
     <<: *aarch64_shims
+
+kata-as-coco-runtime-for-ci:
+  <<: *commonConfig
+  
+  env:
+    debug: "true"
+    <<: *aarch64_shims
+    _experimentalSetupSnapshotter: "nydus"
+    _experimentalForceGuestPull: ""
+

values/kata-remote.yaml

@@ -20,3 +20,12 @@ kata-as-coco-runtime:
   env:
     debug: "false"
     <<: *remote_shims
+
+kata-as-coco-runtime-for-ci:
+  <<: *commonConfig
+  
+  env:
+    debug: "true"
+    <<: *remote_shims
+    _experimentalSetupSnapshotter: "nydus"
+    _experimentalForceGuestPull: ""

values/kata-s390x.yaml

@@ -22,3 +22,12 @@ kata-as-coco-runtime:
   env:
     debug: "false"
     <<: *s390x_shims
+
+kata-as-coco-runtime-for-ci:
+  <<: *commonConfig
+  
+  env:
+    debug: "true"
+    <<: *s390x_shims
+    _experimentalSetupSnapshotter: "nydus"
+    _experimentalForceGuestPull: ""