feat: add Docker build workflows and Helm chart for deployment

- Add GitHub Actions workflows for Docker image builds:
  - docker-build-main.yml: builds on pushes to main branch
  - docker-build-tag.yml: builds on tag creation for releases
- Add complete Helm chart for Kubernetes deployment:
  - Chart.yaml with metadata and version info
  - Comprehensive values.yaml with environment configuration
  - Template files for all Kubernetes resources:
    - Deployment with configurable replicas and environment variables
    - Service with ClusterIP type and port configuration
    - Ingress with TLS support and path-based routing
    - ServiceAccount with RBAC configuration
  - Helper templates for consistent naming and labeling
- Configure environment variables for Auth0, Supabase, and PCC services
- Set up proper resource limits and health checks
- Include comprehensive README with deployment instructions

This enables containerized deployment to Kubernetes environments with
proper CI/CD integration for automated image builds.

Signed-off-by: Alan Sherman <asherman@linuxfoundation.org>

Author: AlanSherman

.github/workflows/docker-build-main.yml

@@ -0,0 +1,60 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+name: Docker Build - Main Branch
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=development
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_ENV=production

.github/workflows/docker-build-tag.yml

@@ -0,0 +1,139 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+name: Docker Build - Release
+
+on:
+  push:
+    tags:
+      - v*
+
+permissions:
+  contents: read
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  COSIGN_VERSION: v2.5.3
+  HELM_VERSION: v3.18.4
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    outputs:
+      app_version: ${{ steps.prepare.outputs.app_version }}
+      chart_name: ${{ steps.prepare.outputs.chart_name }}
+      chart_version: ${{ steps.prepare.outputs.chart_version }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Prepare versions and chart name
+        id: prepare
+        run: |
+          set -euo pipefail
+          APP_VERSION=$(echo ${{ github.ref_name }} | sed 's/v//g')
+          CHART_NAME="$(yq '.name' charts/*/Chart.yaml)"
+          CHART_VERSION="$(yq '.version' charts/*/Chart.yaml)"
+          {
+            echo "app_version=$APP_VERSION"
+            echo "chart_name=$CHART_NAME"
+            echo "chart_version=$CHART_VERSION"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_ENV=production
+
+  release-helm-chart:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+    outputs:
+      digest: ${{ steps.publish-ghcr.outputs.digest }}
+      image_name: ${{ steps.publish-ghcr.outputs.image_name }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Publish Chart to GHCR
+        id: publish-ghcr
+        uses: linuxfoundation/lfx-public-workflows/.github/actions/helm-chart-oci-publisher@c465d6571fa0b8be9d551d902955164ea04a00af # main
+        with:
+          name: ${{ needs.build-and-push.outputs.chart_name }}
+          repository: ${{ github.repository }}/chart
+          chart_version: ${{ needs.build-and-push.outputs.chart_version }}
+          app_version: ${{ needs.build-and-push.outputs.app_version }}
+          registry: ghcr.io
+          registry_username: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+        with:
+          cosign-release: "${{ env.COSIGN_VERSION }}"
+
+      - name: Login to GitHub
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sign the Helm chart in GHCR
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          cosign sign --yes '${{ steps.publish-ghcr.outputs.image_name }}@${{ steps.publish-ghcr.outputs.digest }}'
+
+  create-ghcr-helm-provenance:
+    needs:
+      - release-helm-chart
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ${{ needs.release-helm-chart.outputs.image_name }}
+      digest: ${{ needs.release-helm-chart.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

charts/lfx-v2-pcc-ui/Chart.yaml

@@ -0,0 +1,16 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+apiVersion: v2
+name: lfx-v2-pcc-ui
+description: A Helm chart for LFX Project Control Center UI - Angular SSR application with Express backend
+type: application
+version: 0.1.0
+appVersion: "latest"
+keywords:
+  - lfx
+  - project-control-center
+  - ui
+home: https://github.com/linuxfoundation/lfx-v2-pcc-ui
+sources:
+  - https://github.com/linuxfoundation/lfx-v2-pcc-ui

charts/lfx-v2-pcc-ui/README.md

@@ -0,0 +1,80 @@
+# LFX V2 PCC UI Helm Chart
+
+This Helm chart deploys the LFX V2 PCC UI application, which is an Angular SSR application with Express backend for the LFX Project Control Center.
+
+## Configuration
+
+### Required Configuration
+
+The following values must be configured before deployment:
+
+```yaml
+environment:
+  PCC_BASE_URL:
+    value: ''
+  PCC_AUTH0_CLIENT_ID:
+    value: ''
+  PCC_AUTH0_CLIENT_SECRET:
+    value: ''
+  SUPABASE_URL:
+    value: ''
+  POSTGRES_API_KEY:
+    value: ''
+```
+
+These can also be set from a secret
+
+```yaml
+POSTGRES_API_KEY:
+  value: ''
+  valueFrom:
+    secretKeyRef:
+      name: pcc-env-secrets
+      key: api_key
+```
+
+### Global Parameters
+
+| Parameter                 | Description                         | Default |
+| ------------------------- | ----------------------------------- | ------- |
+| `global.imageRegistry`    | Global Docker image registry        | `""`    |
+| `global.imagePullSecrets` | Global Docker registry secret names | `[]`    |
+
+### Application Parameters
+
+| Parameter           | Description        | Default                                 |
+| ------------------- | ------------------ | --------------------------------------- |
+| `replicaCount`      | Number of replicas | `1`                                     |
+| `image.registry`    | Image registry     | `""`                                    |
+| `image.repository`  | Image repository   | `ghcr.io/linuxfoundation/lfx-v2-pcc-ui` |
+| `image.tag`         | Image tag          | `"latest"`                              |
+| `image.pullPolicy`  | Image pull policy  | `IfNotPresent`                          |
+| `image.pullSecrets` | Image pull secrets | `[]`                                    |
+
+### Environment Variables
+
+| Parameter                       | Description         | Required | Default                                   |
+| ------------------------------- | ------------------- | -------- | ----------------------------------------- |
+| `environment.ENV`               | Environment name    | Yes      | `"production"`                            |
+| `environment.QUERY_SERVICE_URL` | Query service URL   | No       | `"http://localhost:8080/query/resources"` |
+| `environment.NODE_ENV`          | Node.js environment | No       | `"production"`                            |
+| `environment.PORT`              | Application port    | No       | `"4000"`                                  |
+
+### Service Parameters
+
+| Parameter             | Description         | Default     |
+| --------------------- | ------------------- | ----------- |
+| `service.type`        | Service type        | `ClusterIP` |
+| `service.port`        | Service port        | `80`        |
+| `service.targetPort`  | Target port         | `4000`      |
+| `service.annotations` | Service annotations | `{}`        |
+
+### Ingress Parameters
+
+| Parameter             | Description                 | Default |
+| --------------------- | --------------------------- | ------- |
+| `ingress.enabled`     | Enable ingress              | `false` |
+| `ingress.className`   | Ingress class name          | `""`    |
+| `ingress.annotations` | Ingress annotations         | `{}`    |
+| `ingress.hosts`       | Ingress hosts configuration | `[]`    |
+| `ingress.tls`         | Ingress TLS configuration   | `[]`    |

charts/lfx-v2-pcc-ui/templates/_helpers.tpl

@@ -0,0 +1,97 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "lfx-v2-pcc-ui.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "lfx-v2-pcc-ui.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "lfx-v2-pcc-ui.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "lfx-v2-pcc-ui.labels" -}}
+helm.sh/chart: {{ include "lfx-v2-pcc-ui.chart" . }}
+{{ include "lfx-v2-pcc-ui.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.labels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "lfx-v2-pcc-ui.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "lfx-v2-pcc-ui.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "lfx-v2-pcc-ui.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "lfx-v2-pcc-ui.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the image name with tag
+*/}}
+{{- define "lfx-v2-pcc-ui.image" -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion }}
+{{- printf "%s:%s" .Values.image.repository $tag }}
+{{- end }}
+
+{{/*
+Common annotations
+*/}}
+{{- define "lfx-v2-pcc-ui.annotations" -}}
+{{- with .Values.annotations }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Pod annotations
+*/}}
+{{- define "lfx-v2-pcc-ui.podAnnotations" -}}
+{{- with .Values.podAnnotations }}
+{{ toYaml . }}
+{{- end }}
+{{- with .Values.annotations }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}