release: publish escalation chart on tag builds (#576)

MaxRink · web-flow · commit 4fcd19d90c6a · 2026-03-17T16:58:40.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,7 +19,7 @@ env:
 
 jobs:
   # ---------------------------------------------------------------------------
-  # Build release manifests and bgctl CLI binaries
+  # Build release manifests, Helm chart package, and bgctl CLI binaries
   # ---------------------------------------------------------------------------
   prepare:
     permissions:
@@ -32,6 +32,10 @@ jobs:
         with:
           go-version-file: go.mod
           cache: true
+      - name: Set up Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: v4.0.4
       - name: Generate manifests
         run: |
           make manifests
@@ -68,6 +72,23 @@ jobs:
             manifests-base.yaml
             manifests-debug.yaml
             manifests-crds.yaml
+      - name: Package escalation Helm chart
+        run: |
+          set -euo pipefail
+
+          # Keep chart version from Chart.yaml; stamp appVersion with the release tag.
+          mkdir -p chart-dist
+          helm package charts/escalation-config \
+            --destination chart-dist \
+            --app-version "${{ github.ref_name }}"
+
+          echo "Packaged chart artifacts:"
+          ls -la chart-dist
+      - name: Upload chart artifact
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: release-chart
+          path: chart-dist/escalation-config-*.tgz
       - name: Build bgctl release assets
         run: |
           set -e
@@ -431,13 +452,62 @@ jobs:
             echo "Warning: Artifact path not confirmed after retries (HTTP ${HTTP_STATUS_AFTER}). It might be a permission issue or Artifactory indexing delay."
           fi
 
+  # ---------------------------------------------------------------------------
+  # Publish escalation-config Helm chart to GHCR OCI
+  # ---------------------------------------------------------------------------
+  publish-chart:
+    needs: [prepare]
+    permissions:
+      contents: read
+      packages: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download chart artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: release-chart
+          path: chart-dist
+      - name: Set up Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: v4.0.4
+      - name: Login to GHCR for Helm OCI
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} \
+            --username "${{ github.actor }}" \
+            --password-stdin
+      - name: Publish escalation-config chart
+        env:
+          CHART_REPO: oci://ghcr.io/${{ github.repository }}/charts
+        run: |
+          set -euo pipefail
+
+          CHART_PACKAGE="$(ls chart-dist/escalation-config-*.tgz | head -n1)"
+          CHART_VERSION="$(helm show chart "${CHART_PACKAGE}" | awk '/^version:/ {print $2}')"
+
+          if [ -z "${CHART_VERSION}" ]; then
+            echo "Failed to determine chart version from ${CHART_PACKAGE}" >&2
+            exit 1
+          fi
+
+          echo "Preparing to publish escalation-config:${CHART_VERSION} to ${CHART_REPO}"
+
+          # Idempotent behavior for reruns: skip if this chart version already exists.
+          if helm show chart "${CHART_REPO}/escalation-config" --version "${CHART_VERSION}" >/dev/null 2>&1; then
+            echo "Chart escalation-config:${CHART_VERSION} already present in GHCR; skipping push."
+            exit 0
+          fi
+
+          helm push "${CHART_PACKAGE}" "${CHART_REPO}"
+          echo "Published ${CHART_PACKAGE} to ${CHART_REPO}"
+
   # ---------------------------------------------------------------------------
   # Create GitHub Release with manifests, bgctl binaries, and SBOM
   # ---------------------------------------------------------------------------
   release:
     # NOTE: Does not depend on `artifactory` intentionally — Artifactory is a
     # best-effort mirror and should not block GitHub Release creation.
-    needs: [prepare, assemble]
+    needs: [prepare, assemble, publish-chart]
     permissions:
       contents: write
       packages: read
@@ -453,6 +523,11 @@ jobs:
         with:
           name: bgctl-dist
           path: dist
+      - name: Download chart artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: release-chart
+          path: chart-dist
       - name: Create GitHub Release
         uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
@@ -461,6 +536,7 @@ jobs:
             manifests-base.yaml
             manifests-debug.yaml
             manifests-crds.yaml
+            chart-dist/escalation-config-*.tgz
             dist/bgctl_*.tar.gz
             dist/bgctl_*.zip
             dist/bgctl_*.sha256
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - **Frontend: upgrade Vite 7 → 8 and @vitejs/plugin-legacy 7 → 8** (PR #562): Major version bumps — Vite 8 replaces Rollup with Rolldown and removes esbuild in favor of Oxc. `@vitejs/plugin-vue` patch bumped to 6.0.5. No breaking changes to the frontend build configuration.
+- **Release workflow: publish escalation Helm chart**: Tag-based releases now package `charts/escalation-config`, publish it to GHCR Helm OCI (`oci://ghcr.io/telekom/k8s-breakglass/charts/escalation-config`), and attach the chart `.tgz` to the GitHub Release assets.
 
 - **Webhook SAR metrics: removed high-cardinality `group` label** ([#527](https://github.com/telekom/k8s-breakglass/issues/527)): Removed unbounded `group` label from `breakglass_webhook_session_sar_{allowed,denied,errors}_total` metrics to prevent time-series explosion in Prometheus
 - **JWT and JWKS metrics label renamed from `issuer` to `identity_provider`** ([#472](https://github.com/telekom/k8s-breakglass/issues/472)): Prometheus metrics `breakglass_jwt_validation_*` and `breakglass_jwks_cache_{hits,misses}_total` now use the `identity_provider` label (resolved IDP name) instead of `issuer` (raw URL) to prevent unbounded cardinality from attacker-controlled issuer claims. Dashboards/alerts referencing the old `issuer` label on these metrics must be updated.
diff --git a/charts/escalation-config/README.md b/charts/escalation-config/README.md
@@ -34,6 +34,18 @@ helm install my-escalation ./charts/escalation-config \
   --set cluster.tenant=production
 ```
 
+### Installation from GHCR Helm OCI (release artifacts)
+
+```bash
+helm install my-escalation \
+  oci://ghcr.io/telekom/k8s-breakglass/charts/escalation-config \
+  --version <chart-version> \
+  -f values.yaml
+```
+
+`<chart-version>` is the chart `version` from `charts/escalation-config/Chart.yaml`.
+It is versioned independently from the container image tag.
+
 ## Configuration
 
 ### Cluster Configuration
diff --git a/docs/release-process.md b/docs/release-process.md
@@ -33,17 +33,23 @@ This document defines the release requirements for k8s-breakglass. It is intende
    - An SPDX-JSON SBOM attestation is attached to each signed image via `cosign attest`.
    - Cosign signatures and attestations are mirrored to Artifactory on a best-effort basis via `cosign copy`.
 
+7. **Helm chart publication**
+   - `charts/escalation-config` is packaged during release preparation.
+   - The packaged chart is pushed to GHCR as a Helm OCI artifact at `oci://ghcr.io/telekom/k8s-breakglass/charts/escalation-config`.
+   - The chart `.tgz` is attached to the GitHub Release assets.
+
 ## Multi-Architecture Builds
 
 Release images are built as multi-arch manifests supporting both `linux/amd64` and `linux/arm64` platforms. Each architecture is built natively on a dedicated runner (no QEMU emulation), then assembled into a single multi-arch manifest list.
 
 **Build pipeline:**
 
-1. **Prepare** — generates Kustomize manifests, cross-compiles `bgctl` binaries for all OS/arch combinations, and uploads them as artifacts.
+1. **Prepare** — generates Kustomize manifests, packages `charts/escalation-config`, cross-compiles `bgctl` binaries for all OS/arch combinations, and uploads them as artifacts.
 2. **Build** (matrix: `amd64`, `arm64`) — builds and pushes a single-platform image by digest on a native runner for each architecture.
 3. **Assemble** — downloads all per-arch digests and creates a unified multi-arch manifest tagged with the release version (and `latest` for tag pushes). Generates SLSA provenance attestation, signs the image with keyless Cosign, and attaches an SBOM attestation.
 4. **Artifactory** — mirrors the multi-arch image and cosign artifacts (signatures + attestations) to the internal Artifactory OCI registry (best-effort).
-5. **Release** — creates a GitHub Release with manifests, `bgctl` binaries, checksums, and SBOM (SPDX-JSON format via Syft).
+5. **Publish chart** — pushes `escalation-config` chart to GHCR Helm OCI (`oci://ghcr.io/telekom/k8s-breakglass/charts`).
+6. **Release** — creates a GitHub Release with manifests, Helm chart package, `bgctl` binaries, checksums, and SBOM (SPDX-JSON format via Syft).
 
 > **Note:** Buildx layer caching (`cache-from`/`cache-to`) is intentionally omitted in
 > release builds to ensure clean, reproducible images without layer reuse from prior
@@ -54,6 +60,7 @@ Release images are built as multi-arch manifests supporting both `linux/amd64` a
 - Verify CI success on the release commit.
 - Ensure the changelog is up to date.
 - Generate artifacts via the release workflow.
+- Verify chart publication in GHCR (`oci://ghcr.io/telekom/k8s-breakglass/charts/escalation-config`).
 - Publish checksums and update release notes.
 - Verify provenance attestation was pushed to the registry.
 - Verify SBOM is attached to the GitHub Release.
@@ -67,6 +74,11 @@ Consumers should be able to:
 - Verify provenance attestation via `gh attestation verify` or the GitHub attestation API.
 - Verify SBOM contents match the release image.
 - Verify Cosign signature: `cosign verify ghcr.io/telekom/k8s-breakglass@<digest> --certificate-identity-regexp='https://github.com/telekom/k8s-breakglass/' --certificate-oidc-issuer='https://token.actions.githubusercontent.com'`
+- Verify Helm chart availability:
+   ```bash
+   helm show chart oci://ghcr.io/telekom/k8s-breakglass/charts/escalation-config \
+      --version <chart-version>
+   ```
 - Verify SBOM attestation:
   ```bash
   cosign verify-attestation ghcr.io/telekom/k8s-breakglass@<digest> \
