From b7691ac5e973c7d42f4f26f5bb1d6683846b81ac Mon Sep 17 00:00:00 2001
From: Marc Singer
Date: Sun, 15 Feb 2026 20:45:59 +0100
Subject: [PATCH] feat: add helm chart build and publish
---
 .../{docker.yml => publish-docker-image.yml} | 8 ++-
 .github/workflows/publish-helm-chart.yml | 60 +++++++++++++++++++
 2 files changed, 66 insertions(+), 2 deletions(-)
 rename .github/workflows/{docker.yml => publish-docker-image.yml} (92%)
 create mode 100644 .github/workflows/publish-helm-chart.yml
diff --git a/.github/workflows/docker.yml b/.github/workflows/publish-docker-image.yml
similarity index 92%
rename from .github/workflows/docker.yml
rename to .github/workflows/publish-docker-image.yml
index df618a6..e54859c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/publish-docker-image.yml
@@ -1,9 +1,13 @@
-name: 'Build docker image'
+name: Publish Docker Image to GHCR
+
+permissions:
+ contents: read
+ packages: write
 on:
 push:
 branches:
- - main
+ - main
 jobs:
 build:
diff --git a/.github/workflows/publish-helm-chart.yml b/.github/workflows/publish-helm-chart.yml
new file mode 100644
index 0000000..d9f5bff
--- /dev/null
+++ b/.github/workflows/publish-helm-chart.yml
@@ -0,0 +1,60 @@
+name: Publish Helm chart to GHCR
+
+permissions:
+ contents: read
+ packages: write
+
+on:
+ push:
+ branches:
+ - main
+
+env:
+ CHART_DIR: ./deploy/cert-manager-desec-webhook
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Setup Helm
+ uses: azure/setup-helm@v4
+ with:
+ version: 'latest'
+
+ - name: Install yq
+ uses: mikefarah/yq@v4
+
+ - name: Compute chart version
+ id: ver
+ run: |
+ # Version strategy for "push to main":
+ # Use Chart.yaml version + short SHA to avoid collisions.
+ BASE_VERSION="$(yq -r '.version' "${CHART_DIR}/Chart.yaml")"
+ SHORT_SHA="$(git rev-parse --short=8 HEAD)"
+ VERSION="${BASE_VERSION}-${SHORT_SHA}"
+ echo "chart_dir=${CHART_DIR}" >> "$GITHUB_OUTPUT"
+ echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
+ - name: Login to GHCR
+ run: |
+ echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io \
+ --username "${{ github.actor }}" \
+ --password-stdin
+
+ - name: Lint chart
+ run: helm lint "${{ steps.ver.outputs.chart_dir }}"
+
+ - name: Package chart
+ run: |
+ helm package "${{ steps.ver.outputs.chart_dir }}" \
+ --version "${{ steps.ver.outputs.version }}" \
+ --destination ./dist
+
+ - name: Push chart to GHCR (OCI)
+ env:
+ OWNER: ${{ github.repository_owner }}
+ run: |
+ helm push ./dist/*.tgz oci://ghcr.io/${OWNER}/helm
\ No newline at end of file
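Review bot: The three `uses:` steps reference mutable tags (`actions/checkout@v4`, `azure/setup-helm@v4`, `mikefarah/yq@v4`) and Helm is installed with `version: 'latest'`, so the code that runs in this job, which holds a `packages: write` token and logs in to GHCR, can change without any commit to this repository. Pin each action to a full commit SHA, e.g. `uses: mikefarah/yq@<full-commit-sha> # v4`, and set `version:` to a fixed Helm release. The checkout step could also set `persist-credentials: false`, since nothing later in the job appears to push with git. Separately, the `run:` blocks interpolate `${{ secrets.GITHUB_TOKEN }}`, `${{ github.actor }}` and the `steps.ver.outputs.*` values straight into the shell text; mapping them through `env:` (as the last step already does for `OWNER`) keeps workflow expressions out of the script body.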