@nlamirault
Contributor

@nlamirault nlamirault commented Sep 23, 2025

Description

With Helm v3.8.0, the OCI support became GA, which is an excellent chance to start publishing Helm charts to OCI-compliant registries.

What problem is being solved?

Add OCI Helm chart

How is it being solved?

What changes are made to solve it?

References

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • New Features
    • Helm charts are now published to the GitHub Container Registry (OCI). You can retrieve releases from ghcr.io//helm-charts.
  • Chores
    • Updated release pipeline to also publish chart artifacts to GHCR while keeping the existing release flow unchanged.

Signed-off-by: Nicolas Lamirault <[email protected]>
@nlamirault nlamirault requested review from a team as code owners September 23, 2025 05:24
@coderabbitai
coderabbitai bot commented Sep 23, 2025

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The release workflow file adds steps to authenticate to GitHub Container Registry and push Helm chart artifacts to an OCI registry after the existing chart-releaser step. Permissions for package writing are enabled on the release job. No other files or exported/public entities are changed.

Changes

Cohort / File(s) | Summary
Release workflow: .github/workflows/release.yml | Adds packages: write permission, a docker/login-action step to GHCR, and a helm push step to publish released chart .tgz files to ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts. Existing release flow remains; new steps run after chart-releaser.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor Dev as GitHub Actions (release job)
    participant CR as chart-releaser
    participant GHCR as GitHub Container Registry
    participant Helm as Helm CLI

    Dev->>CR: Run chart-releaser (existing)
    Note over Dev,CR: Release assets (charts) created

    rect rgba(200, 240, 255, 0.3)
    Note over Dev: New steps
    Dev->>GHCR: docker/login-action (authenticate)
    Dev->>Helm: helm push *.tgz to oci://ghcr.io/.../helm-charts
    Helm->>GHCR: Upload chart OCI artifacts
    end

    GHCR-->>Dev: Publish result

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The title "feat(helm): add OCI support" is concise, follows conventional commit style, and accurately summarizes the primary change in the PR—adding OCI publishing support for Helm charts (workflow changes to push charts to an OCI registry). It is specific enough for a teammate scanning the history to understand the main intent and contains no noisy file lists or vague wording.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/release.yml (1)

35-37: Bump Helm to ≥ v3.8.0 or this OCI push will fail.

The workflow installs v3.5.0, which doesn’t include GA OCI support nor the core helm push command you use later.

Apply:

-          version: v3.5.0
+          version: v3.8.0
🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

53-59: Prefer explicit Helm registry login (works across environments).

Docker login may work, but helm registry login guarantees creds are available to Helm’s registry client. Keep docker login if you want, but add this step right after it.

Apply:

       - name: Login to GHCR
         uses: docker/[email protected]
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Helm registry login (GHCR)
+        run: helm registry login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
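Review bot: the added `run: helm registry login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"` line puts the token on the command line, where it becomes part of the process arguments and of the script text that Actions generates before the shell starts. Map the token into the step with `env:` and pipe it to `helm registry login ghcr.io -u ... --password-stdin` instead, so the secret only travels over stdin.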

Please confirm the push succeeds on forks where docker creds might not be present.


60-68: Tighten push step: correct owner var, fail fast, simplify loop, and gate on artifacts.

  • Use ${{ github.repository_owner }} to avoid relying on a possibly unset $GITHUB_REPOSITORY_OWNER.
  • Add set -euo pipefail.
  • Remove redundant empty-guard (nullglob already handles it).
  • Gate the step if no packages were produced.

Apply:

-      - name: Push chart to GHCR
-        run: |
-          shopt -s nullglob
-          for pkg in .cr-release-packages/*.tgz; do
-            if [ -z "${pkg:-}" ]; then
-              break
-            fi
-            helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/helm-charts"
-          done
+      - name: Push chart to GHCR
+        if: ${{ hashFiles('.cr-release-packages/*.tgz') != '' }}
+        run: |
+          set -euo pipefail
+          shopt -s nullglob
+          for pkg in .cr-release-packages/*.tgz; do
+            helm push "${pkg}" "oci://ghcr.io/${{ github.repository_owner }}/helm-charts"
+          done
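Review bot: in the `+` version of the `helm push` line, `${{ github.repository_owner }}` is an inline expression that Actions pastes into the script before bash runs, whereas the removed line read `${GITHUB_REPOSITORY_OWNER}` from the environment at run time. Keeping context values out of `run:` bodies is the safer habit: either leave the shell variable as it was, or map the context value through `env:` and reference that variable in the script. With `set -euo pipefail` added, the loop also stops at the first failed push, so when several packages are present the later ones stay unpublished; echo the package name before each push so the log shows where it stopped.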

Validate the resulting GHCR package path matches your expected naming (helm-charts/<chart-name> under the org).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c3f8ed and e420bc3.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (2 hunks)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

12-12: Good: packages permission added for GHCR publishes.

Required for docker/login-action with GITHUB_TOKEN to push to GHCR.

@rhamzeh
Member

rhamzeh commented Sep 23, 2025

Thanks @nlamirault!

Just doing some due diligence, there doesn't seem to be any mention of the GitHub registry here: https://helm.sh/docs/topics/registries/#use-hosted-registries

And in the GitHub container registry docs, there's no mention of helm charts.

I think I understand how helm did this - the chart itself is published as an OCI artifact that the helm command can pull and interpret, so it shouldn't matter. But just as a precaution, so that we don't figure this out later during a release - do you have an example of other helm charts being pushed to the GitHub OCI?

Also maybe we can add a note to the chart's README - something along the lines of:

This chart is also available for installation from the GitHub OCI registry. It requires helm 3.8+. To pull from the GitHub OCI registry, run: <commands to pull and install>

I also have questions about how this handles multiple helm charts. Right now we have the openfga one, and the benchmark one we are deprecating, and in the future we have more. Any insight on how that works with an OCI registry?

Can you also bump the helm version here to the current latest - 3.19.0? It's currently set to 3.5.0 which doesn't have OCI registry support.

Signed-off-by: Nicolas Lamirault <[email protected]>
Signed-off-by: Nicolas Lamirault <[email protected]>
@nlamirault nlamirault requested review from a team as code owners September 23, 2025 16:28
Signed-off-by: Nicolas Lamirault <[email protected]>
@nlamirault
Contributor Author

You can see some Helm charts using OCI format from prometheus-community: https://github.com/orgs/prometheus-community/packages?repo_name=helm-charts

It is handled like a Docker image.
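
On the question of several charts under one registry path, an added example that is not part of this thread or of the project's workflow: `helm push` takes the repository name from the chart's name and the tag from its version, so each chart becomes its own package under the base path. The owner `example-org`, the chart versions and the helper function names are assumptions made for the sketch.

```sh
#!/bin/sh
# Added example, not part of the PR: where each packaged chart lands under one OCI base path.
set -eu

# Print one top-level scalar (name or version) from the Chart.yaml inside a chart .tgz.
chart_field() (
  pkg=$1 key=$2
  # The chart's own Chart.yaml sits one directory deep; deeper ones belong to subcharts.
  entry=$(tar -tzf "$pkg" | awk -F/ 'NF == 2 && $2 == "Chart.yaml" && !seen++')
  [ -n "$entry" ] || { echo "no top-level Chart.yaml in $pkg" >&2; exit 1; }
  # Match unindented keys only, so dependency entries are ignored; strip quotes and CRs.
  tar -xzOf "$pkg" "$entry" |
    awk -v k="$key:" 'index($0, k) == 1 && !seen++ { print $2 }' | tr -d "\"'\r"
)

# Reference that `helm push PKG BASE` produces: BASE/<chart name>:<chart version>.
oci_ref() (
  base=$1 pkg=$2
  name=$(chart_field "$pkg" name)
  version=$(chart_field "$pkg" version)
  [ -n "$name" ] && [ -n "$version" ] || { echo "incomplete Chart.yaml in $pkg" >&2; exit 1; }
  # OCI tags cannot contain "+", so Helm writes SemVer build metadata with "_" instead.
  printf '%s/%s:%s\n' "${base%/}" "$name" "$(printf '%s' "$version" | tr '+' '_')"
)

# Constructed sample input: a minimal chart package with one bundled subchart.
make_sample_chart() (
  dir=$(mktemp -d)
  mkdir -p "$dir/$1/charts/dep"
  printf 'apiVersion: v2\nname: %s\nversion: "%s"\ndependencies:\n  - name: dep\n    version: 9.9.9\n' \
    "$1" "$2" > "$dir/$1/Chart.yaml"
  printf 'apiVersion: v2\nname: dep\nversion: 9.9.9\n' > "$dir/$1/charts/dep/Chart.yaml"
  tar -czf "$dir/$1-$2.tgz" -C "$dir" "$1"
  echo "$dir/$1-$2.tgz"
)

# Placeholder owner; chart versions are constructed for the demo.
BASE="oci://ghcr.io/example-org/helm-charts"
for spec in "openfga 1.2.3" "second-chart 0.4.0+build.5"; do
  set -- $spec
  oci_ref "$BASE" "$(make_sample_chart "$1" "$2")"
done
```

Pulling or installing then uses the same reference, with the version given separately through `--version`.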

@rhamzeh
Member

rhamzeh commented Oct 6, 2025

Thanks @nlamirault!

@rhamzeh rhamzeh merged commit e9fe53c into openfga:main Oct 6, 2025
8 checks passed