@DrFaust92 DrFaust92 commented Nov 7, 2025

closes #1801

coderabbitai bot commented Nov 7, 2025

Walkthrough

Add GitHub Actions steps to authenticate to ghcr.io and package + push the Helm chart (helm/robusta) as an OCI artifact during the release workflow.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Release workflow — GHCR login & Helm OCI publish (.github/workflows/release.yaml) | Added docker/login-action@v3 step to log in to ghcr.io using ${{ github.actor }} / ${{ secrets.GITHUB_TOKEN }}; added steps to helm package helm/robusta and helm push robusta-${{ env.RELEASE_VER }}.tgz to oci://ghcr.io/${{ github.repository_owner }}/charts. |

Sequence Diagram(s)

sequenceDiagram
  participant GH as GitHub Actions
  participant Runner as Workflow Runner
  participant GHCR as GitHub Container Registry (ghcr.io)
  participant Helm as Helm (cli)

  rect rgba(150,200,250,0.12)
    Note over GH,Runner: Release workflow executes
  end

  GH->>Runner: checkout + setup
  GH->>Runner: docker/login-action@v3 (registry: ghcr.io)
  Runner->>GHCR: authenticate using GITHUB_TOKEN
  GH->>Runner: run helm package helm/robusta
  Runner->>Helm: create robusta-${env.RELEASE_VER}.tgz
  GH->>Runner: run helm push robusta-${env.RELEASE_VER}.tgz oci://ghcr.io/.../charts
  Runner->>GHCR: push OCI chart artifact
  GHCR-->>Runner: accept/publish chart
  GH->>GH: workflow completes

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Single CI workflow file modified; config additions are straightforward.
  • Areas to check:
    • tarball name matches ${{ env.RELEASE_VER }} usage and packaging output,
    • helm push OCI syntax and Helm version/plugins available on runner,
    • GITHUB_TOKEN permissions and target repository ownership for GHCR publish.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'add oci chart release for robusta' is clear, specific, and directly describes the main change in the pull request. |
| Description check | ✅ Passed | The description references the linked issue (#1801) which is directly related to the changeset implementing OCI chart releases. |
| Linked Issues check | ✅ Passed | The PR implements the core objective from issue #1801: publishing Robusta Helm charts to an OCI repository by adding workflow steps to authenticate and push the chart. |
| Out of Scope Changes check | ✅ Passed | All changes in the pull request are directly related to implementing OCI chart releases as requested in the linked issue, with no extraneous modifications. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2cb9d5c and de65c13.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: run_tests
🔇 Additional comments (2)
.github/workflows/release.yaml (2)

127-137: Verify GITHUB_TOKEN permissions are sufficient for pushing to GHCR OCI registry.

The workflow uses ${{ secrets.GITHUB_TOKEN }} with the packages: write permission to authenticate to ghcr.io. According to GitHub's documentation, this should allow pushing to GHCR, but the interaction between GITHUB_TOKEN, docker/login-action, and helm push to OCI registries can have edge cases:

  • Confirm that GITHUB_TOKEN works for OCI (not just Docker v2) registry authentication to ghcr.io.
  • Test the helm push command in a PR or test environment to catch authentication errors before they reach production.
  • If helm push fails due to auth issues, you may need to use a PAT (Personal Access Token) with write:packages scope instead.

127-132: Helm OCI registry implementation looks sound, but verify implementation details match assumptions.

The docker/login-action to helm push flow is a documented and standard practice. Helm 3.x (including the v3.19.2 available on ubuntu-latest) natively reads Docker credentials from ~/.docker/config.json, so the authentication chain should work. OCI registry support is stable in Helm 3.8.0+, so no experimental flags are needed.

However, confirm these details in your implementation:

  1. Chart name in Chart.yaml: Verify the chart name is robusta to ensure helm package helm/robusta produces robusta-${{env.RELEASE_VER}}.tgz as expected in the push command.

  2. OCI repository path: Ensure the helm push command on line 137 uses the correct full OCI path format: oci://ghcr.io/${{ github.repository_owner }}/charts/robusta:${{ env.RELEASE_VER }} (including chart name and version tag).

  3. RELEASE_VER environment variable: Confirm that RELEASE_VER is properly set from the release tag and matches the version in Chart.yaml to avoid version mismatches.

The approach itself is sound and uses the official recommended pattern for publishing Helm charts to ghcr.io.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2618af6 and b19d53e.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: run_tests
🔇 Additional comments (2)
.github/workflows/release.yaml (2)

127-132: GitHub Container Registry login looks good.

The GHCR login is correctly configured with the standard docker/login-action@v3, ghcr.io registry, and GITHUB_TOKEN for authentication. The workflow permissions include packages: write, which is appropriate.


134-137: All helm push configuration verified as correct.

The three concerns have been confirmed:

  1. The helm push syntax for OCI registries in helm v3+ uses the format helm push <archive>.tgz oci://<registry>/<repo>, which matches your code.

  2. Filename matching will work: Chart.yaml version is updated to ${{env.RELEASE_VER}} (lines 49, 51) before helm package helm/robusta executes, so the generated .tgz will be named robusta-${{env.RELEASE_VER}}.tgz as expected.

  3. GHCR authentication is properly configured via the docker/login-action@v3 step (lines 127-132) with ${{ secrets.GITHUB_TOKEN }} before the helm push command.

The implementation is correct. Consider adding an explicit helm setup step if reproducibility across different runners is desired, but it's not required since helm is typically pre-installed on ubuntu-latest.
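
The checks listed in the review comments above (chart name in Chart.yaml, tarball named for RELEASE_VER, resulting OCI path) can be enforced on the packaged archive before `helm push` runs. The script below is an added example, not code from this PR or from Robusta's workflow; the function names are hypothetical, and the chart archive is a constructed sample that reuses the repository owner and pre-release version mentioned in this thread.

```bash
#!/usr/bin/env bash
# Added example, not part of the PR. Function names are hypothetical.

# Read one top-level scalar field (name, version) from Chart.yaml on stdin.
chart_field() {
  sed -n "s/^$1:[[:space:]]*//p" | head -n 1 | tr -d "\"'\r" | sed 's/[[:space:]]*$//'
}

# verify_chart_archive <archive.tgz> <chart-name> <release-version> <oci-repo>
# Prints the OCI reference helm push will create; non-zero on any mismatch.
verify_chart_archive() {
  local archive="$1" name="$2" version="$3" repo="$4" meta
  [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
  # helm package names its output <name>-<version>.tgz
  [ "$(basename "$archive")" = "$name-$version.tgz" ] ||
    { echo "archive name does not match $name-$version.tgz" >&2; return 1; }
  # Chart.yaml sits at <name>/Chart.yaml inside the archive
  meta=$(tar -xzOf "$archive" "$name/Chart.yaml" 2>/dev/null) ||
    { echo "no $name/Chart.yaml in archive" >&2; return 1; }
  [ "$(printf '%s\n' "$meta" | chart_field name)" = "$name" ] ||
    { echo "Chart.yaml name is not $name" >&2; return 1; }
  [ "$(printf '%s\n' "$meta" | chart_field version)" = "$version" ] ||
    { echo "Chart.yaml version is not $version" >&2; return 1; }
  echo "$repo/$name:$version"
}

# Constructed sample: a tiny chart archive laid out the way helm package does.
make_sample_chart() {
  local dir="$1" name="$2" version="$3"
  mkdir -p "$dir/$name"
  printf 'apiVersion: v2\nname: %s\nversion: %s\n' "$name" "$version" > "$dir/$name/Chart.yaml"
  tar -czf "$dir/$name-$version.tgz" -C "$dir" "$name"
}

demo() {
  local tmp
  tmp=$(mktemp -d)
  make_sample_chart "$tmp" robusta 0.30.1-alpha
  verify_chart_archive "$tmp/robusta-0.30.1-alpha.tgz" robusta 0.30.1-alpha \
    oci://ghcr.io/robusta-dev/charts
  rm -rf "$tmp"
}
demo
```

In a workflow this would run between `helm package` and `helm push`, so a stale Chart.yaml version fails the job instead of publishing a chart under the wrong tag.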

@DrFaust92
Contributor Author

@arikalon1 can this be looked at?

Contributor

@arikalon1 arikalon1 left a comment


Thanks for the contribution @DrFaust92

@arikalon1 arikalon1 merged commit 2dd0f63 into robusta-dev:master Dec 10, 2025
4 checks passed
@arikalon1
Contributor

@DrFaust92 Reviewed and merged - sorry for the slow turnaround
Thanks for the PR

@DrFaust92
Contributor Author

thanks arikalon1! it needs a release to test. lmk if there are any issues and I'll fix it

@arikalon1
Contributor

@DrFaust92 I created a pre-release to test it, 0.30.1-alpha
I think it works fine
Can you please double check it works as expected?

@DrFaust92
Contributor Author

@arikalon1 the action run looks fine but no artifact to pull

there should be something like this https://github.com/runatlantis/helm-charts/pkgs/container/charts%2Fatlantis
can you check on repo settings if this is disabled for some reason?

@arikalon1
Contributor

@DrFaust92 I think it's here: https://github.com/robusta-dev/robusta/pkgs/container/charts%2Frobusta
But I'm getting unauthorized when trying to pull it
Screenshot 2025-12-10 at 19 01 33

@arikalon1
Contributor

ok, it's defined as private - I'll check how to change that

@arikalon1
Contributor

@DrFaust92 can you check now?

@DrFaust92
Contributor Author

yes, thanks @arikalon1 it looks good now. lmk if you can release a stable version for this

@arikalon1
Contributor

we just released one yesterday @DrFaust92
The next one should be in 2 weeks or so


Successfully merging this pull request may close these issues.

OCI helm chart
