ci(helm): publish chart to GHCR on chart-v* tags #1372
Merged
The helm-chart workflow only linted/unit-tested/render-checked the chart;
nothing published it, so `oci://ghcr.io/block/buzz/charts/buzz` (the install
ref the chart README documents) did not exist. Downstream consumers had to
vendor the chart by hand.

Add a `publish` job to helm-chart.yml that packages the chart and pushes it
to GHCR as an OCI artifact, mirroring docker.yml's relay-image publish:
GITHUB_TOKEN GHCR login, `packages: write`, and a `GHCR_CHART_REPO` repo-var
override for forks. It fires only on a `chart-v*` tag push or the auto-tag
rescue dispatch — never on `main` pushes or PRs — so an in-progress `main`
can never overwrite a released chart version. It fails loudly if the tag
version and Chart.yaml version disagree.

Wire a fourth `chart-release/<v>` lane into
auto-tag-on-release-pr-merge.yml (tag `chart-v<v>`, dispatch helm-chart.yml),
matching the existing desktop and relay lanes, and update the chart README's
stale "OCI publish is a follow-up" note with a Releasing section.

Top-level `permissions: {}` with per-job grants, consistent with docker.yml.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
A `paths` filter under `on.push` is applied to tag pushes too, so a `chart-v*` tag whose commit didn't modify a chart file would be filtered out and the publish job would never run. This is the only workflow in the repo that combined `push.tags` with `push.paths`; docker.yml, release.yml, and sprig.yml all deliberately keep `paths` out of a tag-carrying `push` for this exact reason. PR runs stay scoped via `pull_request.paths`; main pushes now lint unconditionally (cheap), and tag pushes always run so publish can fire.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
Co-authored-by: npub12gtutshhh76rx0jx697f32f9tffd4hhp3hx58fp4x6u4uemkm7sqf8f757 <5217c5c2f7bfb4333e46d17c98a9255a52dadee18dcd43a43536b95e6776dfa0@sprout-oss.stage.blox.sqprod.co>
Signed-off-by: npub12gtutshhh76rx0jx697f32f9tffd4hhp3hx58fp4x6u4uemkm7sqf8f757 <5217c5c2f7bfb4333e46d17c98a9255a52dadee18dcd43a43536b95e6776dfa0@sprout-oss.stage.blox.sqprod.co>
wpfleger96 pushed a commit that referenced this pull request Jun 30, 2026
…work * origin/main: (25 commits) fix(thread): stop mid-scroll content jump in live threads (#1397) fix(ci): restore main to green — tauri fmt, personas.rs file-size split, Windows path test (#1399) fix(desktop): enable buzz-dev-mcp MCP server for Codex agents (#1394) fix(ci): restore E2E flakiness fixes for pgschema, docker-pull, and spec timing (#1396) fix(personas): persist pack-backed persona UI edits across reboot (#1392) fix(buzz-acp): clear steer_rx on all run_prompt_task exit paths (#1391) Restore channel date divider rule (#1395) Speed up profile wave action (#1379) Restore visible links for rich previews (#1378) Mobile channel list polish (#1367) style(desktop): unify corner radii to rounded-2xl (16px) (#1393) fix(desktop): skip keychain write when blob contents are unchanged (#1377) fix(desktop): stop clipping the agent-activity row under the composer (#1371) Constrain macOS overscroll to conversations (#1317) Mobile appearance foundation (#1366) chore(release): release Buzz Desktop version 0.3.38 (#1375) feat(desktop): provider-agnostic model selection + databricks discovery (#1307) release(helm): buzz chart 0.1.1 (#1374) Harden relay attack surfaces (#1369) ci(helm): publish chart to GHCR on chart-v* tags (#1372) ...
What

The `helm chart` workflow only lints / unit-tests / render-checks the chart — nothing publishes it. So `oci://ghcr.io/block/buzz/charts/buzz` (the install ref the chart README already documents) does not exist, and downstream consumers (e.g. the `buzz-oss` ArgoCD app in `block-coder-tf-stacks`) have had to vendor the chart by hand.

This PR makes the chart a real published OCI artifact.

How

`helm-chart.yml` — new `publish` job. Packages the chart and `helm push`es it to GHCR, mirroring `docker.yml`'s relay-image publish:

- `GITHUB_TOKEN` GHCR login, `packages: write`, pinned action SHAs.
- `GHCR_CHART_REPO` repo-var override so forks can push to their own namespace without editing the file (mirrors `docker.yml`'s `GHCR_IMAGE`).
- `chart-v*` tag push or the auto-tag rescue dispatch — never on `main` pushes or PRs, so an in-progress `main` can never overwrite a released chart version.
- `Chart.yaml`'s `version` disagree (no mislabeled artifacts).
- `lint-and-unittest` job (`needs:`), which runs on the tag push.

`auto-tag-on-release-pr-merge.yml` — fourth `chart-release/<v>` lane. Tags `chart-v<v>` and dispatches `helm-chart.yml`, identical machinery to the existing desktop (`version-bump/`) and relay (`relay-release/`) lanes. One `case` branch + one dispatch mapping.

`README.md` — replaced the stale "OCI publish is a follow-up" note with a `Releasing` section.

`permissions: {}` with per-job grants, consistent with `docker.yml`.

Release flow

Push a `chart-release/<version>` branch (with `<version>` == `Chart.yaml` version); merging it auto-tags `chart-v<version>` → dispatches the publish job → `oci://ghcr.io/block/buzz/charts/buzz:<version>`.

Validation (local, no publish performed)

- `actionlint .github/workflows/helm-chart.yml` → clean. (The one SC2129 style note in `auto-tag-*.yml` is pre-existing on `main`, not from this PR.)
- `helm dependency build` + `helm package deploy/charts/buzz` → produces `buzz-0.1.0.tgz`, exactly the filename the push step references.
- `0.1.0`, semver-validates, matches `Chart.yaml`.

Follow-ups (out of scope, noted in README)

- `chart-v0.1.0` is cut, the `block-coder-tf-stacks` `buzz-oss` app can drop its vendored chart copy and point at `oci://ghcr.io/block/buzz/charts`.
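
The tag-versus-`Chart.yaml` guard described above, sketched as an added example; it is not the workflow's actual step or the project's code. The function names are hypothetical, the `Chart.yaml` is constructed, and only the tag-push path is covered, assuming the ref arrives as `refs/tags/chart-v<version>`.

```shell
# Added illustration; function names are hypothetical, not the workflow's own.

# Approximation of SemVer 2.0.0: numeric core without leading zeros,
# optional pre-release and build metadata.
SEMVER_RE='^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'

# Print the version carried by a ref such as refs/tags/chart-v0.1.0.
# Fails for branch refs, other tag prefixes, and non-SemVer suffixes.
chart_version_from_ref() (
  case $1 in
    refs/tags/chart-v*) version=${1#refs/tags/chart-v} ;;
    *) exit 1 ;;
  esac
  printf '%s\n' "$version" | grep -Eq "$SEMVER_RE" || exit 1
  printf '%s\n' "$version"
)

# Print the top-level `version:` of a Chart.yaml. appVersion and the indented
# versions of dependencies do not match the anchored pattern.
chart_yaml_version() {
  awk '/^version:/ { v = $2; gsub(/[^0-9A-Za-z.+-]/, "", v); print v; exit }' "$1"
}

# Print the release version only when tag and Chart.yaml agree; otherwise
# explain on stderr and fail, so nothing is packaged or pushed.
verify_chart_release() (
  tag_version=$(chart_version_from_ref "$1") ||
    { echo "refusing to publish: '$1' is not a chart-v<semver> tag" >&2; exit 1; }
  file_version=$(chart_yaml_version "$2")
  if [ "$tag_version" != "$file_version" ]; then
    echo "refusing to publish: tag $tag_version, Chart.yaml ${file_version:-<none>}" >&2
    exit 1
  fi
  printf '%s\n' "$tag_version"
)

# Constructed sample metadata (not the project's real Chart.yaml).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/Chart.yaml" <<'EOF'
apiVersion: v2
name: buzz
version: 0.1.0
appVersion: "9.9.9"
dependencies:
  - name: example-dep
    version: 1.2.3
EOF
verify_chart_release refs/tags/chart-v0.1.0 "$demo_dir/Chart.yaml"
```

Running the guard before `helm package` means a mismatched tag stops the job before any artifact exists to push.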