feat: Add chart (#1)

* feat: Add chart

* ci: Bump chart-testing-action version

* ci: Satisfy linter

* ci: Satisfy linter

* ci: Satisfy linter

* fix: Fix templates

* fix: Fix templates

* ci: Modify values

* fix: Fix priorityClass

* ci: Increase version

* ci: Increase versions

* feat: Add schedule timezones, documentation

* feat: Add schedule timezones, documentation

* feat: Add schedule timezones, documentation

* ci: Satify ci

* ci: Satify ci

* feat: Modifications

* chore(repo): Sync repository template

* chore(repo): Sync repository template

* ci(workflows): Use mise instead of asdf

* docs: Update README

* feat(chart): Add restrictive security context to containers

* fix(chart): Pin overprovisioning pause image version

* fix(chart): Update pause image version

* feat(chart): Add default labeling

* feat(keeper): Disable replicas when schedule is enabled

* feat(keeper): Use placeholders instead of map

* feat(keeper): Use placeholders instead of map

* feat(keeper): Add labels

* feat(keeper): Use placeholders instead of map

* docs(keeper): Update README

* feat(keeper): Adjust priorityClass values

* feat(keeper): Use official kubectl image

* ci: Update mise setup

* feat(keeper): Disable priorityclass creation if override provided

Author: Balsir

.github/workflows/cache-warmup.yaml

@@ -0,0 +1,40 @@
+name: Cache Warmup
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main # caches from the main branch are shared with all other branches and pull requests
+
+permissions:
+  contents: read
+
+env:
+  # renovate: datasource=github-releases depName=jdx/mise
+  MISE_VERSION: 2025.10.10
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          persist-credentials: false
+
+      - name: Setup Mise
+        uses: jdx/mise-action@e3d7b8d67a7958d1207f6ed871e83b1ea780e7b0 # v3.3.1
+        with:
+          version: ${{ env.MISE_VERSION }}
+
+      - name: Cache pre-commit
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cache/pre-commit
+          key: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}-warmup
+          restore-keys: ${{ runner.os }}-pre-commit-
+
+      - name: Run pre-commit
+        run: pre-commit install --install-hooks
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for GH API calls quota

.github/workflows/cleanup.yaml

@@ -0,0 +1,38 @@
+name: Cleanup
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [closed]
+
+permissions:
+  contents: read
+
+jobs:
+  metadata-collector:
+    uses: ./.github/workflows/metadata-collector.yaml
+
+  packages:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    needs: metadata-collector
+    strategy:
+      fail-fast: false
+      matrix:
+        chart: ${{ fromJSON(needs.metadata-collector.outputs.charts) }}
+    steps:
+      - name: GitHub Slug Action
+        uses: rlespinasse/github-slug-action@955b5ba4560860f8a633bd24190941f16016e42c # v5.1.0
+
+      - name: Cleanup Helm chart
+        run: |
+          gh api \
+            --method DELETE \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            /orgs/${{ github.repository_owner }}/packages/container/${PACKAGE_NAME} || true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PACKAGE_NAME: ${{ env.GITHUB_REPOSITORY_NAME_PART_SLUG_URL }}%2F${{ env.GITHUB_EVENT_REF_SLUG_URL || env.GITHUB_HEAD_REF_SLUG_URL }}%2F${{ matrix.chart }}

.github/workflows/helm-lint-test.yaml

@@ -0,0 +1,42 @@
+name: Metadata collector
+
+on:
+  workflow_call:
+    outputs:
+      charts:
+        description: "List of changed charts within the repository"
+        value: ${{ jobs.chart-list.outputs.charts }}
+
+permissions:
+  contents: read
+
+jobs:
+  chart-list:
+    runs-on: ubuntu-24.04
+    outputs:
+      charts: ${{ steps.changed-charts.outputs.all_changed_files || steps.changed-charts-tag.outputs.all_changed_files }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # pragma: allowlist secret
+        with:
+          persist-credentials: true # needed for private repositories
+
+      - name: Get changed charts without tag
+        uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46.0.5
+        id: changed-charts
+        if: github.ref_type != 'tag'
+        with:
+          dir_names: true
+          dir_names_max_depth: 1
+          path: charts
+          matrix: true
+
+      - name: Get changed chart using tag
+        if: github.ref_type == 'tag'
+        id: changed-charts-tag
+        run: |
+          # Extract tag name which triggered this workflow: refs/tags/my-chart-1.2.3 -> my-chart-1.2.3
+          TAG_REF="${GITHUB_REF#refs/tags/}"
+          # Extract chart name from tag name by removing the version part: my-chart-1.2.3 -> my-chart
+          CHART_NAME="${TAG_REF%%-[0-9]*}"
+          echo "all_changed_files=[\"${CHART_NAME}\"]" >> $GITHUB_OUTPUT

.github/workflows/helm-release.yaml

@@ -0,0 +1,183 @@
+name: Pull Request
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - charts/**
+
+permissions:
+  contents: read
+
+concurrency:
+  group: pull-request-${GITHUB_REF}
+  cancel-in-progress: false
+
+env:
+  # renovate: datasource=github-releases depName=jdx/mise
+  MISE_VERSION: 2025.10.10
+  # renovate: datasource=github-releases depName=helm/helm
+  HELM_VERSION: v3.18.6
+  # renovate: datasource=github-tags depName=python/cpython
+  PYTHON_VERSION: v3.13.7
+  # renovate: datasource=github-releases depName=helm/chart-testing-action
+  CHART_TESTING_VERSION: v3.13.0
+  # renovate: datasource=github-releases depName=adrienverge/yamllint
+  CHART_TESTING_YAMLLINT_VERSION: v1.37.1
+  # renovate: datasource=github-releases depName=23andMe/Yamale
+  CHART_TESTING_YAMALE_VERSION: 6.0.0
+
+jobs:
+  metadata-collector:
+    uses: ./.github/workflows/metadata-collector.yaml
+
+  version-check:
+    uses: ./.github/workflows/version-check.yaml
+
+  pre-commit:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          persist-credentials: false
+
+      - name: Setup Mise
+        uses: jdx/mise-action@e3d7b8d67a7958d1207f6ed871e83b1ea780e7b0 # v3.3.1
+        with:
+          version: ${{ env.MISE_VERSION }}
+
+      - name: Cache pre-commit
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        with:
+          path: ~/.cache/pre-commit
+          key: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+          restore-keys: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}-
+
+      - name: Run pre-commit
+        run: pre-commit run --show-diff-on-failure --color=always --all-files
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for GH API calls quota
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # required for zizmor
+
+  artifacthub-lint:
+    runs-on: ubuntu-24.04
+    container:
+      image: docker.io/artifacthub/ah:v1.21.0 # referencing version via env variable not supported in GHA
+      options: --user=root
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run Artifact Hub lint
+        working-directory: ./charts/
+        run: ah lint
+
+  chart-testing:
+    runs-on: ubuntu-24.04
+    needs: [pre-commit, artifacthub-lint, metadata-collector, version-check]
+    strategy:
+      fail-fast: false
+      matrix:
+        chart: ${{ fromJSON(needs.metadata-collector.outputs.charts) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        with:
+          version: ${{ env.CHART_TESTING_VERSION }}
+          yamllint_version: ${{ env.CHART_TESTING_YAMLLINT_VERSION }}
+          yamale_version: ${{ env.CHART_TESTING_YAMALE_VERSION }}
+
+      - name: Build Helm dependencies
+        # Build Helm chart dependencies locally to support both chart-testing lint and install operations.
+        # This allows using the --skip-helm-dependencies flag with chart-testing commands, eliminating the need for separate repository configurations during testing.
+        run: scripts/helm-dependency-build.sh $CHART_NAME
+        env:
+          CHART_NAME: ${{ matrix.chart }}
+
+      - name: Run chart-testing (lint)
+        # zizmor:ignore-template-injection
+        run: ct lint --target-branch main --validate-maintainers=false --check-version-increment=false --lint-conf .yamllint.yaml --charts charts/${CHART_NAME}
+        env:
+          CHART_NAME: ${{ matrix.chart }}
+
+      - name: Determine chart type
+        id: chart-type
+        run: echo "type=$(yq -r '.type' charts/${CHART_NAME}/Chart.yaml)" >> $GITHUB_OUTPUT
+        env:
+          CHART_NAME: ${{ matrix.chart }}
+
+      - name: Create kind cluster
+        if: ${{ steps.chart-type.outputs.type == 'application' }} # Only run installation tests for application charts, skip library charts
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+
+      # FIXME config: Place custom steps to install CRDs or other dependencies here
+
+      - name: Run chart-testing (install)
+        if: ${{ steps.chart-type.outputs.type == 'application' }} # Only run installation tests for application charts, skip library charts
+        # zizmor:ignore-template-injection
+        run: ct install --target-branch main --charts charts/${CHART_NAME}
+        env:
+          CHART_NAME: ${{ matrix.chart }}
+
+  release:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+    needs: [chart-testing, metadata-collector, version-check]
+    strategy:
+      fail-fast: false
+      matrix:
+        chart: ${{ fromJSON(needs.metadata-collector.outputs.charts) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: ${{ env.HELM_VERSION }}
+
+      - name: GitHub Slug Action
+        uses: rlespinasse/github-slug-action@955b5ba4560860f8a633bd24190941f16016e42c # v5.1.0
+
+      - name: Build Helm dependencies
+        # Build Helm chart dependencies locally to support both chart-testing lint and install operations.
+        # This allows using the --skip-helm-dependencies flag with chart-testing commands, eliminating the need for separate repository configurations during testing.
+        run: scripts/helm-dependency-build.sh $CHART_NAME
+        env:
+          CHART_NAME: ${{ matrix.chart }}
+
+      - name: Publish Helm chart
+        # FIXME config: Add dependency repositories
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io --username ${GITHUB_ACTOR} --password-stdin
+
+          helm package charts/${CHART_NAME}
+          helm push "$(realpath ${CHART_NAME}-*.tgz)" oci://ghcr.io/${REPOSITORY_NAME}
+
+          helm registry logout ghcr.io
+        env:
+          REPOSITORY_NAME: ${{ github.repository }}/${{ env.GITHUB_EVENT_REF_SLUG || env.GITHUB_HEAD_REF_SLUG }}
+          CHART_NAME: ${{ matrix.chart }}