feat(helm): add OCI registry publishing workflow for GHCR (#226)

* feat(helm): add OCI registry publishing workflow for GHCR

Publishes charts to ghcr.io on version tags. Includes test trigger on feat/helm-oci-registry branch.

* fix(helm): publish all charts with synchronized versions

Updates all chart versions and fhir dependency version to enable nuts-knooppunt packaging.

* feat(helm): prefix chart names with 'helm-' to distinguish from Docker images

* fix(helm): update fhir dependency repository to OCI for user installations

* chore(helm): re-add test branch trigger for validation

* fix(helm): reorder workflow to publish standalone charts before dependencies

Resolves chicken-and-egg problem where helm dependency update failed because
helm-fhir wasn't published yet. Now:
1. Package and push standalone charts (fhir, pep) first
2. Update nuts-knooppunt to use OCI dependencies
3. Run helm dependency update (helm-fhir now exists on GHCR)
4. Package and push helm-nuts-knooppunt

* chore(helm): remove test branch trigger from workflow

* refactor(helm): use Chart.yaml as source of truth for versions

- Rename charts to helm-* prefix in Chart.yaml
- Update fhir dependency to OCI registry in nuts-knooppunt Chart.yaml
- Remove version override logic from workflow
- Chart versions now managed manually in Chart.yaml files

* chore(helm): re-add test branch trigger

* chore(helm): remove unused version extraction step

* chore(helm): removed test branch

* docs(helm): add README explaining versioning and publishing workflow

* chore(helm): update Chart.lock and add concurrency comment

* refactor(helm): implement automated chart versioning

Split Helm chart publishing into 3 separate workflows:
- nuts-knooppunt: coupled versioning from git tags
- fhir/pep: independent versioning on path changes

Changes:
- Auto-version nuts-knooppunt chart from git tags
- Add PEP as optional dependency
- Set version/appVersion to 0.0.0 placeholders
- Empty image.tag to use Chart.AppVersion
- Update README with versioning strategies

Addresses feedback on PR #226 requiring deterministic
version management and reducing manual sync errors

* Apply suggestions from code review

`pep` was missing from some comments

Co-authored-by: Copilot <[email protected]>

* chore(helm): bump helm-pep and pep chart versions to 0.1.1 - testing CI

* chore(helm): remove feat/helm-oci-registry branch from publish workflows as tests succeeded

* docs(helm): clarify versioning strategies and fix fhir appVersion

- Fix helm-fhir appVersion: 1.16.0 -> 7.2.0 (match actual HAPI version)
- Clarify automatic (nuts-knooppunt) vs manual (fhir/pep) versioning
- Explain independent release cycles (PEP changes infrequently, FHIR follows HAPI)
- Add critical warning about chart version bumps (OCI immutability)
- Add semantic versioning guide (patch/minor/major)
- Add concrete examples for HAPI upgrade and chart config fixes

---------

Co-authored-by: Copilot <[email protected]>

Author: JorisHeadease

.github/workflows/publish-helm-fhir.yaml

@@ -0,0 +1,54 @@
+---
+name: "Publish Helm Chart - fhir"
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "helm/fhir/**"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-fhir:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: "3.14.0"
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Package and push helm-fhir chart
+        run: |
+          # Package helm-fhir
+          helm package helm/fhir -d .helm-packages
+
+          # Push to GHCR
+          helm push .helm-packages/helm-fhir-*.tgz oci://ghcr.io/${{ github.repository_owner }}
+
+      - name: Output published chart
+        run: |
+          FHIR_VERSION=$(grep "^version:" helm/fhir/Chart.yaml | awk '{print $2}')
+
+          echo "Published Helm chart:"
+          echo "  - oci://ghcr.io/${{ github.repository_owner }}/helm-fhir:$FHIR_VERSION"
+          echo ""
+          echo "Install with:"
+          echo "  helm install my-fhir oci://ghcr.io/${{ github.repository_owner }}/helm-fhir --version $FHIR_VERSION"

.github/workflows/publish-helm-nuts-knooppunt.yaml

@@ -0,0 +1,81 @@
+---
+name: "Publish Helm Chart - nuts-knooppunt"
+
+on:
+  push:
+    tags:
+      - "v*"
+  workflow_dispatch:
+
+# cancel build action if superseded by new commit on same branch (not needed for tag builds, leaving it in when it also builds on branches)
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-knooppunt:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: "3.14.0"
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            VERSION=${GITHUB_REF#refs/tags/v}
+          else
+            # For workflow_dispatch, use version from Chart.yaml
+            VERSION=$(grep "^version:" helm/nuts-knooppunt/Chart.yaml | awk '{print $2}')
+          fi
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Extracted version: $VERSION"
+
+      - name: Update nuts-knooppunt chart version
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          # Update nuts-knooppunt chart version/appVersion from git tag
+          sed -i "s/^version:.*/version: $VERSION/" helm/nuts-knooppunt/Chart.yaml
+          sed -i "s/^appVersion:.*/appVersion: \"$VERSION\"/" helm/nuts-knooppunt/Chart.yaml
+
+          echo "Updated nuts-knooppunt chart to version $VERSION"
+
+      - name: Update chart dependencies
+        run: |
+          cd helm/nuts-knooppunt
+          # Pull dependencies (helm-fhir, helm-pep, nuts-node-chart) from their registries
+          helm dependency update
+
+      - name: Package and push nuts-knooppunt chart
+        run: |
+          # Package nuts-knooppunt (with resolved dependencies)
+          helm package helm/nuts-knooppunt -d .helm-packages
+
+          # Push to GHCR
+          helm push .helm-packages/helm-nuts-knooppunt-*.tgz oci://ghcr.io/${{ github.repository_owner }}
+
+      - name: Output published chart
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+
+          echo "Published Helm chart:"
+          echo "  - oci://ghcr.io/${{ github.repository_owner }}/helm-nuts-knooppunt:$VERSION"
+          echo ""
+          echo "Install with:"
+          echo "  helm install my-knooppunt oci://ghcr.io/${{ github.repository_owner }}/helm-nuts-knooppunt --version $VERSION"

.github/workflows/publish-helm-pep.yaml

@@ -0,0 +1,54 @@
+---
+name: "Publish Helm Chart - pep"
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "helm/pep/**"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  publish-pep:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: "3.14.0"
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Package and push helm-pep chart
+        run: |
+          # Package helm-pep
+          helm package helm/pep -d .helm-packages
+
+          # Push to GHCR
+          helm push .helm-packages/helm-pep-*.tgz oci://ghcr.io/${{ github.repository_owner }}
+
+      - name: Output published chart
+        run: |
+          PEP_VERSION=$(grep "^version:" helm/pep/Chart.yaml | awk '{print $2}')
+
+          echo "Published Helm chart:"
+          echo "  - oci://ghcr.io/${{ github.repository_owner }}/helm-pep:$PEP_VERSION"
+          echo ""
+          echo "Install with:"
+          echo "  helm install my-pep oci://ghcr.io/${{ github.repository_owner }}/helm-pep --version $PEP_VERSION"

helm/README.md

@@ -0,0 +1,141 @@
+# Helm Charts
+
+This directory contains Helm charts for nuts-knooppunt and its components.
+
+## Available Charts
+
+- `helm-nuts-knooppunt` - Main chart with fhir, pep, and nuts-node dependencies
+- `helm-fhir` - HAPI FHIR server (standalone)
+- `helm-pep` - Policy Enforcement Point (standalone)
+
+## Version Management
+
+Different charts have different versioning strategies:
+
+- **helm-nuts-knooppunt**: Automatic versioning (set by git tag)
+- **helm-fhir**: Manual versioning (set in Chart.yaml)
+- **helm-pep**: Manual versioning (set in Chart.yaml)
+
+**Why automatic for nuts-knooppunt?**
+
+This chart is only published on git tags, which by definition indicate app changes. Automatically coupling chart version to git tag simplifies versioning: `helm install --version 0.2.0` always deploys app v0.2.0.
+
+**Why manual for fhir/pep?**
+
+These components have independent release cycles from nuts-knooppunt:
+- **PEP**: Reference implementation, changes infrequently
+- **FHIR**: Third-party HAPI server, follows HAPI release schedule
+
+Following Helm best practices (Bitnami, Prometheus, etc.), chart version is managed manually and tracks chart development separately from app version. This allows:
+- Chart bug fixes without app version changes (0.1.0 → 0.1.1)
+- App upgrades with chart version bump (0.2.0 → 0.3.0 when upgrading HAPI 7.2.0 → 7.4.0)
+- Flexibility to release chart improvements independent of app releases
+
+### Releasing nuts-knooppunt
+
+The nuts-knooppunt chart version is coupled to the application version.
+
+1. Go to GitHub → [Releases](https://github.com/nuts-foundation/nuts-knooppunt/releases) → "Draft a new release"
+2. Choose a tag (e.g., `v0.2.0`) or create a new one
+3. Add release title and notes describing changes
+4. Click "Publish release"
+
+GitHub Actions automatically:
+- Extracts version from tag (`v0.2.0` → `0.2.0`)
+- Updates `helm/nuts-knooppunt/Chart.yaml` with `version` and `appVersion`
+- Pulls dependencies (helm-fhir, helm-pep, nuts-node-chart) from their registries
+- Packages and publishes helm-nuts-knooppunt to GHCR
+
+**Note:** The workflow runs on any git tag matching `v*`.
+
+**Result:** `helm install --version 0.2.0` deploys exactly application v0.2.0.
+
+### Updating helm-fhir or helm-pep
+
+These charts are published automatically when their directories change on the `main` branch.
+
+**⚠️ CRITICAL: Always bump chart version when changing image tags or config. OCI registries are immutable - publishing the same version twice overwrites the existing chart.**
+
+**Semantic versioning guide:**
+- **Patch (0.1.0 → 0.1.1)**: Chart bug fixes, config tweaks, same app version
+- **Minor (0.1.0 → 0.2.0)**: New app version, backwards compatible
+- **Major (0.1.0 → 1.0.0)**: Breaking chart changes (renamed values, removed features)
+
+**Example: Upgrading HAPI FHIR**
+
+1. Update `helm/fhir/Chart.yaml`:
+   ```yaml
+   version: 0.2.0        # Bump minor (new HAPI version)
+   appVersion: "7.4.0"   # New HAPI version
+   ```
+
+2. Update `helm/fhir/values.yaml`:
+   ```yaml
+   image:
+     tag: v7.4.0         # New HAPI FHIR image
+   ```
+
+3. Update `helm/nuts-knooppunt/Chart.yaml` dependency:
+   ```yaml
+   dependencies:
+     - name: helm-fhir
+       version: "0.2.0"  # Reference new chart version
+   ```
+
+4. Create PR, merge to `main` → workflow automatically publishes helm-fhir:0.2.0
+
+5. Create new nuts-knooppunt release (e.g., `v0.2.1`) to include the new FHIR version
+
+**Example: Chart config fix (no HAPI upgrade)**
+
+1. Update `helm/fhir/Chart.yaml`:
+   ```yaml
+   version: 0.1.1        # Bump patch (config fix only)
+   appVersion: "7.2.0"   # Same HAPI version
+   ```
+
+2. Fix config in templates or values.yaml
+
+3. Merge to `main` → workflow publishes helm-fhir:0.1.1
+
+**Same process for helm-pep**: Always bump chart version when changing anything.
+
+## Published Charts
+
+Charts are available at GitHub Container Registry:
+```
+oci://ghcr.io/nuts-foundation/helm-nuts-knooppunt
+oci://ghcr.io/nuts-foundation/helm-fhir
+oci://ghcr.io/nuts-foundation/helm-pep
+```
+
+## Installation
+
+```bash
+# Install specific release version
+helm install my-knooppunt oci://ghcr.io/nuts-foundation/helm-nuts-knooppunt --version 0.2.0
+
+# Override specific values
+helm install my-knooppunt oci://ghcr.io/nuts-foundation/helm-nuts-knooppunt \
+  --version 0.2.0 \
+  --set replicaCount=3
+
+# Use custom image tag (not recommended - breaks version coupling)
+helm install my-knooppunt oci://ghcr.io/nuts-foundation/helm-nuts-knooppunt \
+  --version 0.2.0 \
+  --set image.tag=custom-build
+```
+
+## Development
+
+For local development and testing:
+
+```bash
+# Package charts locally
+helm package helm/fhir -d .helm-packages
+helm package helm/pep -d .helm-packages
+helm package helm/nuts-knooppunt -d .helm-packages
+
+# Install from local package
+helm install my-knooppunt .helm-packages/helm-nuts-knooppunt-*.tgz
+```

helm/fhir/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-name: fhir
+name: helm-fhir
 description: A Helm chart for Kubernetes
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+appVersion: "7.2.0"

helm/nuts-knooppunt/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
-- name: fhir
-  repository: file://../fhir
+- name: helm-fhir
+  repository: oci://ghcr.io/nuts-foundation
   version: 0.1.0
 - name: nuts-node-chart
   repository: https://nuts-foundation.github.io/nuts-node/
   version: 0.0.6
-digest: sha256:f2f74a65adf4eb1c904fda043fcf11ad7d29803c368575c623b064be88921fb4
-generated: "2025-10-31T13:12:41.463572+01:00"
+digest: sha256:6e7f70c7d8edae18899db995121e561da1f37853cb993649a108b47e746f7ec4
+generated: "2025-11-03T12:13:17.673569+01:00"

helm/nuts-knooppunt/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-name: nuts-knooppunt
+name: helm-nuts-knooppunt
 description: Helm chart for nuts-knooppunt
 
 # A chart can be either an 'application' or a 'library' chart.
@@ -15,19 +15,25 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.3
+# NOTE: Automatically set by CI/CD from git tag version.
+version: 0.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.16.0"
+# NOTE: Automatically set by CI/CD from git tag version.
+appVersion: "0.0.0"
 
 dependencies:
-  - name: fhir
+  - name: helm-fhir
     condition: fhir.enabled
-    repository: file://../fhir
+    repository: oci://ghcr.io/nuts-foundation
     version: "0.1.0"
+  - name: helm-pep
+    condition: pep.enabled
+    repository: oci://ghcr.io/nuts-foundation
+    version: "0.1.1"
   - name: nuts-node-chart
     alias: nuts
     condition: nuts.enabled