Add CI check to verify Helm chart image references are pullable (#222)

<!--- Note to EXTERNAL Contributors -->
<!-- Thanks for opening a PR! 
If it is a significant code change, please **make sure there is an open
issue** for this.
We work best with you when we have accepted the idea first before you
code. -->

<!--- For ALL Contributors 👇 -->

## What was changed
Uses crane to verify all container image references rendered by the Helm
chart exist in their registries, catching broken or deprecated registry
paths (e.g. gcr.io deprecation) on every PR and weekly.

## Why?
We missed an un-pullable image (maintainer changed the image registry)
which needed to be fixed by #219 . Don't want that to happen again

## Checklist
<!--- add/delete as needed --->

1. Closes <!-- add issue number here -->

2. How was this tested:
<!--- Please describe how you tested your changes/how we can test them
-->

3. Any docs updates needed?
<!--- update README if applicable
      or point out where to update docs.temporal.io -->

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: carlydf

.github/workflows/helm-image-check.yml

@@ -0,0 +1,75 @@
+name: Helm Image Check
+
+on:
+  push:
+    branches: [main]
+    paths: ["helm/**"]
+  pull_request:
+    paths: ["helm/**"]
+  schedule:
+    - cron: "0 9 * * 1"  # Weekly Monday 9am UTC — catches registry deprecations
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  check-images:
+    name: Verify Helm Chart Images Exist
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.14.3
+
+      - name: Install crane
+        uses: imjasonh/setup-crane@v0.4
+
+      - name: Render chart and verify images
+        run: |
+          set -euo pipefail
+
+          # Render all config variants (mirrors helm-validate.yml) so images behind
+          # non-default flags are also checked
+          helm template test-release helm/temporal-worker-controller \
+            > /tmp/rendered-default.yaml
+          helm template test-release helm/temporal-worker-controller \
+            --set namespace.create=true \
+            > /tmp/rendered-namespace.yaml
+          helm template test-release helm/temporal-worker-controller \
+            --set authProxy.enabled=false \
+            --set metrics.disableAuth=true \
+            > /tmp/rendered-no-auth.yaml
+
+          # Union all image: values across all renders
+          images=$(cat /tmp/rendered-default.yaml /tmp/rendered-namespace.yaml /tmp/rendered-no-auth.yaml \
+            | grep -E '^\s+image:' \
+            | sed 's/.*image:[[:space:]]*//' \
+            | tr -d '"' \
+            | sort -u)
+
+          echo "Images to verify:"
+          echo "$images"
+          echo ""
+
+          failed=0
+          while IFS= read -r image; do
+            [ -z "$image" ] && continue
+            echo -n "Checking $image ... "
+            if crane manifest "$image" > /dev/null 2>&1; then
+              echo "OK"
+            else
+              echo "FAILED"
+              failed=1
+            fi
+          done <<< "$images"
+
+          if [ "$failed" -ne 0 ]; then
+            echo ""
+            echo "One or more images could not be verified."
+            echo "Update image references to valid, accessible registry paths."
+            exit 1
+          fi

helm/temporal-worker-controller/templates/manager.yaml

@@ -107,7 +107,7 @@ spec:
           capabilities:
             drop:
               - "ALL"
-        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
+        image: registry.k8s.io/kubebuilder/kube-rbac-proxy:v0.14.1
         args:
           - "--secure-listen-address=0.0.0.0:8443"
           - --upstream=http://127.0.0.1:{{ .Values.metrics.port }}/