feat: add Helm chart publishing workflow to release process

[stearz]

What type of PR is this?

feature

What this PR does / why we need it:

Github action that releases the helm chart to separate heln
repo

Which issue(s) this PR is related to:

Fixes #805
Fixes #781

Special notes for your reviewer:

The target repository still needs to be created manually:

# Setup Helm Chart Repository

This guide describes how to set up the `kelos-dev/helm-charts` repository to automatically publish Helm charts via GitHub Actions.

## Prerequisites

- GitHub repository `kelos-dev/helm-charts` must exist
- Admin access to both `kelos-dev/kelos` and `kelos-dev/helm-charts` repositories

## Setup Steps

### 1. Create and Initialize the Helm Charts Repository

Create the repository on GitHub:

    gh repo create kelos-dev/helm-charts --public

Clone it locally:

    git clone https://github.com/kelos-dev/helm-charts.git
    cd helm-charts

Initialize main branch with README:

    echo "# Kelos Helm Charts" > README.md
    echo "" >> README.md
    echo "## Usage" >> README.md
    echo "" >> README.md
    echo '```bash' >> README.md
    echo "helm repo add kelos https://kelos-dev.github.io/helm-charts" >> README.md
    echo "helm repo update" >> README.md
    echo "helm install kelos kelos/kelos" >> README.md
    echo '```' >> README.md

    git add README.md
    git commit -m "Initialize Helm chart repository"
    git push origin main

### 2. Enable GitHub Pages

1. Go to repository **Settings** → **Pages**
2. Under **Source**, select:
   - Branch: **`main`**
   - Folder: **`/ (root)`**
3. Click **Save**
4. GitHub Pages will be available at: `https://kelos-dev.github.io/helm-charts`

### 3. Create Personal Access Token (PAT)

1. Go to GitHub **Settings** → **Developer settings** → **Personal access tokens** → **Fine-grained tokens**
2. Click **Generate new token**
3. Configure the token:
   - **Token name**: `kelos-helm-chart-publisher`
   - **Expiration**: Choose appropriate expiration (e.g., 1 year)
   - **Repository access**: **Only select repositories** → Select `kelos-dev/helm-charts`
   - **Permissions**:
     - Repository permissions → **Contents**: **Read and write**
4. Click **Generate token**
5. Copy the token (you won't be able to see it again)

### 4. Add Token as Secret to kelos Repository

1. Go to `kelos-dev/kelos` repository
2. Navigate to **Settings** → **Secrets and variables** → **Actions**
3. Click **New repository secret**
4. Add the secret:
   - **Name**: `HELM_CHARTS_TOKEN`
   - **Value**: Paste the PAT from step 3
5. Click **Add secret**

## Testing the Setup

Once everything is configured, the Helm chart will be automatically published when you create a new release tag:

Example: Create a new release:

    git tag v1.0.0
    git push origin v1.0.0

The GitHub Actions workflow will:
1. Build and package the Helm chart
2. Update the chart version to match the release tag
3. Push the chart to `kelos-dev/helm-charts` repository
4. Update the Helm repository index

## Using the Published Chart

After the first release, users can install Kelos using Helm:

Add the Helm repository:

    helm repo add kelos https://kelos-dev.github.io/helm-charts

Update repository index:

    helm repo update

Install Kelos with specific version:

    helm install kelos kelos/kelos --version 1.0.0

Or install latest version:

    helm install kelos kelos/kelos

## Troubleshooting

- **GitHub Actions fails with authentication error**: Verify that `HELM_CHARTS_TOKEN` secret is set correctly
- **Charts not showing up**: Check GitHub Pages is enabled and pointing to `main` branch
- **`helm repo add` fails**: Wait a few minutes for GitHub Pages to deploy after the first push

Does this PR introduce a user-facing change?

users can now install kelos using the official helm chart repo

users can now install kelos from the official helm chart repo https://kelos-dev.github.io/helm-charts

[CLAassistant]

All committers have signed the CLA.

[cubic-dev-ai]

2 issues found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yaml">

<violation number="1" location=".github/workflows/release.yaml:95">
P2: Release workflow uses unpinned Helm version (`latest`), making chart publishing non-reproducible and susceptible to upstream changes.</violation>

<violation number="2" location=".github/workflows/release.yaml:141">
P2: `git commit` runs unconditionally; if there are no changes (e.g., rerun tag), it exits non‑zero and fails the workflow. Add a no-op guard to make the step idempotent.</violation>
</file>

---

Since this is your first cubic review, here's how it works:

• cubic automatically reviews your code and comments on bugs and improvements
• Teach cubic by replying to its comments. cubic learns from your replies and gets better over time
• Add one-off context when rerunning by tagging @cubic-dev-ai with guidance or docs links (including llms.txt)
• Ask questions if you need clarification on any suggestion

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[knechtionscoding]

I think pining to v3 or v4 here is useful. I know I am still on v3 because of breaking changes in v4 but having it be latest I don't think is great? Renovate or dependabot can configure this and bump it without issue

[stearz]

should be fixed with 4dbda49

[gjkim42]

Thanks for your contribution.

Actually, I am considering releasing the helm chart to ghcr.io instead of auto commiting the code to github repository.

[stearz]

Thanks for your contribution.

Actually, I am considering releasing the helm chart to ghcr.io instead of auto commiting the code to github repository.

Please check cfe977f
Users would need to run this then:

helm install kelos oci://ghcr.io/kelos-dev/kelos --version v1.0.0

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yaml">

<violation number="1" location=".github/workflows/release.yaml:88">
P2: `publish-helm-chart` removes `contents: read` while still running `actions/checkout@v4`, which can fail due to insufficient permissions and block chart publishing.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}