
Add Helm chart for deployment-tracker#62

Open
bdehamer wants to merge 4 commits into main from bdehamer/helm

Conversation

@bdehamer

@bdehamer bdehamer commented Mar 20, 2026

Summary

Adds a Helm chart to make it easy for customers to install the deployment-tracker controller. The chart is co-located in the repo under deploy/charts/deployment-tracker/, following the pattern used by cert-manager and external-secrets.

What's included

Helm chart (deploy/charts/deployment-tracker/)

  • Chart.yaml — chart metadata (apiVersion v2, type application)
  • values.yaml — all configurable options with sensible defaults:
    • Image config (ghcr.io/github/deployment-tracker)
    • Controller config (org, logicalEnvironment, cluster, baseUrl, dnTemplate, namespace filtering, workers, metricsPort)
    • Auth — supports both API token and GitHub App, with inline values or references to existing K8s Secrets
    • Resources, security context, readiness probe, lifecycle hooks (matching internal production config)
    • Service, ServiceAccount, pod annotations, node scheduling
  • Templates: ServiceAccount, ClusterRole, ClusterRoleBinding, Deployment, Service, NOTES.txt
  • _helpers.tpl — standard Helm name/label/selector helpers
  • README.md — configuration docs with install examples and auth setup

CI workflow updates

  • release.yaml — on tag push, now also packages and pushes the Helm chart as an OCI artifact to oci://ghcr.io/github/charts alongside the container image build
  • build.yml — new helm-lint job runs helm lint and helm template validation on PRs and pushes to main
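As an added illustration of the release step described above (this is example workflow YAML, not the repository's own release.yaml; the job name, action versions, and the use of the tag name as the chart version are assumptions), a job that lints, packages and pushes the chart to ghcr.io as an OCI artifact with only the token permissions that step needs:

```yaml
# Added example, not the repository's release.yaml: package the Helm chart and
# push it to ghcr.io as an OCI artifact when a version tag is pushed.
name: release
on:
  push:
    tags: ['v*']
jobs:
  helm-chart:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # checkout only
      packages: write   # required to push to ghcr.io; nothing broader
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - name: Log in to GHCR with the job token
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io \
            --username "${{ github.actor }}" --password-stdin
      - name: Lint and render the chart before publishing anything
        run: |
          helm lint deploy/charts/deployment-tracker
          helm template deployment-tracker deploy/charts/deployment-tracker \
            --set config.org=example-org \
            --set config.logicalEnvironment=staging \
            --set config.cluster=example-cluster \
            --set auth.apiTokenSecret=example-secret >/dev/null
      - name: Package with the tag as chart and app version
        run: |
          VERSION="${GITHUB_REF_NAME#v}"   # e.g. v1.2.3 -> 1.2.3
          helm package deploy/charts/deployment-tracker \
            --version "$VERSION" --app-version "$VERSION" --destination dist
      - name: Push the chart as an OCI artifact
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          helm push "dist/deployment-tracker-${VERSION}.tgz" oci://ghcr.io/github/charts
```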

Install

helm install deployment-tracker \
  oci://ghcr.io/github/charts/deployment-tracker \
  --namespace deployment-tracker --create-namespace \
  --set config.org=my-org \
  --set config.logicalEnvironment=production \
  --set config.cluster=my-cluster \
  --set auth.apiTokenSecret=my-secret

Design decisions

  • Chart in-repo (not a separate repo) — chart and controller are tightly coupled; co-location allows atomic changes and simpler CI
  • OCI publishing to ghcr.io — modern Helm best practice, no index.yaml maintenance, co-locates chart with container image
  • Auth via Secret references — recommended for production; inline values supported for dev/testing
  • Required values enforced: config.org, config.logicalEnvironment, and config.cluster are validated at template time

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@kommendorkapten
Member

How about support for a GitHub app as I think that is a popular method for authentication?

@bdehamer
Author

How about support for a GitHub app as I think that is a popular method for authentication?

@kommendorkapten there's a section in the readme explaining how to auth with a GitHub App.

@kommendorkapten
Member

Perfect, and it's in the values.yaml too 👍

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer marked this pull request as ready for review March 20, 2026 19:53
@bdehamer bdehamer requested a review from a team as a code owner March 20, 2026 19:53
Copilot AI review requested due to automatic review settings March 20, 2026 19:53

Copilot AI left a comment


Pull request overview

Introduces an in-repo Helm chart to install and configure the deployment-tracker controller, and updates CI/release workflows to lint the chart on PRs and publish it as an OCI artifact on tag releases.

Changes:

  • Added a Helm chart under deploy/charts/deployment-tracker/ (values, templates, docs, chart metadata).
  • Added a CI job to helm lint and helm template the chart.
  • Updated the release workflow to package and push the chart to GHCR as an OCI artifact alongside the container image.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.

File Description
deploy/charts/deployment-tracker/Chart.yaml New chart metadata (name/version/appVersion/kubeVersion).
deploy/charts/deployment-tracker/values.yaml Default configuration surface for controller, auth, service, and runtime settings.
deploy/charts/deployment-tracker/templates/deployment.yaml Renders the controller Deployment, wiring config/auth via args/env and exposing metrics.
deploy/charts/deployment-tracker/templates/serviceaccount.yaml Optional ServiceAccount creation (and imagePullSecrets).
deploy/charts/deployment-tracker/templates/clusterrole.yaml ClusterRole for controller access to Kubernetes resources.
deploy/charts/deployment-tracker/templates/clusterrolebinding.yaml ClusterRoleBinding wiring the ClusterRole to the ServiceAccount.
deploy/charts/deployment-tracker/templates/service.yaml Optional metrics Service.
deploy/charts/deployment-tracker/templates/_helpers.tpl Standard naming/label helpers for the chart.
deploy/charts/deployment-tracker/templates/NOTES.txt Post-install guidance and basic validation warnings.
deploy/charts/deployment-tracker/README.md Installation/configuration documentation for the chart.
deploy/charts/deployment-tracker/.helmignore Packaging ignore rules for Helm chart artifacts.
.github/workflows/build.yml Adds helm-lint job to validate chart on PRs and main pushes.
.github/workflows/release.yaml Packages and pushes the chart to GHCR on version tag pushes.


{{- if .Values.serviceAccount.create }}
{{- default (include "deployment-tracker.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}

Copilot AI Mar 20, 2026


When serviceAccount.create is false and serviceAccount.name is not set, the helper falls back to "default". Because the chart always creates a ClusterRoleBinding, this can unintentionally bind cluster-wide permissions to the namespace's default ServiceAccount. It would be safer to require serviceAccount.name when serviceAccount.create is false (or otherwise avoid defaulting to "default").

Suggested change
{{- default "default" .Values.serviceAccount.name }}
{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}
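The following is an added example, not the chart's own _helpers.tpl or clusterrolebinding.yaml, showing how the review point above and the "required values enforced" design decision can be combined: the ServiceAccount helper never falls back to "default", and a single validation helper aborts rendering when config.org, config.logicalEnvironment or config.cluster is missing or when the resolved subject of the ClusterRoleBinding would be the namespace default account. The helper names deployment-tracker.labels and deployment-tracker.validateRequired are assumptions; deployment-tracker.fullname is the helper the PR already uses.

```yaml
{{/*
Added example (not the chart's own code): resolve the ServiceAccount name
without ever falling back to the namespace's "default" account.
*/}}
{{- define "deployment-tracker.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{- default (include "deployment-tracker.fullname" .) .Values.serviceAccount.name -}}
{{- else -}}
{{- required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name -}}
{{- end -}}
{{- end -}}

{{/*
Template-time validation. `required` fails on nil or empty string, so
`helm template` / `helm install` abort before anything reaches the cluster.
*/}}
{{- define "deployment-tracker.validateRequired" -}}
{{- $_ := required "config.org is required" .Values.config.org -}}
{{- $_ := required "config.logicalEnvironment is required" .Values.config.logicalEnvironment -}}
{{- $_ := required "config.cluster is required" .Values.config.cluster -}}
{{- if eq (include "deployment-tracker.serviceAccountName" .) "default" -}}
{{- fail "refusing to bind the ClusterRole to the namespace default ServiceAccount; set serviceAccount.name" -}}
{{- end -}}
{{- end -}}

# templates/clusterrolebinding.yaml (example): validate first, then bind
# the ClusterRole to exactly the account the chart resolved above.
{{- include "deployment-tracker.validateRequired" . }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "deployment-tracker.fullname" . }}
  labels:
    {{- include "deployment-tracker.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "deployment-tracker.fullname" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "deployment-tracker.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
```

Rendering with `--set serviceAccount.create=false` and no `serviceAccount.name` now fails with the `required` message instead of silently granting the ClusterRole to the default account.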

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Copilot AI commented Mar 20, 2026

@bdehamer I've opened a new pull request, #65, to work on those changes. Once the pull request is ready, I'll request review from you.


* Initial plan

* Add template-time validation for mutually exclusive namespace flags

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/deployment-tracker/sessions/ab6214f1-4681-454f-b5de-7d0caa1a9cc9

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>