feat(publish-helm-chart): reusable workflow for chartmuseum publish

[sydorovdmytro]

Summary

Phase 4.3 of the workflow centralization effort. Extracts four chart publish call sites into a single reusable workflow:

Call site	Today	After
vcluster publish-chart.yaml (release)	local reusable	publish-helm-chart/v1
vcluster push-head-images.yaml (head)	inline ~60 lines	publish-helm-chart/v1
loft-enterprise release-package.yaml (release, dual-product matrix)	inline	publish-helm-chart/v1
loft-enterprise push-head-images.yaml (head)	inline ~70 lines	publish-helm-chart/v1

Design

Unified algorithm: yq Chart.yaml (name + optional description), helm package per version with optional --app-version, helm cm-push per tarball. Two optional knobs cover the only meaningful divergence between callers:

• values-edits — newline-separated jsonpath=value pairs applied to <chart>/values.yaml (loft-enterprise sets .product)
• republish-latest — re-pull + re-push the repo's highest semver after the initial push, so it stays first in ChartMuseum's upload-ordered index.yaml (loft-enterprise multi-line release behavior)

YAML is glue only; logic lives in run.sh with shellcheck-clean source and bats coverage. Same pattern as cleanup-head-charts and the in-flight go-licenses PR.

What's covered by tests

24 bats tests stub helm and run real mikefarah/yq + jq:

• env validation, JSON array parsing edge cases (invalid, empty)
• Chart.yaml name + description edits
• values.yaml edits (single, multiple, malformed, missing file, blank lines)
• one helm package per version, with/without --app-version
• one cm-push per tarball with derived filename
• repo-add-before-push ordering
• republish-latest no-op vs re-push paths, plus loud failure on pull error

CI test workflow (test-publish-helm-chart.yaml) installs mikefarah yq and runs bats.

Renovate

Existing github-actions manager handles all SHA-pinned actions (checkout, setup-helm, install-yq-action, bats-action) via the # vX.Y.Z comment.

For the inline default values that aren't actions (helm version default, yq version), I added a generic regex customManager that picks up any # renovate: datasource=X depName=Y annotation in workflow YAML — applied to:

• inputs.helm-version.default: v3.20.0 (datasource github-releases, depName helm/helm)
• version: v4.45.1 for yq in both publish-helm-chart.yaml and test-publish-helm-chart.yaml (datasource github-releases, depName mikefarah/yq)

Helm-push plugin install matches existing convention (unpinned, tracks latest) — pinning is an orthogonal improvement.

Migration

Once tagged publish-helm-chart/v1, follow-up PRs will:

• vcluster: replace publish-chart.yaml and inline push-head-chart job
• loft-enterprise: replace inline publish-chart job (matrix preserved at caller level) and inline push-head-chart job

Test plan

• CI green (actionlint, zizmor, validate-renovate, test-publish-helm-chart bats)
• Tag publish-helm-chart/v1 after merge
• Migration PR: vcluster
• Migration PR: loft-enterprise