Open
Labels: enhancement (New feature or request)
Description
`helm package` produces a non-reproducible tarball. The archive entries' timestamps are always set to the current timestamp, aka the `helm package` invocation timestamp.
There is sadly no way to pass `tar` or `gzip` options to `helm package`.
For Polaris releases, we need a signed Helm package, producing a `.prov` file, which contains more information than "just" the cryptographic signature (example contents here). Having said that, it's not sufficient to "just" replace `helm package` with a manual `tar`+`gzip`+`gpg` command chain.
It seems a solution is coming ... helm/helm#31323 got merged on Oct 29, 2025.
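Added example, not part of the issue and not Helm's or Polaris's code: a Python illustration of why per-invocation entry timestamps change the archive digest that any signature is computed over, and how pinning the tar entry and gzip header timestamps makes the bytes repeatable. The chart contents, file names, helper names and the fixed epoch are constructed assumptions, and the code does not produce a `.prov` file.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample chart contents (assumption, not from the Polaris repository).
CHART = {
    "demo/Chart.yaml": b"apiVersion: v2\nname: demo\nversion: 0.1.0\n",
    "demo/values.yaml": b"replicaCount: 1\n",
    "demo/templates/cm.yaml": b"kind: ConfigMap\napiVersion: v1\n",
}
FIXED_EPOCH = 1700000000  # assumed pinned timestamp, e.g. the release commit time


def package(files, entry_mtime, gzip_mtime):
    """Build a .tgz in memory with explicit tar-entry and gzip-header timestamps."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):      # fixed entry order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = entry_mtime    # the field that varies per invocation
            info.mode = 0o644
            info.uid = info.gid = 0     # no builder-specific ownership
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime, filename="") as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def digest(blob):
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def entry_mtimes(blob):
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: m.mtime for m in tar.getmembers()}


def timestamp_drift(blob_a, blob_b):
    """Names of entries whose mtime differs between two builds of the same chart."""
    a, b = entry_mtimes(blob_a), entry_mtimes(blob_b)
    return [n for n in sorted(a) if a[n] != b.get(n)]


if __name__ == "__main__":
    first, second = package(CHART, 1700000000, 1700000000), package(CHART, 1700000060, 1700000060)
    print(digest(first) == digest(second), timestamp_drift(first, second))
    print(digest(package(CHART, FIXED_EPOCH, 0)) == digest(package(CHART, FIXED_EPOCH, 0)))
```

`timestamp_drift` is the check to run on two builds of the same chart version when their digests disagree: if only timestamps differ, the contents match and the build is merely non-reproducible.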