
Add Docker image and Helm chart publishing#3

Merged
bakayolo merged 7 commits into main from add-docker-helm-gha
Apr 11, 2026

Conversation

Collaborator

@bakayolo bakayolo commented Apr 9, 2026

Summary

Adds CI for building/publishing the Docker image and a Helm chart for deploying Version Guard to Kubernetes.

Workflow: Docker & Helm (.github/workflows/docker.yml)

| Trigger | Docker image | Helm chart |
|---|---|---|
| Pull request | Build linux/amd64 only (validates Dockerfile, no push) | ct lint + version bump check |
| Push to main (PR merge) | Build multi-arch (amd64 + arm64), push to ghcr.io/block/version-guard:latest and :<sha> | |
| Version tag (v*) | Build multi-arch, push to ghcr.io/block/version-guard:v1.0.0 and :1.0 | Validate tag matches Chart.yaml, package and push to oci://ghcr.io/block/charts/version-guard:1.0.0 |

PR builds are single-platform for fast feedback (~2 min vs ~16 min with multi-arch).

Versioning

Chart.yaml is the source of truth for both version (chart version) and appVersion (Docker image tag default). Both are committed in the repo and bumped in PRs before tagging a release.

Release flow:

  1. PR that bumps version and appVersion in Chart.yaml
  2. Merge to main
  3. git tag v0.2.0 && git push origin v0.2.0
  4. CI validates tag matches Chart.yaml, builds multi-arch image, packages and publishes chart

Helm chart (charts/version-guard/)

A generic chart for deploying Version Guard to Kubernetes. All runtime config is via environment variables (matching the existing .env.example pattern). Configurable via env, extraVolumes, and resource limits.

Usage:

helm install version-guard oci://ghcr.io/block/charts/version-guard --version 0.1.0 \
  --set env[0].name=TEMPORAL_ENDPOINT \
  --set env[0].value=temporal.default.svc.cluster.local:7233

Dockerfile (deploy/Dockerfile)

Multi-stage build: golang:1.24.2-alpine → alpine:3.21. Non-root user (uid 1000), read-only root filesystem, port 8080 (gRPC).

🤖 Generated with Amp
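The release gate from step 4 of the flow above (a v* tag is only published when it matches Chart.yaml), as an added POSIX shell example that is not the PR's workflow code. It assumes a constructed Chart.yaml embedded inline and parses it with sed rather than the yq the workflow uses, so it runs offline with no dependencies.

```shell
#!/bin/sh
# Added example, not the PR's .github/workflows/docker.yml. The real workflow
# parses Chart.yaml with yq; sed is used here only to avoid dependencies.

# Constructed stand-in for charts/version-guard/Chart.yaml.
CHART_YAML='apiVersion: v2
name: version-guard
version: 0.2.0
appVersion: "0.2.0"'

# chart_field FIELD -> value of a top-level scalar in $CHART_YAML, quotes stripped.
chart_field() {
  printf '%s\n' "$CHART_YAML" |
    sed -n "s/^$1:[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p"
}

# validate_release_tag TAG
# Succeeds and prints the image tags to publish (v-prefixed, bare semver to
# match appVersion, and major.minor) only when TAG is v<major>.<minor>.<patch>
# and equals Chart.yaml's version. Anything else fails, so a tag pushed
# without the Chart.yaml bump from step 1 never publishes a chart or image.
validate_release_tag() {
  tag=$1
  if ! printf '%s\n' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "refusing: $tag is not a v<major>.<minor>.<patch> tag" >&2
    return 1
  fi
  semver=${tag#v}
  chart_version=$(chart_field version)
  if [ "$semver" != "$chart_version" ]; then
    echo "refusing: tag $tag does not match Chart.yaml version $chart_version" >&2
    return 1
  fi
  major_minor=${semver%.*}
  printf '%s %s %s\n' "v$semver" "$semver" "$major_minor"
}

# Usage: validate_release_tag v0.2.0   -> v0.2.0 0.2.0 0.2
```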

bakayolo and others added 7 commits April 9, 2026 13:27
- deploy/Dockerfile: multi-stage Go build (1.24.2-alpine), non-root user, port 8080
- charts/version-guard/: Helm chart (Deployment, Service, ServiceAccount) with env-var config
- .github/workflows/docker.yml: PR builds (single-arch + chart lint), main push (multi-arch to GHCR), v* tag (publish chart to OCI registry)
- Makefile: updated docker-build to use deploy/Dockerfile

Amp-Thread-ID: https://ampcode.com/threads/T-019d73dd-3cfe-773a-898f-7f7efbb7eb68
Co-authored-by: Amp <amp@ampcode.com>

- Fix YAML indentation in test.yml (broken linter step)
- Add explicit permissions to lint-chart job
- Add semver tag without v-prefix to match Chart.yaml appVersion
- Use yq instead of grep/awk for Chart.yaml parsing
- Add container-level securityContext (readOnlyRootFilesystem, drop ALL caps)
- Extract containerPort to values.yaml for consistency
- Add gRPC liveness and readiness probes
- Use BuildKit cache mounts in Dockerfile for faster builds

Amp-Thread-ID: https://ampcode.com/threads/T-019d794b-a1d1-7425-b8a6-f519f6c68b53
Co-authored-by: Amp <amp@ampcode.com>

- Add top-level permissions: {} for least-privilege default
- Pass secrets/context vars via env: blocks instead of inline interpolation
- Switch gRPC probes to tcpSocket (server lacks grpc.health.v1.Health)
- Add seccompProfile: RuntimeDefault for restricted PSS compliance

Amp-Thread-ID: https://ampcode.com/threads/T-019d794b-a1d1-7425-b8a6-f519f6c68b53
Co-authored-by: Amp <amp@ampcode.com>
@bakayolo bakayolo merged commit 7137341 into main Apr 11, 2026
7 checks passed
@bakayolo bakayolo deleted the add-docker-helm-gha branch April 11, 2026 14:09