Skip to content

helmforgedev/charts

BranchesTags

Repository files navigation

HelmForge

HelmForge Charts

Production-ready Helm charts for self-hosted and platform workloads.

Tests Publish Quality Security Upstream GitHub stars License: Apache-2.0 Artifact Hub Charts count GPG + Cosign Signed Helm 4 Kubernetes >=1.26 Open issues Open pull requests Last commit PRs Welcome

Website · Documentation · Helm Repository · Contributing · Governance

Quick Start

HelmForge publishes charts through both a standard HTTPS Helm repository and an OCI registry on GHCR. Use the HTTPS repository when you want classic helm repo workflows, and OCI when you prefer registry-native pulls and signatures.

HTTPS repository

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm search repo helmforge/
helm install <release-name> helmforge/<chart-name> --version <version> -f values.yaml

OCI registry

helm install <release-name> oci://ghcr.io/helmforgedev/helm/<chart-name> --version <version> -f values.yaml

# Show default values
helm show values oci://ghcr.io/helmforgedev/helm/<chart-name> --version <version>

Check each chart's README and git tags for available versions.

Verify a packaged chart

Every published chart package is signed with GPG provenance, and OCI artifacts are signed with Cosign by the release workflow. Import the HelmForge public key before using Helm provenance verification.

# HTTPS repository provenance verification
helm pull helmforge/<chart-name> --version <version> --verify

# OCI signature verification
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp 'https://github.com/helmforgedev/charts/.github/workflows/publish.yml@refs/heads/main' \
  ghcr.io/helmforgedev/helm/<chart-name>:<version>

Why HelmForge

HelmForge is built on a simple principle: use what upstream ships, make the Kubernetes contract explicit, and keep releases verifiable.

  • Official upstream images — charts prefer images published by the application maintainers. No proprietary rebuild layer or vendor-specific runtime wrapper.
  • Pinned version tags — charts reference explicit, immutable image tags. No :latest, no floating tags, no surprises after a pull.
  • Apache-2.0 licensed — the charts, tests, and docs use a CNCF-aligned permissive license. No open-core, no paid tiers, no license traps.
  • GPG + Cosign signed — every release includes GPG provenance files for Helm verification and Sigstore Cosign keyless signatures on OCI artifacts via GitHub Actions OIDC.
  • No vendor lock-in — standard Helm, standard Kubernetes APIs, standard images. If you stop using HelmForge tomorrow, nothing breaks.
  • Explicit values contracts — product-oriented values.yaml files map directly to application and Kubernetes configuration, with schemas and validations where they prevent bad releases.
  • Operator-first docs — chart READMEs, site docs, examples, and test values are kept close to the release surface.

Charts

60+ production-ready charts covering databases, authentication, CMS, analytics, automation, AI tooling, observability, and platform infrastructure.

Browse the full catalog with descriptions, install commands, and playground configs at helmforge.dev/docs/charts.

Common categories include:

  • Databases and data stores — PostgreSQL, MySQL, MariaDB, MongoDB, Redis, Kafka, RabbitMQ, Elasticsearch, and Druid.
  • Identity and access — Keycloak, Authelia, and application charts with ingress/auth integration patterns.
  • Automation and operations — n8n, Cronicle, FastMCP Server, Cloudflared, Velero, DDNS Updater, and Envoy Gateway.
  • Content and community apps — WordPress, Ghost, Drupal, Gitea, Wallabag, Castopod, Komga, OpenWebUI, and more.

Generic platform chart

The generic chart is the reusable platform chart for workloads that need a Kubernetes contract instead of an application-specific chart. It is useful for internal services, workers, batch releases, sidecar-based apps, and platform integration tests where a full bespoke chart would add more maintenance than value.

It supports:

  • Deployments, StatefulSets, DaemonSets, Jobs, and CronJobs.
  • Multiple containers, init containers, global env/envFrom, probes, rollout checksums, and explicit restarts.
  • Primary and additional Services, headless Service mode, Ingress, and Gateway API HTTPRoutes.
  • RBAC, NetworkPolicy, ServiceMonitor, PodMonitor, PrometheusRule, VPA, HPA, and KEDA.
  • Safer validation for disabled-Service routing and KEDA ScaledObject targets.

Automation and Governance

The repository is governed by a comprehensive suite of GitHub Actions workflows that enforce quality, security, and operational intelligence automatically.

Workflow Trigger Purpose
ci.yml PR Lint, template, unit test, kubeconform, ArtifactHub lint
publish.yml Push to main Semver bump, package, sign, publish to GHCR + Pages
code-quality.yml PR Markdown lint, values quality checks, SPDX license headers
security-scan.yml PR Kubescape MITRE + NSA + SOC2 compliance scanning
pr-governance.yml PR Conventional commit enforcement, auto-labeling
upstream-watch.yml Weekly (Mon 8AM UTC) Monitors upstream image tags across Docker Hub, GHCR, and Quay.io
community.yml Daily Stale issue/PR management
repo-health.yml Daily Helm index, OCI registry, and badge endpoint monitoring

Tests and Publishing

Charts are automatically tested and published via GitHub Actions.

PR        --> ci.yml           --> [Lint] [Template] [Unit Test] [Kubeconform] [ArtifactHub Lint]
          --> code-quality.yml --> [Markdown Lint] [Values Quality] [License Headers]
          --> security-scan.yml --> [Kubescape MITRE+NSA+SOC2]
          --> pr-governance.yml --> [Conventional Commits] [Auto Labels]
Push main --> publish.yml      --> Detect --> Semver --> Package --> Sign --> Publish --> Git tag
Weekly    --> upstream-watch.yml --> Scan all charts --> Create issues for outdated images

PR workflows (ci.yml, code-quality.yml, security-scan.yml) dynamically detect which charts changed and run jobs only for affected charts using a matrix strategy. Changes to docs (README.md, examples/, docs/) are ignored. Scheduled workflows run against the full repository.

The Tests workflow runs for pull requests and pushes to main that affect chart templates, chart metadata, tests, or the workflow itself. The Publish workflow runs on pushes to main and publishes chart releases. Documentation-only changes are intentionally excluded from chart tests and release publishing.

Quality gates include:

  • helm lint and helm lint --strict.
  • helm template with default values and every ci/*.yaml scenario.
  • helm unittest when a chart has a test suite.
  • kubeconform against Kubernetes schemas and CRD schemas from the Datree CRDs catalog.
  • Kubescape security compliance scanning (MITRE, NSA, SOC2 frameworks).
  • Markdown linting and SPDX license header enforcement on changed files.
  • Artifact Hub package lint before release metadata is published.
  • Signed package publishing to GHCR and the HTTPS Helm repository.

Versioning

Versions are calculated automatically from Conventional Commits affecting each chart.

Commit prefix Bump Example
fix:, docs:, refactor: PATCH fix(generic): correct HPA indentation
feat: MINOR feat(generic): add DaemonSet support
feat!: or BREAKING CHANGE MAJOR feat(generic)!: restructure workload config

Tags follow the format {chart}-v{version} (for example generic-v1.2.3).

Release Notes

Every chart release automatically creates a GitHub Release with categorized notes generated from Conventional Commits:

  • Breaking Changes — commits with !: or BREAKING CHANGE
  • Featuresfeat(...):
  • Bug Fixesfix(...):
  • Other Changesdocs, refactor, ci, etc.

Each release includes install instructions for both OCI and Helm repository.

Testing

Each chart can include a ci/ directory with test values files. The pipeline runs helm template and kubeconform against every ci/*.yaml file automatically, in addition to default values, lint, Artifact Hub lint, and chart unit tests when present.

For local chart work:

helm lint charts/<chart-name> --strict
helm template test-release charts/<chart-name>
helm unittest charts/<chart-name>

For runtime validation, use a local k3d cluster instead of a production Kubernetes context.

Kubernetes Compatibility

All charts require Helm 4 (apiVersion: v2) and target Kubernetes 1.26+.

Kubernetes Version Status
1.26.x Supported (minimum)
1.27.x Supported
1.28.x Supported
1.29.x Supported
1.30.x Supported
1.31.x Supported
1.32.x Supported
1.33.x Supported
1.34.x Supported
1.35.x Supported

The Tests workflow validates rendered manifests with kubeconform against the default Kubernetes JSON schemas. Local runtime validation uses k3d clusters.

Charts use standard stable APIs (apps/v1, batch/v1, networking.k8s.io/v1) and avoid alpha/beta API versions to maximize compatibility.

Contributing

Contributions are welcome. Please read the contributing guide for branch flow, validation requirements, commit conventions, and chart standards.

Community and project governance documents:

Contributors

HelmForge Charts contributors

License

Apache License 2.0

About

Open-source Helm charts, forged to last. The alternative to Bitnami — official upstream images, Apache 2.0 licensed, Cosign signed.

helmforge.dev

Topics

kubernetes open-source devops helm self-hosted oci k8s helm-charts production-ready cosign

Resources

Readme

License

View license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

12 stars

Watchers

1 watching

Forks

4 forks
Report repository

Releases 884

discount-bandit v2.0.1 Latest
May 8, 2026
+ 883 releases

Packages

 
 
 

Contributors

Languages