Set container image repository and tag in helm chart

[defo89]

Proposed Changes

• Updating image values in chart for easier chart consumption

Summary by CodeRabbit

• Chores
  • Updated the Helm chart publishing workflow to automatically compute and set the container image repository and a SHA-based tag, and to update chart values accordingly.
  • Added tooling/setup steps in the workflow to support this automation.

[coderabbitai]

Walkthrough

The publish-chart GitHub Actions workflow was updated with two new steps: install a prebuilt yq binary and run yq to update dist/chart/values.yaml, setting the controller image repository and a SHA-based image tag.

Changes

Cohort / File(s)	Summary
Workflow Configuration .github/workflows/publish-chart.yml	Added two CI steps: download+chmod a prebuilt yq binary, and compute/set container image repository and a SHA-based tag in dist/chart/values.yaml using yq.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The description includes the required 'Proposed Changes' section but lacks detail and specificity about the actual changes made to the workflow.	Expand the 'Proposed Changes' section to list specific modifications, such as installing yq and updating dist/chart/values.yaml with computed image tags.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title clearly and specifically summarizes the main change: setting container image repository and tag in the Helm chart, which aligns with both the file changes and PR objectives.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chert-image-values

Tip

We've launched Issue Planner and it is currently in beta. Please try it out and share your feedback on Discord!

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/publish-chart.yml:
- Around line 79-81: The "Install yq" workflow step currently downloads from
releases/latest which is unstable; change the download URL to pin yq to the
specific version v4.52.2 (update the step named "Install yq") so the run uses
the release artifact for v4.52.2 and keep chmod a+x; also review the other step
that installs Kustomize and pin it to a known stable tag similarly for
reproducible installs.

🧹 Nitpick comments (1)

.github/workflows/publish-chart.yml (1)

83-86: Consider deriving the image repository from GitHub context variables.

The repository path is hardcoded, while Line 108 already uses ${{ github.repository_owner }} dynamically. If the -controller-manager suffix is a fixed convention, you could derive it:

-          yq -i '.controllerManager.manager.image.repository = "ghcr.io/ironcore-dev/metal-operator-controller-manager"' dist/chart/values.yaml
+          yq -i '.controllerManager.manager.image.repository = "ghcr.io/${{ github.repository }}-controller-manager"' dist/chart/values.yaml

This keeps the chart publishing consistent with forks and repo renames. Skip if the image name intentionally differs from the repo name.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

mikefarah yq latest release version 2025 2026

💡 Result:

• Latest mikefarah/yq release (as of Feb 10, 2026): v4.52.2 — released Jan 31, 2026. [1]
• Latest release in 2025: v4.50.1 — released Dec 14, 2025. [2]

---

🏁 Script executed:

# Check for other workflow files and how they handle tool versions
fd '\.yml$' '.github/workflows' -x grep -l "curl.*releases/latest\|version:" {}

Repository: ironcore-dev/metal-operator

Length of output: 282

---

🏁 Script executed:

# Search for yq usage elsewhere in the repo
rg "yq" --type yaml -A 2 -B 2

Repository: ironcore-dev/metal-operator

Length of output: 53

---

🏁 Script executed:

# Look at the publish-chart.yml file to understand the context better
head -100 .github/workflows/publish-chart.yml | tail -50

Repository: ironcore-dev/metal-operator

Length of output: 2469

---

Pin yq to a specific version for reproducibility and supply chain safety.

Fetching from releases/latest means a future breaking change or compromised release could silently affect chart publishing. Pin to the latest stable release (currently v4.52.2).

Suggested fix

      - name: Install yq
        run: |
-          curl -fsSL https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -o /usr/local/bin/yq && chmod a+x /usr/local/bin/yq
+          YQ_VERSION="v4.52.2"
+          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o /usr/local/bin/yq && chmod a+x /usr/local/bin/yq

Note: The same workflow also installs Kustomize from master; consider pinning that version as well.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Install yq
	run: |
	curl -fsSL https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -o /usr/local/bin/yq && chmod a+x /usr/local/bin/yq
	- name: Install yq
	run: |
	YQ_VERSION="v4.52.2"
	curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o /usr/local/bin/yq && chmod a+x /usr/local/bin/yq

🤖 Prompt for AI Agents

In @.github/workflows/publish-chart.yml around lines 79 - 81, The "Install yq"
workflow step currently downloads from releases/latest which is unstable; change
the download URL to pin yq to the specific version v4.52.2 (update the step
named "Install yq") so the run uses the release artifact for v4.52.2 and keep
chmod a+x; also review the other step that installs Kustomize and pin it to a
known stable tag similarly for reproducible installs.

[asergeant01]

This means we can no longer independently version the chart and software. Do we want that?

[defo89]

This means we can no longer independently version the chart and software. Do we want that?

You can still override the image values via --set controllerManager.manager.image.tag=foo-tag or --values override-values.yaml or am I missing something?