vivekr-splunk (Collaborator) commented Nov 18, 2025

Summary

This PR modernizes the Helm chart distribution strategy and significantly enhances supply chain security by implementing OCI registry-based distribution and pinning all GitHub Actions to commit hashes.

Key Changes

1. 🎯 OCI Registry for Helm Charts (Primary Distribution)

  • New primary method: oci://ghcr.io/splunk/charts/splunk-ai-operator
  • Charts pushed to GitHub Container Registry as OCI artifacts
  • No .tgz files committed to git repository
  • GitHub Release .tgz files maintained for backward compatibility (Helm < 3.8)
  • Requires Helm 3.8+ for OCI support

Benefits:

  • ✅ Modern cloud-native distribution
  • ✅ Automatic image verification
  • ✅ Native container registry integration
  • ✅ Cleaner git repository (no binary artifacts)

2. 🐳 Docker Image Build in Release Workflow

  • Critical fix: Added Docker image building to release-package-helm.yml
  • Images now built automatically on release tags
  • Multi-registry push: GHCR + Docker Hub
  • SLSA provenance attestation included
  • Multiple tags generated: v0.1.0, 0.1.0, 0.1, latest

Before: Release workflow only packaged Helm charts (images missing!)
After: Complete release automation (Docker + Helm + Manifests)

3. 🔒 Supply Chain Security - Pinned GitHub Actions

All GitHub Actions pinned to commit hashes to prevent supply chain attacks:

Workflows Updated:

  • main-unit-tests.yml - All actions pinned
  • main-build-image.yml - All Docker actions pinned
  • prerelease-update-versions.yml - Third-party actions pinned
  • helm-lint-test.yml - All actions pinned
  • release-package-helm.yml - All actions pinned
  • codeql-analysis.yml - CodeQL actions pinned

Third-party actions secured (highest priority):

  • coverallsapp/github-action@v25cbfd81b...
  • jacobtomlinson/gha-find-replace@v32ff30f64...
  • peter-evans/create-pull-request@v3.10.17380612b...
  • azure/setup-helm@v4bf6a7d30...
  • helm/chart-testing-action@v2.6.1e6669bcd...
  • helm/kind-action@v1.10.00025e74a...
  • softprops/action-gh-release@v126994186...

Security benefits:

  • ✅ Prevents malicious action updates
  • ✅ Immutable action versions
  • ✅ Addresses CodeQL security warnings
  • ✅ Meets OSSF Scorecard requirements

4. 📚 Documentation Updates

All documentation updated to reflect OCI registry and version 0.1.0:

Files Updated:

  • README.md - OCI registry as primary method
  • docs/installation.md - Complete rewrite with OCI as Method 1
  • docs/deployment/helm-deployment.md - OCI registry examples
  • docs/releases.md - Release process with version 0.1.0

Version Correction: Changed all examples from 1.0.0 to 0.1.0 (pre-GA release)

5. 🔧 Workflow Fixes

  • CodeQL: Enabled for current branch and result uploads
  • CodeQL: Removed deprecated develop branch triggers
  • YAML syntax: Fixed multi-line string issues in create-release-tag.yml

Installation Examples

OCI Registry (Recommended - Helm 3.8+)

helm install splunk-ai-operator \
  oci://ghcr.io/splunk/charts/splunk-ai-operator \
  --version 0.1.0 \
  --namespace splunk-ai-operator-system \
  --create-namespace

kubectl (Manifests)

kubectl apply -f https://github.com/splunk/splunk-ai-operator/releases/download/v0.1.0/install-v0.1.0.yaml

Helm (GitHub Release - Backward Compatibility)

helm install splunk-ai-operator \
  https://github.com/splunk/splunk-ai-operator/releases/download/v0.1.0/splunk-ai-operator-0.1.0.tgz \
  --namespace splunk-ai-operator-system \
  --create-namespace

Release Artifacts

When v0.1.0 is released, the following will be published:

OCI Registry (GHCR):

  • oci://ghcr.io/splunk/charts/splunk-ai-operator:0.1.0
  • oci://ghcr.io/splunk/charts/splunk-ai-platform:0.1.0

Docker Images:

  • ghcr.io/splunk/splunk-ai-operator:v0.1.0
  • ghcr.io/splunk/splunk-ai-operator:0.1.0
  • splunk/splunk-ai-operator:v0.1.0 (Docker Hub)
  • splunk/splunk-ai-operator:0.1.0 (Docker Hub)

GitHub Release:

  • install-v0.1.0.yaml - Kubernetes manifests
  • splunk-ai-operator-0.1.0.tgz - Helm chart
  • splunk-ai-platform-0.1.0.tgz - Platform chart
  • index.yaml - Helm repository index

Testing

  • ✅ All workflows validated
  • ✅ YAML syntax checked
  • ✅ Action commit hashes verified
  • ✅ Documentation consistency verified
  • ✅ Helm chart references updated

Breaking Changes

None - backward compatible. GitHub Release .tgz files still available for Helm < 3.8.

Migration Path

For users on Helm 3.8+: Migrate to OCI registry (recommended)
For users on Helm < 3.8: Continue using GitHub Release URLs

Checklist

  • OCI registry configured for Helm charts
  • Docker images built in release workflow
  • All GitHub Actions pinned to commit hashes
  • Documentation updated with OCI registry examples
  • Version references corrected to 0.1.0
  • CodeQL workflow fixed and enabled
  • YAML syntax validated
  • Backward compatibility maintained

Post-Merge Actions

After this PR is merged:

  1. Remove oci-helm-and-security-fixes branch from CodeQL triggers
  2. Verify first release workflow (v0.1.0) completes successfully
  3. Make GHCR packages public (first release only)

Related Issues

Fixes: CodeQL warning "Unpinned tag for a non-immutable Action"
Fixes: PR merge blocked by "Code scanning is waiting for results"
Fixes: Docker images not built during releases

Fix YAML syntax error on line 102 caused by multi-line string with
embedded GitHub Actions expressions.

Changed from inline string variable to heredoc file approach:
- Extract all GitHub expressions to shell variables first
- Use heredoc to write tag message to temp file
- Pass file to git tag with -F flag

This avoids YAML parsing issues with special characters and
multi-line strings containing ${{ }} expressions.

Fixes: Invalid workflow file syntax error

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
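Section 3 above relies on one property of a commit SHA: unlike a tag or branch ref, it cannot be moved to point at different code after review. As an added example that is not part of this PR or the splunk-ai-operator repository, the POSIX shell check below lists every `uses:` reference in a set of workflow files that is not pinned to a full 40-hex commit SHA. The sample workflow, its step names and its 40-hex value are constructed placeholders, not real actions or commits.

```shell
#!/bin/sh
# Added example (not part of this PR or the splunk-ai-operator project):
# list every `uses:` reference in GitHub Actions workflow files that is not
# pinned to a full 40-hex commit SHA. Tag and branch refs can be moved after
# the fact; a commit SHA cannot, which is the property the PR relies on.

# Print unpinned action references, one per line, from the given workflow files.
# Local actions (./path) and docker:// images are outside the SHA-pin rule and
# are skipped. Trailing "# vX.Y" comments and quotes are stripped before the check.
unpinned_uses() {
  grep -hE '^[[:space:]]*-?[[:space:]]*uses:' "$@" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//; s/[[:space:]]+$//' \
    | tr -d "\"'" \
    | grep -vE '^(\./|docker://)' \
    | grep -vE '@[0-9a-f]{40}$' || true
}

# Number of unpinned references across the given files (0 when all are pinned).
count_unpinned() {
  unpinned_uses "$@" | wc -l | tr -d ' '
}

# Constructed sample workflow: two tag-pinned actions, one SHA-pinned action
# (placeholder SHA, not a real commit), one local action and one docker image.
SAMPLE="${TMPDIR:-/tmp}/sample-workflow.$$.yml"
cat > "$SAMPLE" <<'EOF'
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/local-check
      - uses: docker://alpine:3.19
      - name: Release
        uses: "softprops/action-gh-release@v1"
EOF
trap 'rm -f "$SAMPLE"' EXIT

echo "Unpinned references in $SAMPLE:"
unpinned_uses "$SAMPLE"
```

Point `unpinned_uses` at `.github/workflows/*.yml` and fail the job when `count_unpinned` is non-zero. Keep the `# vX.Y.Z` comment after each SHA pin: Dependabot and Renovate read it to propose SHA bumps, and it lets a reviewer see which release a hash corresponds to without resolving it by hand.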
Copilot AI review requested due to automatic review settings November 18, 2025 17:22
Copilot finished reviewing on behalf of vivekr-splunk November 18, 2025 17:23
@vivekr-splunk vivekr-splunk changed the title fix: correct YAML syntax in create-release-tag workflow OCI Registry Helm Distribution and Security Enhancements Nov 18, 2025

Copilot AI left a comment

Pull Request Overview

This PR fixes a YAML syntax error in the create-release-tag workflow caused by multi-line strings containing GitHub Actions expressions. The fix refactors the tag message creation to use a heredoc approach with a temporary file.

Key Changes:

  • Extract GitHub Actions expressions (steps.commit.outputs.*, github.actor) to shell variables before building the tag message
  • Replace inline multi-line string with heredoc writing to /tmp/tag_message.txt
  • Update git tag command to read message from file using -F flag instead of inline -m flag


# Create annotated tag
git tag -a "$TAG" -m "$TAG_MESSAGE"
git tag -a "$TAG" -F /tmp/tag_message.txt
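Review bot: the added line reads the tag message from the fixed path /tmp/tag_message.txt, a shared, predictable location; create the file with `mktemp` (or under `$RUNNER_TEMP`) and pass that name, e.g. `msg_file=$(mktemp "${RUNNER_TEMP:-/tmp}/tag_message.XXXXXX")` followed by `git tag -a "$TAG" -F "$msg_file"`, so a stale or pre-existing file of the same name can never supply the message and the file can be removed afterwards without hard-coding its path.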

Copilot AI Nov 18, 2025

[nitpick] Consider adding cleanup for the temporary file after the tag is created. While GitHub Actions runners are ephemeral and this won't cause issues in practice, it's a good practice to clean up temporary resources:

# Create annotated tag
git tag -a "$TAG" -F /tmp/tag_message.txt

# Clean up temporary file
rm -f /tmp/tag_message.txt

coveralls commented Nov 18, 2025

Pull Request Test Coverage Report for Build 19475368201

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 36.822%

Totals Coverage Status:
  Change from base Build 19474971260: 0.0%
  Covered Lines: 2336
  Relevant Lines: 6344

💛 - Coveralls

Add cleanup step to remove temporary file after tag creation.
While GitHub Actions runners are ephemeral, this follows best
practices for resource cleanup.

Addresses: Copilot review suggestion

Use quoted heredoc ('EOF' instead of EOF) to prevent variable
expansion issues in YAML/bash. Replace variables after heredoc
using sed to avoid special character and newline problems.

Changes:
- Use <<'EOF' to prevent immediate variable expansion
- Remove emoji that might cause encoding issues
- Use sed to replace variables in the temp file
- Simplifies YAML parsing and prevents syntax errors

Fixes: YAML syntax error on line 104
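The quoted heredoc plus sed pass described in the commit above avoids the YAML parse error. As an added example that is not the project's workflow code, the script below shows the variant a workflow reviewer would normally ask for: the `${{ }}` values are handed to the step as environment variables (`TAG`, `VERSION` and `ACTOR` are assumed names for the step's `env:` entries), the message is expanded from those variables in an ordinary unquoted heredoc, and the file comes from `mktemp`. Because a shell variable's value is inserted literally and never re-parsed, no substitution pass over the file is needed, and the `run:` script itself contains no `${{ }}` interpolation, which is the standard mitigation for script injection through context values. All values below are constructed.

```shell
#!/bin/sh
# Added example (not part of this PR or the splunk-ai-operator project):
# build an annotated-tag message for `git tag -F` from values handed to the
# step as environment variables instead of splicing ${{ }} expressions into
# the script text. Once a value is an ordinary shell variable, expanding it in
# an unquoted heredoc inserts it literally; the value is never re-parsed, so
# no sed pass over the file is needed. TAG, VERSION and ACTOR are assumed
# names for the step's `env:` entries.

# Write the tag message to the file named by $1.
write_tag_message() {
  out="$1"
  tag="${TAG:?TAG must be set}"
  version="${VERSION:-unknown}"
  actor="${ACTOR:-unknown}"
  cat > "$out" <<EOF
Release $tag

Version: $version
Created by: $actor

Chart: oci://ghcr.io/splunk/charts/splunk-ai-operator:$version
EOF
}

# Create a private temp file, write the message, and print the file name so
# the caller can pass it to `git tag -a "$TAG" -F "$file"` and remove it after.
tag_message_file() {
  file=$(mktemp "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/tag_message.XXXXXX") || return 1
  write_tag_message "$file" || return 1
  printf '%s\n' "$file"
}

# Demo with constructed values; the actor string contains a command
# substitution and a semicolon and must appear verbatim in the output.
TAG='v0.1.0'; VERSION='0.1.0'; ACTOR='release-bot $(echo not-run); true'
export TAG VERSION ACTOR
msg_file=$(tag_message_file)
cat "$msg_file"
# In the workflow the next step would be: git tag -a "$TAG" -F "$msg_file"
rm -f "$msg_file"
```

In the workflow this maps to an `env:` block on the step (for example `TAG: ${{ steps.commit.outputs.tag }}` and `ACTOR: ${{ github.actor }}`) with the script body unchanged; the heredoc delimiter stays unquoted on purpose, since the only things expanded are the script's own variables.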
@vivekr-splunk vivekr-splunk merged commit 87f84e3 into main Nov 18, 2025
3 checks passed
@vivekr-splunk vivekr-splunk deleted the oci-helm-and-security-fixes branch November 18, 2025 17:34