---
name: publish-helm
description: Generate a Nebius OCI Helm chart publication flow by creating a chart-local CHANGELOG.md, publish-helm.sh, and .github/workflows/-chart-publish.yml with tag-driven releases and public pull verification.
---

# Publish Helm

Create a repeatable Helm chart publication setup for charts released to Nebius Container Registry as OCI artifacts.

## Use This Skill For

- Adding a release process to a new Helm chart.
- Standardizing Helm chart publication across chart directories in this repo.
- Enforcing a two-step release flow:
  - `--prep` on branch
  - merge the prep branch to `main`
  - `--publish` on clean synced `main`

## Output Contract

Generate exactly these artifacts for the target chart:

1. `/CHANGELOG.md`
2. `/publish-helm.sh`
3. `.github/workflows/-chart-publish.yml`

## Inputs to Collect

- `project_name` (for workflow filename/name)
- `project_tag_prefix` (for example `nccl-test-chart`)
- `main_branch` (default `main`)
- `chart_dir` (for example `helm-charts/nccl-test`)
- `chart_name` (the name from `Chart.yaml`)
- `publish_environment` (GitHub Actions environment name)

The templates assume the GitHub Actions environment exposes these Nebius variables and secret:

- Variables: `NB_REGION_ID`, `NB_REGISTRY_ID`, `NB_PROJECT_ID`, `NB_SERVICE_ACCOUNT_ID`, `NB_SERVICE_ACCOUNT_PUBLIC_KEY_ID`
- Optional variables: `NB_TENANT_ID`, `NB_REGISTRY_NAME`
- Secret: `NB_SERVICE_ACCOUNT_PRIVATE_KEY`

## Workflow

1. Copy templates from `assets/` into the target chart and workflow paths.
2. Replace placeholders:
   - `__PROJECT_NAME__`
   - `__PROJECT_TAG_PREFIX__`
   - `__MAIN_BRANCH__`
   - `__CHART_DIR__`
   - `__CHART_NAME__`
   - `__PUBLISH_ENVIRONMENT__`
3. Keep `publish-helm.sh` executable.
4. Validate:
   - `bash -n /publish-helm.sh`
   - YAML parse for `.github/workflows/-chart-publish.yml`
   - `helm lint `
   - `helm template smoke --namespace >/dev/null`
5. Document runtime usage in the chart README:
   - `./publish-helm.sh --prep X.Y.Z`
   - `./publish-helm.sh --publish X.Y.Z`
   - note that the prep step updates both the chart-local changelog and `Chart.yaml`
   - note that the publish step only tags; CI does the OCI package/push work

## Guardrails

- Keep one canonical release path. Do not add a second manual-release flow beside `publish-helm.sh` plus the tag-driven workflow.
- `--prep` should start from a strictly clean worktree, including untracked files, so the release-prep commit stays isolated.
- `--prep` should fail before editing files if the target tag already exists locally or on `origin`.
- `--prep` should update the chart-local `CHANGELOG.md` and `Chart.yaml` together, then validate the chart before committing.
- `--publish` only creates and pushes the tag; no content edits.
- `--publish` must fail if `Chart.yaml` does not already declare version `X.Y.Z`, or if the target release section is missing or empty.
- The workflow should publish from the pushed tag only. Do not keep a separate workflow-dispatch release version override unless the user explicitly asks for one.
- The workflow should verify the published chart is anonymously pullable when the target registry is intended to be public.
- Workflow/job check names should include `project_name` to avoid ambiguous checks across monorepos.

## Resources

- `assets/CHANGELOG.md.template`
- `assets/publish-helm.sh.template`
- `assets/project-name-chart-publish.yml.template`
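
The `--publish` guardrail above (fail if `Chart.yaml` does not declare `X.Y.Z`, or if the release section is missing or empty) can be checked before any tag is created. The following is an added example, not the contents of `assets/publish-helm.sh.template`; the function names, return codes, strict `X.Y.Z` input check, and the `## [X.Y.Z]` changelog heading format are assumptions.

```bash
#!/usr/bin/env bash
# Added example: checks a `--publish X.Y.Z` step can run before tagging.
# Assumptions: Chart.yaml has a top-level "version:" key; changelog release
# headings look like "## [X.Y.Z] - date" or "## X.Y.Z".

# Accept only digits.digits.digits, so nothing else can reach `git tag`.
is_release_version() {
  case "$1" in
    "" | *[!0-9.]*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eqx '[0-9]+\.[0-9]+\.[0-9]+'
}

# Print the version declared in Chart.yaml, without quotes.
chart_version() {
  awk '/^version:/ { print $2; exit }' "$1" | tr -d "\"'"
}

# Succeed only if the changelog section for version $2 has a non-blank line
# before the next "## " heading.
changelog_section_has_content() {
  awk -v ver="$2" '
    /^## / {
      if (in_section) exit                 # next release heading: stop
      h = $0
      sub(/^## +\[?/, "", h)               # drop "## " and optional "["
      sub(/[ \t].*$/, "", h)               # drop " - date" suffix
      sub(/\]$/, "", h)                    # drop closing "]"
      if (h == ver) in_section = 1
      next
    }
    in_section && /[^ \t\r]/ { found = 1; exit }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Return 0 if chart dir $1 may be tagged as $2; 2, 3 or 4 names the failure.
check_publish_ready() {
  local chart_dir="$1" version="$2" declared
  is_release_version "$version" || {
    echo "error: version must be X.Y.Z" >&2; return 2; }
  declared="$(chart_version "$chart_dir/Chart.yaml")"
  [ "$declared" = "$version" ] || {
    echo "error: Chart.yaml declares '$declared', not '$version'" >&2; return 3; }
  changelog_section_has_content "$chart_dir/CHANGELOG.md" "$version" || {
    echo "error: CHANGELOG.md section for $version is missing or empty" >&2
    return 4; }
}
```

Calling `check_publish_ready "$chart_dir" "$version"` ahead of the tag command keeps the publish step free of content edits while refusing versions that were never prepared.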