Add OCI publishing, ArtifactHub metadata, and security policy

.github/workflows/release.yaml

@@ -0,0 +1,62 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - '*-[0-9]*.[0-9]*.[0-9]*'
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  release:
+    name: Package & Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v4.0.2
+
+      - name: Parse tag
+        id: parse
+        run: |
+          TAG="${GITHUB_REF_NAME}"
+          VERSION=$(echo "$TAG" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+$')
+          CHART="${TAG%-"${VERSION}"}"
+          echo "chart=${CHART}" >> "$GITHUB_OUTPUT"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
+      - name: Validate chart exists
+        run: |
+          if [ ! -f "charts/${{ steps.parse.outputs.chart }}/Chart.yaml" ]; then
+            echo "::error::Chart directory charts/${{ steps.parse.outputs.chart }} not found"
+            exit 1
+          fi
+
+      - name: Validate chart version matches tag
+        run: |
+          CHART_VERSION=$(grep '^version:' "charts/${{ steps.parse.outputs.chart }}/Chart.yaml" | awk '{print $2}')
+          if [ "$CHART_VERSION" != "${{ steps.parse.outputs.version }}" ]; then
+            echo "::error::Tag version (${{ steps.parse.outputs.version }}) does not match Chart.yaml version ($CHART_VERSION)"
+            exit 1
+          fi
+
+      - name: Login to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: Package chart
+        run: helm package "charts/${{ steps.parse.outputs.chart }}"
+
+      - name: Push to OCI registry
+        run: helm push "${{ steps.parse.outputs.chart }}-${{ steps.parse.outputs.version }}.tgz" oci://ghcr.io/kitstream/helms
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: "${{ steps.parse.outputs.chart }}-${{ steps.parse.outputs.version }}.tgz"
+          generate_release_notes: true

README.md

@@ -1,55 +1,64 @@
 # Helms
 
-A curated collection of Helm charts maintained by [KitStream](https://github.com/KitStream). This repository serves as a home for both green-field Helm charts and upgraded or improved charts sourced from the community.
+[![CI](https://github.com/KitStream/helms/actions/workflows/ci.yaml/badge.svg)](https://github.com/KitStream/helms/actions/workflows/ci.yaml)
+[![Release](https://github.com/KitStream/helms/actions/workflows/release.yaml/badge.svg)](https://github.com/KitStream/helms/actions/workflows/release.yaml)
+[![License](https://img.shields.io/github/license/KitStream/helms)](LICENSE)
+[![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kitstream)](https://artifacthub.io/packages/search?repo=kitstream)
 
-## Repository Structure
+Production-ready Helm charts for self-hosted infrastructure, maintained by [KitStream](https://github.com/KitStream).
 
-```
-helms/
-├── charts/           # Individual Helm charts, each in its own subdirectory
-├── CONTRIBUTING.md   # Contribution guidelines
-├── LICENSE           # Apache License 2.0
-└── README.md         # This file
-```
-
-Each chart lives in its own directory under `charts/` and follows the standard [Helm chart structure](https://helm.sh/docs/topics/charts/#the-chart-file-structure):
+## Charts
 
-```
-charts/<chart-name>/
-├── Chart.yaml        # Chart metadata
-├── values.yaml       # Default configuration values
-├── templates/        # Kubernetes manifest templates
-├── charts/           # Sub-chart dependencies
-└── README.md         # Chart-specific documentation
-```
+| Chart                      | Description                                                                                   | Version |
+|----------------------------|-----------------------------------------------------------------------------------------------|---------|
+| [netbird](charts/netbird/) | Deploy [NetBird](https://netbird.io) VPN (management, signal, dashboard, relay) on Kubernetes | `0.1.0` |
 
-## Prerequisites
+## Quick Start
 
-- [Helm](https://helm.sh/docs/intro/install/) v3.x
-- [kubectl](https://kubernetes.io/docs/tasks/tools/) configured for your target cluster
+### Install from OCI Registry
 
-## Usage
+```bash
+helm install netbird oci://ghcr.io/kitstream/helms/netbird \
+  --version 0.1.0 \
+  -n netbird --create-namespace \
+  -f my-values.yaml
+```
 
-To install a chart from this repository:
+### Install from Source
 
 ```bash
-# Clone the repository
 git clone https://github.com/KitStream/helms.git
+helm install netbird helms/charts/netbird \
+  -n netbird --create-namespace \
+  -f my-values.yaml
+```
 
-# Install a chart
-helm install <release-name> helms/charts/<chart-name>
+See each chart's README for detailed configuration.
 
-# Install with custom values
-helm install <release-name> helms/charts/<chart-name> -f my-values.yaml
-```
+## What Makes These Charts Different
+
+- **No shell in init containers** — Uses [Initium](https://github.com/KitStream/initium) (FROM scratch) instead of Alpine + shell scripts. No package manager, no shell escaping issues, smaller attack surface.
+- **Hardened by default** — Non-root, read-only root filesystem, all capabilities dropped, no privilege escalation.
+- **Structured configuration** — No raw DSN strings. Provide `database.host`, `database.user`, etc. and the chart builds it for you.
+- **Automatic database readiness** — Init containers wait for your database and create it if it doesn't exist. No manual setup, no race conditions.
+- **Comprehensive testing** — Unit tests (helm-unittest) + E2E tests across SQLite, PostgreSQL, and MySQL backends on every PR.
+
+## Prerequisites
+
+- [Helm](https://helm.sh/docs/intro/install/) v3.8+ (OCI support)
+- [kubectl](https://kubernetes.io/docs/tasks/tools/) configured for your target cluster
+- Kubernetes 1.24+ (1.28+ for SQLite PAT seeding)
 
 ## Contributing
 
 We welcome contributions! Please read our [Contributing Guide](CONTRIBUTING.md) before submitting pull requests.
 
+## Security
+
+See [SECURITY.md](SECURITY.md) for our security policy and reporting instructions.
+
 ## License
 
-This project is licensed under the Apache License 2.0 — see the [LICENSE](LICENSE) file for details.
+Apache License 2.0 — see [LICENSE](LICENSE).
 
 Copyright 2026 KitStream
-

SECURITY.md

@@ -0,0 +1,42 @@
+# Security Policy
+
+## Supported Versions
+
+| Chart   | Version | Supported |
+|---------|---------|-----------|
+| netbird | 0.1.x   | Yes       |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly.
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, please email security reports to the maintainers via [GitHub's private vulnerability reporting](https://github.com/KitStream/helms/security/advisories/new).
+
+Include:
+
+- A description of the vulnerability
+- Steps to reproduce
+- Affected chart(s) and version(s)
+- Any potential impact
+
+We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.
+
+## Security Practices
+
+This project follows security best practices for Helm charts:
+
+- **Non-root containers**: All containers run as non-root by default
+- **Read-only root filesystem**: Init containers use read-only root filesystems
+- **No privilege escalation**: `allowPrivilegeEscalation: false` on all containers
+- **Minimal capabilities**: All Linux capabilities are dropped unless explicitly required
+- **Secret management**: Sensitive values are injected via Kubernetes Secrets, never hardcoded
+- **No shell in init containers**: Uses [Initium](https://github.com/KitStream/initium) (FROM scratch image) instead of shell-based init containers
+- **Pinned image versions**: All image tags are pinned to specific versions
+
+## Upstream Vulnerabilities
+
+For vulnerabilities in the upstream applications (e.g., NetBird), please report them to the respective upstream projects:
+
+- NetBird: https://github.com/netbirdio/netbird/security

artifacthub-repo.yml

@@ -0,0 +1,4 @@
+repositoryID: null  # Assigned by ArtifactHub after registration
+owners:
+  - name: KitStream
+    email: kitstream@users.noreply.github.com

charts/netbird/Chart.yaml

@@ -9,10 +9,33 @@ keywords:
   - vpn
   - wireguard
   - mesh
+  - networking
+  - self-hosted
+  - kubernetes
 home: https://netbird.io
 sources:
   - https://github.com/netbirdio/netbird
+  - https://github.com/KitStream/helms
 maintainers:
   - name: KitStream
     url: https://github.com/KitStream
+icon: https://raw.githubusercontent.com/netbirdio/netbird/main/docs/media/logo-full.png
+annotations:
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/links: |
+    - name: NetBird
+      url: https://netbird.io
+    - name: Source
+      url: https://github.com/KitStream/helms
+    - name: Initium
+      url: https://github.com/KitStream/initium
+  artifacthub.io/changes: |
+    - kind: added
+      description: PAT seeding with automatic SHA256 hash computation
+    - kind: added
+      description: Structured database configuration (database.*)
+    - kind: added
+      description: Initium init containers for database wait and seed
+    - kind: changed
+      description: "Breaking: removed raw DSN in favor of structured database config"