feat: publish Helm chart as an OCI artifact to ghcr.io

[jabenedicic]

Summary

Publishes the operator's Helm chart as an OCI artifact to GitHub Container Registry, in addition to the existing classic (gh-pages) chart repository. This gives consumers a second, OCI-native distribution channel that can be pulled directly with helm and proxied/mirrored through OCI-aware registries such as JFrog Artifactory or Harbor.

• New release-charts-oci job in release-please.yml that, on a created release:
  • packages the chart (make helm-package),
  • pushes it to oci://ghcr.io/<owner>/charts → ghcr.io/open-feature/charts/open-feature-operator:<version>,
  • signs the OCI artifact with cosign, reusing the existing COSIGN_PRIVATE_KEY/COSIGN_PASSWORD secrets, for parity with the operator image.
• New helm-push-oci Make target + CHART_OCI_REGISTRY variable so the push can be run/overridden locally.
• docs/installation.md: documents the OCI install path (wrapped in release-please version markers so it stays in sync).

The existing classic chart flow (release-charts → gh-pages + index.yaml) and the helm repo add install path are unchanged — both distribution methods are available.

Why a separate OCI path

The container image already occupies ghcr.io/<owner>/open-feature-operator. To avoid a tag collision between the image and the chart, the chart is published under a charts/ sub-namespace: ghcr.io/open-feature/charts/open-feature-operator.

Install example

helm upgrade --install openfeature \
  oci://ghcr.io/open-feature/charts/open-feature-operator \
  --version v0.9.2

Operational note for maintainers

On the first release after merge, GHCR will create a new package charts/open-feature-operator under the open-feature org. It will default to private — a maintainer will need to set its visibility to public and link it to the repo so the published chart is pullable anonymously (same one-time step the image package needed). The GITHUB_TOKEN in the job has packages: write, which is sufficient to create and push to the package.

Test plan

• make -n helm-push-oci resolves to helm push charts/open-feature-operator-v0.9.2.tgz oci://ghcr.io/open-feature/charts (filename matches helm-package output).
• Workflow YAML parses; release-charts-oci mirrors the existing signed build-oci job (pinned action SHAs, packages: write, cosign sign step).
• End-to-end OCI push + cosign sign can only be exercised by the release pipeline post-merge (requires GHCR auth + cosign secrets). Recommend confirming the package is pullable and the signature verifies (cosign verify --key <pub> ghcr.io/open-feature/charts/open-feature-operator:<tag>) after the first release.

🤖 Generated with Claude Code

[gemini-code-assist]

Code Review

This pull request introduces support for publishing and installing the Helm chart via an OCI registry. It adds a CHART_OCI_REGISTRY variable and a helm-push-oci target to the Makefile, and updates the installation documentation with instructions for using the OCI registry. Feedback points out an inconsistency in the GitHub organization namespace used between RELEASE_REGISTRY (without a hyphen) and CHART_OCI_REGISTRY (with a hyphen) in the Makefile, suggesting they be aligned to the correct open-feature namespace.

[gemini-code-assist]

There is an inconsistency in the default organization/registry namespace used in the Makefile:

• RELEASE_REGISTRY (line 1) defaults to ghcr.io/openfeature (no hyphen).
• CHART_OCI_REGISTRY (line 11) defaults to oci://ghcr.io/open-feature/charts (with hyphen).

Since the official GitHub organization is open-feature (with a hyphen), RELEASE_REGISTRY might contain a typo or legacy value. Consider aligning them to use the correct open-feature namespace across both variables to avoid confusion or publishing to the wrong registry namespace.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.42%. Comparing base (499661e) to head (80ecf6b).
⚠️ Report is 104 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #845       +/-   ##
===========================================
- Coverage   86.51%   69.42%   -17.10%     
===========================================
  Files          19       31       +12     
  Lines        1587     2008      +421     
===========================================
+ Hits         1373     1394       +21     
- Misses        173      561      +388     
- Partials       41       53       +12     

see 26 files with indirect coverage changes

Flag	Coverage Δ
unit-tests	69.42% <ø> (∅)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[toddbaert]

Oh this is cool. I will review soon, hopefully in the next day or two!