zelyo-ai
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/pages.yml‎
Lines changed: 69 additions & 0 deletions b/‎.github/workflows/pages.yml‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎.github/workflows/release-helm.yml‎
Lines changed: 117 additions & 0 deletions b/‎.github/workflows/release-helm.yml‎
Lines changed: 117 additions & 0 deletions
@@ -87,7 +87,7 @@ jobs:
         run: make build
 
       - name: Build Docker image
-        run: make docker-build IMG=ghcr.io/zelyo-ai/aotanami:ci-${{ github.sha }}
+        run: make docker-build IMG=ghcr.io/aotanami/aotanami:ci-${{ github.sha }}
 
   helm-lint:
     name: Helm Lint
 
@@ -0,0 +1,69 @@
+name: Deploy GitHub Pages
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+      - "CONTRIBUTING.md"
+      - "SECURITY.md"
+      - "assets/**"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+jobs:
+  build:
+    name: Build Documentation
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0  # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
+        with:
+          python-version: "3.12"
+
+      - name: Install MkDocs and dependencies
+        run: |
+          pip install \
+            mkdocs-material \
+            mkdocs-minify-plugin \
+            pymdown-extensions
+
+      - name: Build site
+        run: mkdocs build --strict
+
+      - name: Upload pages artifact
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
+        with:
+          path: site
+
+  deploy:
+    name: Deploy to GitHub Pages
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac553fd0d31  # v4.0.5
@@ -0,0 +1,117 @@
+name: Release Helm Chart (OCI)
+
+on:
+  push:
+    tags:
+      - "v*"
+
+# Minimal top-level permissions — each job declares only what it needs.
+permissions: {}
+
+env:
+  REGISTRY: ghcr.io
+  HELM_REGISTRY: ghcr.io/aotanami/charts
+  CHART_PATH: deploy/helm/aotanami
+
+jobs:
+  release-helm:
+    name: Package, Push & Sign Helm Chart
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write          # GitHub Release asset upload
+      packages: write          # Push to GHCR
+      id-token: write          # Cosign keyless signing (Fulcio OIDC)
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0  # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Set up Helm
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112  # v4.3.0
+        with:
+          version: v3.17.1
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb  # v3.8.2
+
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@e11c554f704a0b820cbf8c51673f6945e0731532  # v0.20.0
+
+      - name: Log in to GHCR (Helm OCI)
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login "${{ env.REGISTRY }}" \
+            --username "${{ github.actor }}" --password-stdin
+
+      # ── Extract and validate version ──
+      - name: Extract version
+        id: version
+        run: |
+          VERSION="${{ github.ref_name }}"
+          VERSION="${VERSION#v}"  # Strip leading 'v' for SemVer
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "tag=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+
+      # ── Lint before packaging ──
+      - name: Lint Helm chart
+        run: helm lint "${{ env.CHART_PATH }}"
+
+      # ── Stamp version into Chart.yaml ──
+      - name: Update chart version
+        run: |
+          sed -i "s/^version:.*/version: ${{ steps.version.outputs.version }}/" \
+            "${{ env.CHART_PATH }}/Chart.yaml"
+          sed -i "s/^appVersion:.*/appVersion: \"${{ steps.version.outputs.version }}\"/" \
+            "${{ env.CHART_PATH }}/Chart.yaml"
+
+      # ── Validate template rendering ──
+      - name: Validate template rendering
+        run: helm template aotanami "${{ env.CHART_PATH }}" --debug > /dev/null
+
+      # ── Package ──
+      - name: Package Helm chart
+        run: |
+          helm package "${{ env.CHART_PATH }}" --destination .helm-packages/
+
+      # ── Push to OCI registry ──
+      - name: Push Helm chart to GHCR (OCI)
+        id: helm-push
+        run: |
+          CHART_PACKAGE=".helm-packages/aotanami-${{ steps.version.outputs.version }}.tgz"
+          helm push "${CHART_PACKAGE}" "oci://${{ env.HELM_REGISTRY }}"
+
+      # ── Cosign keyless signing ──
+      - name: Sign Helm chart OCI artifact
+        run: |
+          cosign sign --yes \
+            "${{ env.HELM_REGISTRY }}/aotanami:${{ steps.version.outputs.version }}"
+
+      # ── SBOM for the chart package ──
+      - name: Generate Helm chart SBOM
+        run: |
+          CHART_PACKAGE=".helm-packages/aotanami-${{ steps.version.outputs.version }}.tgz"
+          syft "${CHART_PACKAGE}" \
+            -o spdx-json=helm-sbom-spdx.json \
+            -o cyclonedx-json=helm-sbom-cyclonedx.json
+
+      # ── Attest SBOM ──
+      - name: Attest Helm chart SBOM
+        run: |
+          CHART_REF="${{ env.HELM_REGISTRY }}/aotanami:${{ steps.version.outputs.version }}"
+          cosign attest --yes \
+            --predicate helm-sbom-spdx.json \
+            --type spdxjson \
+            "${CHART_REF}"
+
+      # ── Upload SBOMs as release assets ──
+      - name: Upload Helm SBOMs to release
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda  # v2.2.1
+        with:
+          files: |
+            helm-sbom-spdx.json
+            helm-sbom-cyclonedx.json