feat(helm): migrate kestra and kestra-starter charts to GCS (#15759)

* feat(helm)/migrate-artifacts-with-cicd

* feat(helm): move kestra and kestra-starter charts into repo

Source of truth for charts moves from kestra-io/helm-charts to this
repo. Sources URL updated to kestra-io/kestra in both Chart.yaml files.
Release workflow will manage version bumps and GCS uploads.

* feat(helm): add helm-release workflow for GCS publishing

On tag push (v*) or manual dispatch: bumps version/appVersion in both
Chart.yaml files, packages kestra then kestra-starter (with kestra
bundled as dep), merges into existing GCS index.yaml, uploads.

Uses WIF auth — no SA key. Dry-run mode available for testing.

* feat(helm)/rm-rc-trigger-helm-chart

* feat(helm): run helm release after docker publish instead of on tag push

* fix(helm): grant id-token:write to helm-release caller job

Without explicit permissions on the caller job, GitHub mints the
GITHUB_TOKEN without id-token:write, causing Workload Identity
Federation auth to fail at every real release.

* fix(helm): lint kestra-starter chart before packaging

kestra was linted but kestra-starter was packaged directly, so
template/schema errors in the starter chart could ship silently.

---------

Co-authored-by: YannC. <ycoornaert@kestra.io>

Author: MarcoSaba

.github/workflows/helm-migrate-artifacts.yml

@@ -0,0 +1,85 @@
+name: Helm migrate artifacts to GCS
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "If true, list files to copy but do not upload"
+        required: true
+        type: boolean
+        default: true
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  migrate:
+    name: Copy gh-pages artifacts to GCS
+    runs-on: ubuntu-latest
+    env:
+      BUCKET: helm-charts-kestra-host
+
+    steps:
+      - name: Checkout helm-charts gh-pages
+        uses: actions/checkout@v5
+        with:
+          repository: kestra-io/helm-charts
+          ref: gh-pages
+          path: gh-pages
+
+      - name: Authenticate to GCP
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: projects/230725787862/locations/global/workloadIdentityPools/github/providers/github
+          service_account: helm-charts-publisher@kestra-host.iam.gserviceaccount.com
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: List artifacts
+        run: |
+          echo "=== .tgz files ==="
+          ls gh-pages/*.tgz | wc -l
+          echo "=== index.yaml ==="
+          ls gh-pages/index.yaml
+          echo "=== other tracked files ==="
+          ls gh-pages/artifacthub-repo.yml gh-pages/CNAME 2>/dev/null || true
+
+      - name: Dry run — show what would be uploaded
+        if: ${{ inputs.dry_run }}
+        run: |
+          echo "DRY RUN — no upload performed."
+          echo ""
+          echo "Would upload to gs://${BUCKET}/:"
+          gsutil ls gh-pages/*.tgz gh-pages/index.yaml | sed 's|gh-pages/|  |'
+
+      - name: Upload artifacts
+        if: ${{ !inputs.dry_run }}
+        run: |
+          set -euo pipefail
+
+          # Upload .tgz files first so index.yaml never points at a missing tarball.
+          gsutil -m cp gh-pages/*.tgz gs://${BUCKET}/
+          gsutil cp gh-pages/index.yaml gs://${BUCKET}/index.yaml
+          gsutil cp gh-pages/artifacthub-repo.yml gs://${BUCKET}/artifacthub-repo.yml 2>/dev/null || true
+
+      - name: Verify count
+        if: ${{ !inputs.dry_run }}
+        run: |
+          set -euo pipefail
+
+          LOCAL=$(ls gh-pages/*.tgz | wc -l)
+          REMOTE=$(gsutil ls "gs://${BUCKET}/*.tgz" | wc -l)
+
+          echo "Local .tgz:  ${LOCAL}"
+          echo "Remote .tgz: ${REMOTE}"
+
+          if [ "${LOCAL}" != "${REMOTE}" ]; then
+            echo "ERROR: count mismatch — migration incomplete."
+            exit 1
+          fi
+
+          echo "OK: ${REMOTE} .tgz files in bucket."
+          echo ""
+          echo "Spot-check index.yaml:"
+          gsutil cat gs://${BUCKET}/index.yaml | head -20

.github/workflows/helm-release.yml

@@ -0,0 +1,146 @@
+name: Helm release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Kestra version to release (e.g. 0.21.1, without v prefix)'
+        required: true
+        type: string
+      dry_run:
+        description: 'Dry run — package charts but do not upload to GCS'
+        required: true
+        type: boolean
+        default: true
+  workflow_call:
+    inputs:
+      dry_run:
+        description: 'Dry run — package charts but do not upload to GCS'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  helm-release:
+    name: Package and publish Helm charts
+    runs-on: ubuntu-latest
+    env:
+      BUCKET: helm-charts-kestra-host
+      REPO_URL: https://helm.kestra.io/
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Resolve version and dry-run flag
+        id: config
+        run: |
+          if [[ -n "${{ inputs.version }}" ]]; then
+            VERSION="${{ inputs.version }}"
+            TAG="v${VERSION}"
+          else
+            TAG="${GITHUB_REF_NAME}"
+            VERSION="${TAG#v}"
+          fi
+          DRY_RUN="${{ inputs.dry_run }}"
+          echo "tag=${TAG}"        >> $GITHUB_OUTPUT
+          echo "version=${VERSION}" >> $GITHUB_OUTPUT
+          echo "dry_run=${DRY_RUN}" >> $GITHUB_OUTPUT
+          echo "Version: ${VERSION} | Tag: ${TAG} | Dry run: ${DRY_RUN}"
+
+      - name: Update Chart.yaml versions
+        env:
+          VERSION: ${{ steps.config.outputs.version }}
+          TAG: ${{ steps.config.outputs.tag }}
+        run: |
+          set -euo pipefail
+          for chart in charts/kestra charts/kestra-starter; do
+            sed -i "s/^version:.*/version: \"${VERSION}\"/" ${chart}/Chart.yaml
+            sed -i "s/^appVersion:.*/appVersion: \"${TAG}\"/" ${chart}/Chart.yaml
+          done
+          # Update kestra dep version in kestra-starter
+          awk -v ver="${VERSION}" '
+            /- name: kestra/ { found=1 }
+            found && /version:/ { sub(/version:.*/, "version: \"" ver "\""); found=0 }
+            { print }
+          ' charts/kestra-starter/Chart.yaml > /tmp/chart-starter.yaml
+          mv /tmp/chart-starter.yaml charts/kestra-starter/Chart.yaml
+
+      - name: Lint kestra chart
+        run: |
+          helm lint charts/kestra \
+            --set "configurations.application=kestra.variable.globals.foo: bar"
+
+      - name: Package kestra chart
+        run: |
+          mkdir -p release/
+          helm package charts/kestra -d release/
+
+      - name: Bundle kestra as kestra-starter dependency
+        env:
+          VERSION: ${{ steps.config.outputs.version }}
+        run: |
+          # Place freshly packaged kestra tgz as bundled dep so helm package
+          # does not need network access to resolve the kestra dependency.
+          mkdir -p charts/kestra-starter/charts/
+          cp release/kestra-${VERSION}.tgz charts/kestra-starter/charts/
+          # Remove stale Chart.lock — version bump makes it invalid
+          rm -f charts/kestra-starter/Chart.lock
+
+      - name: Lint kestra-starter chart
+        run: helm lint charts/kestra-starter
+
+      - name: Package kestra-starter chart
+        run: helm package charts/kestra-starter -d release/
+
+      - name: Verify packaged charts render
+        env:
+          VERSION: ${{ steps.config.outputs.version }}
+        run: |
+          helm template test release/kestra-${VERSION}.tgz \
+            --set "configurations.application=kestra.variable.globals.foo: bar" > /dev/null
+          echo "kestra-${VERSION}.tgz renders OK"
+          helm template test release/kestra-starter-${VERSION}.tgz > /dev/null
+          echo "kestra-starter-${VERSION}.tgz renders OK"
+
+      - name: Show packaged charts
+        run: ls -lh release/*.tgz
+
+      - name: Authenticate to GCP
+        uses: google-github-actions/auth@v2
+        with:
+          workload_identity_provider: projects/230725787862/locations/global/workloadIdentityPools/github/providers/github
+          service_account: helm-charts-publisher@kestra-host.iam.gserviceaccount.com
+
+      - uses: google-github-actions/setup-gcloud@v2
+
+      - name: Download existing index.yaml from GCS
+        run: gsutil cp gs://${BUCKET}/index.yaml existing-index.yaml
+
+      - name: Generate merged index.yaml
+        run: |
+          helm repo index release/ --merge existing-index.yaml --url ${REPO_URL}
+          echo "=== Preview (first 30 lines) ==="
+          head -30 release/index.yaml
+
+      - name: Dry run — show what would be uploaded
+        if: ${{ steps.config.outputs.dry_run == 'true' }}
+        run: |
+          echo "DRY RUN — no upload performed."
+          echo ""
+          echo "Would upload to gs://${BUCKET}/:"
+          ls -lh release/*.tgz release/index.yaml
+
+      - name: Upload to GCS
+        if: ${{ steps.config.outputs.dry_run == 'false' }}
+        run: |
+          set -euo pipefail
+          # Upload .tgz files first — index must never reference a missing artifact
+          gsutil -m cp release/*.tgz gs://${BUCKET}/
+          gsutil cp release/index.yaml gs://${BUCKET}/index.yaml
+          echo "Published:"
+          ls -lh release/*.tgz

.github/workflows/release-docker.yml

@@ -39,4 +39,15 @@ jobs:
       DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
       SLACK_RELEASES_WEBHOOK_URL: ${{ secrets.SLACK_RELEASES_WEBHOOK_URL }}
-      GH_PERSONAL_TOKEN: ${{ secrets.GH_PERSONAL_TOKEN }}
+      GH_PERSONAL_TOKEN: ${{ secrets.GH_PERSONAL_TOKEN }}
+
+  helm-release:
+    name: Helm release
+    needs: publish-docker
+    if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: read
+      id-token: write
+    uses: ./.github/workflows/helm-release.yml
+    with:
+      dry_run: ${{ inputs.dry-run }}

charts/kestra-starter/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/kestra-starter/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: postgres
+  repository: https://groundhog2k.github.io/helm-charts/
+  version: 1.5.7
+- name: kestra
+  repository: https://helm.kestra.io/
+  version: 1.0.28
+digest: sha256:ab414a8c0a141f4ded784b7d37aaaa0153e3413ac7cb394f33b50065afb49592
+generated: "2026-01-21T12:08:57.418806968+01:00"

charts/kestra-starter/Chart.yaml

@@ -0,0 +1,43 @@
+apiVersion: v2
+type: application
+version: "1.1.23"
+appVersion: "v1.3.14"
+name: kestra-starter
+description: Infinitely scalable, event-driven, language-agnostic orchestration and scheduling platform to manage millions of workflows declaratively in code.
+home: https://kestra.io
+icon: https://kestra.io/favicon-192x192.png
+sources:
+  - https://github.com/kestra-io/kestra
+maintainers:
+  - name: tchiotludo
+    email: tchiot.ludo@gmail.com
+annotations:
+  artifacthub.io/links: |
+    - name: Documentation
+      url: https://kestra.io/docs/
+  artifacthub.io/screenshots: |
+    - title: Home page
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/02-Homepage-Empty.png
+    - title: Flows list
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/04-Flows.png
+    - title: Flow page
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/05-Flows-Flow.png
+    - title: Execution list
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/08-Executions.png
+    - title: Execution page
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/09-Executions-Execution.png
+    - title: Execution gantt
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/27-Executions-Gantt.png
+    - title: Namespaces list
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/14-EE-Namespace.png
+    - title: Global logs
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/10-Logs.png
+    - title: Documentation
+      url: https://raw.githubusercontent.com/kestra-io/kestra.io/main/public/docs/user-interface-guide/12-Documentations-Plugins-Plugin.png
+dependencies:
+  - name: postgres
+    repository: https://groundhog2k.github.io/helm-charts/
+    version: "1.5.7"
+  - name: kestra
+    repository: https://helm.kestra.io/
+    version: "1.0.53"