fix(chart): add annotation artifacthub.io/signKey

.gitea/workflows/artifacthub-metadata.yaml

@@ -30,7 +30,7 @@ jobs:
         oras push ${GITEA_SERVER_HOSTNAME}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:artifacthub.io \
           --config /dev/null:application/vnd.cncf.artifacthub.config.v1+yaml \
           artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
-    - name: Push public cosign key to ${GITEA_SERVER_HOSTNAME}
+    - name: Push public cosign key
       env:
         COSIGN_PUBLIC_KEY: ${{ vars.COSIGN_PUBLIC_KEY }}
       run: |

.gitea/workflows/generate-readme.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   generate-parameters:
     container:
-      image: docker.io/library/node:25.6.0-alpine
+      image: docker.io/library/node:25.6.1-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling

.gitea/workflows/markdown-linters.yaml

@@ -15,7 +15,7 @@ on:
 jobs:
   markdown-link-checker:
     container:
-      image: docker.io/library/node:25.6.0-alpine
+      image: docker.io/library/node:25.6.1-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling
@@ -30,7 +30,7 @@ jobs:
 
   markdown-lint:
     container:
-      image: docker.io/library/node:25.6.0-alpine
+      image: docker.io/library/node:25.6.1-alpine
     runs-on: ubuntu-latest
     steps:
     - name: Install tooling

.gitea/workflows/release.yaml

@@ -1,5 +1,10 @@
 name: Release
 
+env:
+  GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/private.key
+  GPG_PRIVATE_KEY_FINGERPRINT: ${{ vars.GPG_PRIVATE_KEY_FINGERPRINT }}
+  GPG_PRIVATE_KEY_PASSPHRASE_FILE: ${{ runner.temp }}/passphrase.txt
+
 on:
   push:
     tags:
@@ -28,6 +33,38 @@ jobs:
           helm plugin install --verify=false https://github.com/helm-unittest/helm-unittest.git --version "${HELM_UNITTEST_VERSION}" 1> /dev/null
           helm plugin list
 
+      - name: GPG configuration
+        env:
+          GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+        run: |
+          # Configure GPG and GPG Agent
+          mkdir --parents "${HOME}/.gnupg"
+          chmod 0700 "${HOME}/.gnupg"
+
+          cat > "${HOME}/.gnupg/gpg.conf" <<EOF
+          use-agent
+          pinentry-mode loopback
+          EOF
+
+          cat > "${HOME}/.gnupg/gpg-agent.conf" <<EOF
+          allow-loopback-pinentry
+          max-cache-ttl 86400
+          default-cache-ttl 86400
+          EOF
+
+          gpgconf --kill gpg-agent
+          gpgconf --launch gpg-agent
+
+          # Import GPG private key
+          cat 1> "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+          cat 1> "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY}"
+          gpg --batch --yes --passphrase-fd 0 --import "${GPG_PRIVATE_KEY_FILE}" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
+          # Export GPG keyring
+          gpg --batch --yes --export "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/pubring.gpg"
+          gpg --batch --yes --passphrase-fd 0 --export-secret-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" 1> "${HOME}/.gnupg/secring.gpg" <<< "${GPG_PRIVATE_KEY_PASSPHRASE}"
+
       - uses: actions/checkout@v6.0.2
         with:
           fetch-depth: 0
@@ -40,10 +77,10 @@ jobs:
 
       - name: Extract meta information
         run: |
-          echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut -d '/' -f 3)" >> $GITHUB_ENV
+          echo "GITEA_SERVER_HOSTNAME=$(echo "${GITHUB_SERVER_URL}" | cut --delimiter '/' --fields 3)" >> $GITHUB_ENV
           echo "PACKAGE_VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
-          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
+          echo "REPOSITORY_NAME=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 2 | sed --regexp-extended 's/-charts?//g')" >> $GITHUB_ENV
-          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut -d '/' -f 1)" >> $GITHUB_ENV
+          echo "REPOSITORY_OWNER=$(echo ${GITHUB_REPOSITORY} | cut --delimiter '/' --fields 1)" >> $GITHUB_ENV
 
       - name: Update Helm Chart version in README.md
         run: sed -i -E "s/^CHART_VERSION=.*/CHART_VERSION=${PACKAGE_VERSION}/g" README.md
@@ -51,7 +88,12 @@ jobs:
       - name: Package chart
         run: |
           helm dependency build
-          helm package --version "${PACKAGE_VERSION}" ./
+          helm package \
+            --sign \
+            --key "$(gpg --with-colons --list-keys "${GPG_PRIVATE_KEY_FINGERPRINT}" | grep uid | cut --delimiter ':' --fields 10)" \
+            --keyring "${HOME}/.gnupg/secring.gpg" \
+            --passphrase-file "${GPG_PRIVATE_KEY_PASSPHRASE_FILE}" \
+            --version "${PACKAGE_VERSION}" ./
 
       - uses: docker/login-action@v3.7.0
         with:
@@ -71,13 +113,15 @@ jobs:
         env:
           GITEA_REGISTRY_TOKEN: ${{ secrets.GIT_CRYPTIC_SYSTEMS_PACKAGE_REGISTRY_TOKEN }}
         run: |
-          curl \
+          for package in "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz"*; do
-            --fail \
+            curl \
-            --show-error \
+              --fail \
-            --request POST \
+              --show-error \
-            --user "${REPOSITORY_OWNER}:${GITEA_REGISTRY_TOKEN}" \
+              --request POST \
-            --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+              --user "${REPOSITORY_OWNER}:${GITEA_REGISTRY_TOKEN}" \
-              https://git.cryptic.systems/api/packages/${REPOSITORY_OWNER}/helm/api/charts
+              --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
+                https://git.cryptic.systems/api/packages/${REPOSITORY_OWNER}/helm/api/charts
+          done
 
       - name: Upload Chart to Chartmuseum (Helm)
         env:
@@ -93,3 +137,13 @@ jobs:
             --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
             --upload-file "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz" \
               https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/charts
+
+          if [ -f "${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov" ]; then
+            curl \
+              --fail \
+              --show-error \
+              --request POST \
+              --user "${CHARTMUSEUM_USERNAME}:${CHARTMUSEUM_PASSWORD}" \
+              --upload-file ${REPOSITORY_NAME}-${PACKAGE_VERSION}.tgz.prov \
+                https://${CHARTMUSEUM_HOSTNAME}/api/${CHARTMUSEUM_REPOSITORY}/prov
+          fi

.vscode/settings.json

@@ -1,8 +1,11 @@
 {
+  "files.associations": {
+    ".gitea/workflows/*.yaml": "github-actions-workflow"
+  },
   "yaml.schemas": {
     "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v1.0.3/schema/helm-testsuite.json": [
       "/unittests/**/*.yaml"
     ]
   },
   "yaml.schemaStore.enable": true
-}
+}

Chart.yaml

@@ -7,8 +7,11 @@ annotations:
       url: https://git.cryptic.systems/volker.raschek/prometheus-postgres-exporter/issues
   artifacthub.io/operator: "false"
   artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 3B0CE9853CAD76076260025383D342258456906E
+    url: https://keys.openpgp.org/vks/v1/by-fingerprint/3B0CE9853CAD76076260025383D342258456906E
 apiVersion: v2
-appVersion: "0.18.1"
+appVersion: "0.19.0"
 description: Prometheus metric exporter for PostgreSQL
 home: https://git.cryptic.systems/volker.raschek/prometheus-postgres-exporter
 # icon: https://annotations.example.com/icon.png

README.md

@@ -23,7 +23,8 @@ separate [chapter](#argocd).
 
 ## Helm: configuration and installation
 
-1. A helm chart repository must be configured, to pull the helm charts from.
+1. A helm chart repository must be configured, to pull the helm charts from. The helm charts can either be pulled from
+   the classic helm chart repository or OCI registry.
 2. All available [parameters](#parameters) are documented in detail below. The parameters can be defined via the helm
    `--set` flag or directly as part of a `values.yaml` file. The following example defines the `prometheus-exporter`
    repository and use the `--set` flag for a basic deployment.
@@ -36,7 +37,7 @@ separate [chapter](#argocd).
 ```bash
 helm repo add prometheus-postgres-exporters https://git.cryptic.systems/prometheus-exporters
 helm repo update
-CHART_VERSION=0.5.5
+CHART_VERSION=0.5.6
 helm install --version "${CHART_VERSION}" prometheus-postgres-exporter prometheus-exporters/prometheus-postgres-exporter \
   --set 'config.database.secret.databaseUsername=postgres' \
   --set 'config.database.secret.databasePassword=postgres' \
@@ -45,13 +46,25 @@ helm install --version "${CHART_VERSION}" prometheus-postgres-exporter prometheu
   --set 'prometheus.metrics.serviceMonitor.enabled=true'
 ```
 
+Alternatively, the deployment of the helm charts can also be done via an OCI registry:
+
+```bash
+CHART_VERSION=0.5.6
+helm install "oci://git.cryptic.systems/volker.raschek/prometheus-postgres-exporter:${CHART_VERSION}" \
+  --set 'config.database.secret.databaseUsername=postgres' \
+  --set 'config.database.secret.databasePassword=postgres' \
+  --set 'config.database.secret.databaseConnectionUrl="postgres.example.local:5432/postgres?ssl=disable"' \
+  --set 'prometheus.metrics.enabled=true' \
+  --set 'prometheus.metrics.serviceMonitor.enabled=true'
+```
+
 Instead of passing all parameters via the *set* flag, it is also possible to define them as part of the `values.yaml`.
 The following command downloads the `values.yaml` for a specific version of this chart. Please keep in mind, that the
 version of the chart must be in sync with the `values.yaml`. Newer *minor* versions can have new features. New *major*
 versions can break something!
 
 ```bash
-CHART_VERSION=0.5.5
+CHART_VERSION=0.5.6
 helm show values --version "${CHART_VERSION}" prometheus-exporters/prometheus-postgres-exporter > values.yaml
 ```
 
@@ -89,7 +102,7 @@ Further information about this topic can be found in one of Kanishk's blog
 > Please take care the a CPU limit < `1000m` can also lead to CPU throttling. Please read the linked documentation carefully.
 
 ```bash
-CHART_VERSION=0.5.5
+CHART_VERSION=0.5.6
 helm install --version "${CHART_VERSION}" prometheus-postgres-exporter prometheus-exporters/prometheus-postgres-exporter \
   --set 'config.database.secret.databaseUsername=postgres' \
   --set 'config.database.secret.databasePassword=postgres' \
@@ -111,7 +124,7 @@ certification will be skipped by Prometheus.
 > `tls.key` and `tls.crt` of the secret can be mounted into the container filesystem for TLS authentication / encryption.
 
 ```bash
-CHART_VERSION=0.5.5
+CHART_VERSION=0.5.6
 helm install --version "${CHART_VERSION}" prometheus-postgres-exporter prometheus-exporters/prometheus-postgres-exporter \
   --set 'config.database.secret.databaseUsername=postgres' \
   --set 'config.database.secret.databasePassword=postgres' \
@@ -135,7 +148,7 @@ certificate for the metrics exporter - TLS certificate verification can be enabl
 replaced:
 
 ```diff
-  CHART_VERSION=0.5.5
+  CHART_VERSION=0.5.6
   helm install --version "${CHART_VERSION}" prometheus-postgres-exporter prometheus-exporters/prometheus-postgres-exporter \
     --set 'config.database.secret.databaseUsername=postgres' \
     --set 'config.database.secret.databasePassword=postgres' \
@@ -189,7 +202,7 @@ the Grafana container file system so that it is subsequently available to the us
 makes this possible.
 
 ```bash
-CHART_VERSION=0.5.5
+CHART_VERSION=0.5.6
 helm install --version "${CHART_VERSION}" prometheus-postgres-exporter prometheus-exporters/prometheus-postgres-exporter \
   --set 'config.database.secret.databaseUsername=postgres' \
   --set 'config.database.secret.databasePassword=postgres' \

renovate.json

@@ -44,13 +44,6 @@
     }
   ],
   "packageRules": [
-    {
-      "groupName": "Update docker.io/volkerraschek/helm",
-      "matchDepNames": [
-        "docker.io/volkerraschek/helm",
-        "volkerraschek/helm"
-      ]
-    },
     {
       "automerge": true,
       "groupName": "Update helm plugin 'unittest'",