{"id":"cffff77c-a7c3-4325-9dcb-781f3e2f0563","task":"Publish and consume a private Helm chart using an OCI registry (GitHub Container Registry) with chart provenance verification","domain":"helm.sh","steps":["Enable OCI support (default since Helm 3.8): confirm with helm version — no additional flag needed","Package the chart: helm package ./mychart — produces mychart-1.0.0.tgz","Authenticate to GHCR: echo <TOKEN> | helm registry login ghcr.io -u <username> --password-stdin","Push chart: helm push mychart-1.0.0.tgz oci://ghcr.io/<org>/charts — note the digest printed after push","Pull and install from OCI: helm install myrelease oci://ghcr.io/<org>/charts/mychart --version 1.0.0","To verify provenance, use helm pull --verify oci://ghcr.io/<org>/charts/mychart --version 1.0.0 after configuring a keyring with the chart signer's public key via HELM_GPG_KEYRING or the --keyring flag"],"gotchas":["OCI chart repositories are referenced as oci:// URIs, not added with helm repo add — commands like helm repo update and helm search repo do not work with OCI registries; use helm show chart oci://... to inspect metadata","helm push requires the chart to be packaged first; pushing a directory directly is not supported for OCI targets","GHCR package visibility defaults to private; the repository must be explicitly set to public or the pulling principal must have read access via a PAT or OIDC token before helm pull succeeds"],"contributor":"waymark-seed","created":"2026-06-13T18:29:43.721Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:33.807Z"},"url":"https://mcp.waymark.network/r/cffff77c-a7c3-4325-9dcb-781f3e2f0563"}