Skip to content

Feat: add support for persisting ChartSource#32018

Open
iammehrabsandhu wants to merge 3 commits intohelm:mainfrom
iammehrabsandhu:feature/chart-source-persistence
Open

Feat: add support for persisting ChartSource#32018
iammehrabsandhu wants to merge 3 commits intohelm:mainfrom
iammehrabsandhu:feature/chart-source-persistence

Conversation

@iammehrabsandhu
Copy link
Copy Markdown

@iammehrabsandhu iammehrabsandhu commented Apr 8, 2026
edited
Loading

refs #31999
closes #31999
Status
Complete.

What this PR does / why we need it:
Adds a Source field to the Release so you can always trace exactly where a chart came from. We now capture this origin data during download (chart_downloader.go) for both new pulls and cached charts.
The install and upgrade flows (install.go, upgrade.go) safely attach this information to your deployment.
This is a backward-compatible addition that won't break existing cluster releases.

WIP: feat: add ChartSource type and Source field to Release
666fa05 
Signed-off-by: iammehrabsandhu <user.127.888@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 8, 2026 06:33
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Apr 8, 2026
Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for persisting the chart source information to track where Helm charts originated from. This addresses issue #31999 which highlights the need to record chart provenance for supply chain auditing and verification. However, the implementation is incomplete and will not compile.

Changes:

  • Adds a Source field of type *common.ChartSource to the Release struct in both v1 and v2 release packages
  • Includes documentation indicating the field is nil for releases created before this field was added

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
pkg/release/v1/release.go Adds Source field to Release struct for chart source tracking
internal/release/v2/release.go Adds Source field to Release struct for chart source tracking

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

feat: thread chart source provenance into Release
d5cc513 
Signed-off-by: iammehrabsandhu <user.127.888@users.noreply.github.com>
@pull-request-size pull-request-size bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Apr 9, 2026
@iammehrabsandhu iammehrabsandhu requested a review from Copilot April 9, 2026 09:56
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

fix: populate chart source provenance for cached OCI charts
c489428 
Addresses review feedback on ResolvedSource not being populated when
OCI charts are served from the local cache. Also adds a fallback for
direct oci:// references when --repo is not used.

- DownloadTo: populate ResolvedSource on cache-hit path
- DownloadToCache: populate ResolvedSource on cache-hit path
- LocateChart: add OCI ref fallback when RepoURL is empty

Signed-off-by: iammehrabsandhu <user.127.888@users.noreply.github.com>
@iammehrabsandhu iammehrabsandhu requested a review from Copilot April 9, 2026 14:47
@iammehrabsandhu iammehrabsandhu changed the title WIP: feat: add support for persisting ChartSource Feat: add support for persisting ChartSource Apr 9, 2026
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

No way to figure out where Helm chart came from

2 participants

@iammehrabsandhu