pelotech · Jared-Prime · Jan 8, 2026 · Jan 5, 2026 · Jan 5, 2026 · Jan 5, 2026
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
diff --git a/.github/workflows/helm-publish.yml b/.github/workflows/helm-publish.yml
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -0,0 +1,35 @@
+name: lint
+
+on:
+  pull_request: null
+  push:
+    branches:
+      - main
+    tags:
+      - "v*.*.*"
+
+permissions: {}
+
+jobs:
+  helm:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: '0'
+      - uses: azure/setup-helm@v4.3.1
+        with:
+          version: 'latest'
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.x'
+          check-latest: true
+      - uses: helm/chart-testing-action@v2.8.0
+      - id: list-changed
+        run: |
+          changed=$(ct list-changed)
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+      - if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --chart-repos cluster=https://cloudnative-pg.io/charts
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -0,0 +1,78 @@
+name: Build and Publish Artifacts
+
+on:
+  pull_request: null
+  push:
+    branches:
+      - main
+    tags: [ "v*.*.*" ]
+
+env:
+  REGISTRY: ghcr.io
+  GOOSE_IMAGE_NAME: pelotech/goose
+  GOOSE_PACKAGE_VERSION: v3.26.0
+
+jobs:
+  charts:
+    if: github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: appany/helm-oci-chart-releaser@v0.5.0
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          name: postgrest
+          tag: ${{ github.ref }}
+          repository: ${{ github.repository }}
+          registry: ${{ env.REGISTRY }}
+          registry_username: ${{ github.actor }}
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+
+  images:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v6
+      - uses: sigstore/cosign-installer@v3.5.0
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          cosign-release: 'v2.2.4'
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@v5
+        id: metadata
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.GOOSE_IMAGE_NAME }}
+      - uses: docker/build-push-action@v6
+        id: goose-image
+        with:
+          context: ./images
+          file: ./images/goose.dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.metadata.outputs.tags }}
+          labels: ${{ steps.metadata.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64
+      - name: sign the published image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          TAGS: ${{ steps.metadata.outputs.tags }}
+          DIGEST: ${{ steps.goose-image.outputs.digest }}
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/charts/postgrest/Chart.lock b/charts/postgrest/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: cluster
-  repository: https://cloudnative-pg.io/charts/
+  repository: https://cloudnative-pg.io/charts
   version: 0.5.0
-digest: sha256:b1926f62c6d6db85689a161c910e31e550970843d33aed3f01159f50d9bddc15
-generated: "2026-01-05T17:38:04.423244-05:00"
+digest: sha256:bd4115e6b9154294c12879f19116e015f1e98563d7f1324f103ed170e3dab69e
+generated: "2026-01-08T14:31:47.621461-05:00"
diff --git a/charts/postgrest/Chart.yaml b/charts/postgrest/Chart.yaml
@@ -1,10 +1,14 @@
 apiVersion: v2
 name: postgrest
-version: 0.2.1
+icon: https://docs.postgrest.org/en/v14/_images/postgrest.png
+version: 0.2.2
+maintainers:
+  - name: jared-prime
+    email: jared.davis@pelo.tech
 description: Helm chart for a PostgREST data api
 
 dependencies:
   - name: cluster
     version: 0.5.0
-    repository: https://cloudnative-pg.io/charts/
+    repository: https://cloudnative-pg.io/charts
     condition: cluster.enabled
diff --git a/charts/postgrest/Quickstart.md b/charts/postgrest/Quickstart.md
@@ -1,32 +1,9 @@
 # quickstart
 
-Login to the GitHub Container Registry
 
-```shell
-username="my user name"
-personal="my personal access token with package read / write permissions"
-docker login ghcr.io -u $username $personal
-```
 
 ```shell
-kind create cluster --name pelotech
-
-docker build -t ghcr.io/pelotech/goose:example example/migrations
-
-kind load docker-image ghcr.io/pelotech/goose:example --name pelotech
-
-helm upgrade --install cnpg \
-  --namespace cnpg-system   \
-  --create-namespace        \
-  --wait                    \
-  --timeout 1m              \
-  cnpg/cloudnative-pg
-
-helm dependency build ./charts/postgrest
-
-helm upgrade --install postgrest \
-  --namespace default            \
-  ./charts/postgrest
+./example/build.sh
 ```
 
 ## usage

diff --git a/charts/postgrest/templates/_helpers.tpl b/charts/postgrest/templates/_helpers.tpl
@@ -1,15 +1,15 @@
-{{ define "database.connection" }}
-{{ $username := .Values.database.connection.username }}
-{{ $password := .Values.database.connection.password }}
-{{ $database := .Values.database.connection.database }}
-{{ $hostname := .Values.database.connection.hostname }}
-{{ printf "user=%s password=%s host=%s dbname=%s sslmode=disable" $username $password $hostname $database }}
-{{ end }}
+{{- define "database.connection" -}}
+{{- $username := .Values.database.connection.username }}
+{{- $password := .Values.database.connection.password }}
+{{- $database := .Values.database.connection.database }}
+{{- $hostname := .Values.database.connection.hostname }}
+{{- printf "user=%s password=%s host=%s dbname=%s sslmode=disable" $username $password $hostname $database }}
+{{- end -}}
 
-{{ define "database.migrations" }}
-{{ $username := .Values.database.migrations.username }}
-{{ $password := .Values.database.migrations.password }}
-{{ $database := .Values.database.migrations.database }}
-{{ $hostname := .Values.database.migrations.hostname }}
-{{ printf "user=%s password=%s host=%s dbname=%s sslmode=disable" $username $password $hostname $database }}
-{{ end }}
+{{- define "database.migrations" -}}
+{{- $username := .Values.database.migrations.username }}
+{{- $password := .Values.database.migrations.password }}
+{{- $database := .Values.database.migrations.database }}
+{{- $hostname := .Values.database.migrations.hostname }}
+{{- printf "user=%s password=%s host=%s dbname=%s sslmode=disable" $username $password $hostname $database }}
+{{- end -}}
diff --git a/charts/postgrest/templates/database.yaml b/charts/postgrest/templates/database.yaml
@@ -0,0 +1,12 @@
+{{- if (not .Values.cluster.enabled) }}
+{{- range $database := .Values.cluster.databases }}
+apiVersion: postgresql.cnpg.io/v1
+kind: Database
+metadata:
+  name: postgrest
+  namespace: "{{ .Release.Namespace }}"
+spec:
+  {{ $database | toYaml | nindent 2 }}
+---
+{{- end }}
+{{- end }}
diff --git a/charts/postgrest/templates/deployment.yaml b/charts/postgrest/templates/deployment.yaml
@@ -2,26 +2,43 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: postgrest
-
+  namespace: "{{ .Release.Namespace }}"
 spec:
   replicas: 1
   selector:
     matchLabels:
-      name: postgrest
+      app.kubernetes.io/component: postgrest
+      app.kubernetes.io/instance: "{{ .Release.Namespace }}"
+      app.kubernetes.io/name: postgrest
   template:
     metadata:
       labels:
-        name: postgrest
+        app.kubernetes.io/component: postgrest
+        app.kubernetes.io/instance: "{{ .Release.Namespace }}"
+        app.kubernetes.io/name: postgrest
     spec:
       initContainers:
+        - name: wait-for-databases
+          image: alpine:3.23
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/sh
+            - -c
+            - |
+              apk add postgresql-client &&
+              while ! psql {{ include "database.connection" . | quote }} -c "SELECT 1;" 2>/dev/null; do
+                echo "awaiting connection - retrying in 5 seconds"
+                sleep 5
+              done
+              echo "connection succeeded"
         {{ if not (empty .Values.application.jwk.public) }}
-        - name: jwks
-          image: alpine/curl
+        - name: curl-the-jwks
+          image: alpine:3.23
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh
             - -c
-            - "curl --location {{ .Values.application.jwk.public }} > /etc/opt/postgrest/certificates/jwk.json"
+            - curl --location {{ .Values.application.jwk.public | quote }} > /etc/opt/postgrest/certificates/jwk.json
         - volumeMounts:
             - mountPath: /etc/opt/postgrest/certificates
               name: certificates
@@ -44,6 +61,10 @@ spec:
         - name: postgrest
           image: postgrest/postgrest
           imagePullPolicy: IfNotPresent
+          ports:
+            - name: postgrest
+              containerPort: 3000
+              protocol: TCP
           env:
             - name: PGRST_DB_URI
               valueFrom: