{"id":51038622,"url":"https://github.com/quenchworks/charts","last_synced_at":"2026-06-22T09:00:39.485Z","repository":{"id":364018891,"uuid":"1266030118","full_name":"quenchworks/charts","owner":"quenchworks","description":"Clean-room Helm charts for the QuenchWorks catalog: each pinned to a signed, 0-CVE image digest, published as OCI to GHCR and listed on ArtifactHub.","archived":false,"fork":false,"pushed_at":"2026-06-19T21:55:47.000Z","size":891,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-19T22:12:44.755Z","etag":null,"topics":["artifacthub","cosign","devsecops","digest-pinned","hardened","helm","helm-charts","k8s","kubernetes","oci","security","sigstore"],"latest_commit_sha":null,"homepage":"https://quench-works.com/","language":"Go Template","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quenchworks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":".github/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-11T09:11:42.000Z","updated_at":"2026-06-19T21:55:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/quenchworks/charts","commit_stats":null,"previous_names":["quenchworks/charts"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/quenchworks/charts","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcharts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcharts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcharts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcharts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quenchworks","download_url":"https://codeload.github.com/quenchworks/charts/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcharts/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34630094,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["artifacthub","cosign","devsecops","digest-pinned","hardened","helm","helm-charts","k8s","kubernetes","oci","security","sigstore"],"created_at":"2026-06-22T09:00:26.620Z","updated_at":"2026-06-22T09:00:39.471Z","avatar_url":"https://github.com/quenchworks.png","language":"Go Template","funding_links":[],"categories":[],"sub_categories":[],"readme":"# QuenchWorks charts\n\nClean-room Helm charts for the [QuenchWorks](https://github.com/quenchworks) catalog. Every chart deploys a hardened, 0-CVE image from the [images](https://quench-works.com/images) factory, pins it strictly by `sha256` digest, ships as a cosign-signed OCI artifact on GHCR, and is listed on ArtifactHub as a **verified publisher** with a Values schema.\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://quench-works.com\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/quenchworks/.github/main/profile/assets/demo.gif\" alt=\"QuenchWorks in a terminal: run a 0-CVE image, verify it with cosign, deploy the Helm chart, and watch the pod reach Running.\" width=\"760\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n**54 charts.** No paywall, no account, no vendor lock. Browse them all at [quench-works.com/charts](https://quench-works.com/charts).\n\n```bash\nhelm install cache oci://ghcr.io/quenchworks/charts/redis\n```\n\nThat's the whole install. The image it deploys is already signed and pinned to a digest, so you don't have to track image security yourself.\n\n## The security model\n\nThree guarantees, baked into every chart:\n\n- **Digest-pinned, always.** Charts resolve images by `repository@sha256:...`, never by tag. A tag-only reference is refused on purpose, so a chart physically can't ship an unpinned image.\n- **One hardened baseline.** Every chart inherits the same pod and container security context from the [`quench-common`](https://github.com/quenchworks/common) library chart: nonroot, read-only root filesystem, no privilege escalation, all capabilities dropped, seccomp `RuntimeDefault`. Fix it once, fix it everywhere.\n- **Verifiable provenance.** Charts are cosign keyless-signed, and the images they point at are signed and SBOM-carrying. You can check it all yourself.\n\n## The catalog\n\n| Category | Charts |\n|----------|--------|\n| Relational | `postgresql` · `mariadb` · `mysql` · `cockroachdb` ⚠️ |\n| Document | `couchdb` · `ferretdb` · `documentdb` · `postgres-documentdb` · `mongodb` ⚠️ |\n| Wide-column | `cassandra` · `scylladb` |\n| Key-value / cache | `valkey` · `redis` · `memcached` · `dragonfly` ⚠️ |\n| Search / vector | `opensearch` · `solr` · `meilisearch` · `qdrant` · `elasticsearch` ⚠️ |\n| Time series | `influxdb` · `victoriametrics` |\n| Analytical | `clickhouse` |\n| Graph | `neo4j` |\n| Messaging / streaming | `kafka` · `nats` · `rabbitmq` · `pulsar` |\n| Coordination | `etcd` · `zookeeper` · `temporal` |\n| Observability | `prometheus` · `grafana` · `loki` · `tempo` · `otel-collector` · `vector` · `fluent-bit` |\n| Gateways / proxies | `nginx` · `caddy` · `traefik` · `haproxy` |\n| Object storage | `garage` · `rustfs` · `seaweedfs` |\n| Secrets / identity | `openbao` · `keycloak` |\n| Registry · Git · CI/IaC | `harbor` · `gitea` · `atlantis` |\n\n⚠️ = source-available, **not** OSI-approved open source (see [licensing](#a-note-on-licensing)).\n\n## Verify a chart\n\n```bash\ncosign verify ghcr.io/quenchworks/charts/postgresql@sha256:DIGEST \\\n  --certificate-identity-regexp 'https://github.com/quenchworks/.+' \\\n  --certificate-oidc-issuer https://token.actions.githubusercontent.com\n```\n\n## Per-chart docs\n\nGitHub shows this single repo README on every chart's package page; it can't render a per-chart README for OCI artifacts. Each chart's own docs (values, examples, security notes) live on **ArtifactHub** and ship inside the chart itself:\n\n```bash\nhelm show readme oci://ghcr.io/quenchworks/charts/\u003cchart\u003e\n```\n\n## Layout\n\n```\nquench/\u003capp\u003e/             one app chart per directory, e.g. quench/postgresql\n.github/workflows/        release (lint, install, package, push) and digest repin\n```\n\nThe shared `quench-common` library chart lives in its own repo, [quenchworks/common](https://github.com/quenchworks/common), published at `oci://ghcr.io/quenchworks/charts/quench-common`. App charts depend on it and pull it at build time, so it isn't vendored here.\n\n## How releases work\n\nThe image factory builds and signs an image, then fires an `image-published` dispatch to this repo. `on-digest.yml` repins the chart's `values.yaml` to the new digest and commits. That push triggers `release-\u003capp\u003e.yml`, which lints, templates, installs into a kind cluster and runs a real client roundtrip as a gate, then packages and pushes the cosign-signed OCI chart and publishes the ArtifactHub metadata.\n\n## The clean-room rule\n\nCharts here are written from each application's own upstream documentation. They are not copied or adapted from any other vendor's charts. See [CONTRIBUTING](https://github.com/quenchworks/.github/blob/main/CONTRIBUTING.md).\n\n## A note on licensing\n\nMost of the catalog is OSI-clean. Four charts wrap source-available datastores and carry a loud license banner in their README, NOTES, and on the website, because these are **not** OSI-approved open source. Each names the clean alternative we recommend instead:\n\n| Chart | License | Clean alternative |\n|-------|---------|-------------------|\n| `mongodb` | SSPL-1.0 | `ferretdb` + `documentdb` (MongoDB-wire compatible, truly open) |\n| `elasticsearch` | SSPL-1.0 | `opensearch` (Apache-2.0 drop-in fork) |\n| `cockroachdb` | BUSL-1.1 | `postgresql` for single-region SQL (BUSL converts to Apache after 3 years) |\n| `dragonfly` | BUSL-1.1 | `valkey` (BSD-3-Clause, Redis-compatible) |\n\n## License\n\nMIT for the chart templates and tooling. Each deployed application carries its own upstream license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquenchworks%2Fcharts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquenchworks%2Fcharts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquenchworks%2Fcharts/lists"}