{"id":51039263,"url":"https://github.com/quenchworks/common","last_synced_at":"2026-06-22T09:06:22.716Z","repository":{"id":364120024,"uuid":"1266497097","full_name":"quenchworks/common","owner":"quenchworks","description":"quench-common: the shared Helm library chart for the QuenchWorks catalog (hardened pod/container security contexts + a digest-only image resolver).","archived":false,"fork":false,"pushed_at":"2026-06-17T07:11:38.000Z","size":13,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-22T00:18:12.816Z","etag":null,"topics":["hardened","helm","helm-charts","helm-library-chart","kubernetes","security"],"latest_commit_sha":null,"homepage":"https://quench-works.com/","language":"Go Template","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/quenchworks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-11T17:11:05.000Z","updated_at":"2026-06-17T07:11:42.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/quenchworks/common","commit_stats":null,"previous_names":["quenchworks/common"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/quenchworks/common","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcommon","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcommon/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcommon/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcommon/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/quenchworks","download_url":"https://codeload.github.com/quenchworks/common/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/quenchworks%2Fcommon/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34641671,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-22T02:00:06.391Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hardened","helm","helm-charts","helm-library-chart","kubernetes","security"],"created_at":"2026-06-22T09:06:21.722Z","updated_at":"2026-06-22T09:06:22.705Z","avatar_url":"https://github.com/quenchworks.png","language":"Go Template","funding_links":[],"categories":[],"sub_categories":[],"readme":"# quench-common\n\nThe shared Helm **library chart** behind the [QuenchWorks](https://github.com/quenchworks) catalog. It's the one place the security baseline is defined, so all 54 app charts inherit the exact same hardening: identical labels, identical pod and container security contexts, and a digest-only image resolver that makes shipping an unpinned image impossible.\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://quench-works.com\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/quenchworks/.github/main/profile/assets/demo.gif\" alt=\"QuenchWorks in a terminal: run a 0-CVE image, verify it with cosign, deploy the Helm chart, and watch the pod reach Running.\" width=\"760\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nHarden it once here, and every chart in the catalog moves together.\n\nPublished as an OCI artifact and consumed by the charts in [quenchworks/charts](https://github.com/quenchworks/charts):\n\n```\noci://ghcr.io/quenchworks/charts/quench-common\n```\n\n## How charts depend on it\n\n```yaml\n# Chart.yaml\ndependencies:\n  - name: quench-common\n    version: 0.0.1\n    repository: oci://ghcr.io/quenchworks/charts\n```\n\n## What it provides\n\n- **Naming and labels**: `quench-common.fullname` / `name` / `labels` / `selectorLabels`, consistent across the whole catalog.\n- **The digest-only image resolver**: `quench-common.image` resolves an image strictly by `repository@sha256:digest`. A tag-only reference is refused on purpose, so a chart can never ship an unpinned image.\n- **Hardened pod security context**: `quench-common.podSecurityContext` sets `runAsNonRoot`, uid/gid/fsGroup 1001, seccomp `RuntimeDefault`.\n- **Hardened container security context**: `quench-common.containerSecurityContext` sets a read-only root filesystem, no privilege escalation, drop ALL capabilities.\n- **A shared knob surface**: the override points every chart exposes the same way, including scheduling, probes, extra env/volumes/volumeMounts, init containers, sidecars, lifecycle hooks, and security-context overrides.\n\n## Versioning\n\nPatch-bump the chart `version` on every change, and never overwrite a published version. App charts then move to the new version on their next release. This is a library chart, so there's nothing to `helm install` directly.\n\n## Release\n\nPushing to `main` runs `.github/workflows/release-common.yml`: lint, package, push the OCI chart to GHCR, and cosign-sign it (keyless).\n\n## License\n\nMIT.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquenchworks%2Fcommon","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fquenchworks%2Fcommon","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fquenchworks%2Fcommon/lists"}