feat: consolidate Helm chart distribution to OCI-only and drop GitHub Pages

.github/actions/setup-test-environment/action.yml

@@ -78,7 +78,7 @@ inputs:
     required: false
     default: 'v1.35.0'
   released-chart-version:
-    description: 'Install operator from public Helm repo instead of built artifacts. Use "latest" for latest version or a specific version string.'
+    description: 'Install operator from the public GHCR OCI Helm chart instead of built artifacts. Use "latest" to resolve the highest stable SemVer tag published to GHCR, or pass an explicit version (e.g. "0.2.0") for reproducible installs (recommended).'
     required: false
     default: ''
 
@@ -609,32 +609,62 @@ runs:
     - name: Install DocumentDB Operator (released chart)
       if: inputs.released-chart-version != ''
       shell: bash
+      env:
+        GHCR_LOGIN_TOKEN: ${{ inputs.github-token }}
+        GHCR_LOGIN_USERNAME: ${{ github.actor }}
       run: |
-        echo "Installing DocumentDB Operator from public Helm repo..."
+        echo "Installing DocumentDB Operator from public GHCR OCI Helm chart..."
         echo "Requested chart version: ${{ inputs.released-chart-version }}"
-
-        # Add the public DocumentDB Helm repository
-        helm repo add documentdb https://documentdb.github.io/documentdb-kubernetes-operator
-        helm repo update
-
-        # Install the released chart
-        # If version is 'latest', omit --version to get the latest available
+
+        # The released chart is published from the canonical documentdb org regardless of
+        # which repository owner is running CI. Forks consume the same upstream chart.
+        OCI_CHART="oci://ghcr.io/documentdb/documentdb-operator"
+
+        # Public charts can be pulled anonymously; use registry auth only when it works.
+        if [[ -n "$GHCR_LOGIN_TOKEN" ]]; then
+          if printf '%s' "$GHCR_LOGIN_TOKEN" | helm registry login ghcr.io --username "$GHCR_LOGIN_USERNAME" --password-stdin; then
+            echo "Authenticated to GHCR for Helm chart pull."
+          else
+            echo "⚠️ GHCR Helm registry login failed; continuing with anonymous pull for the public chart."
+          fi
+        else
+          echo "No GHCR login token provided; installing public chart anonymously."
+        fi
+
+        # Resolve the chart version. OCI registries do not support `helm search repo`, so
+        # "latest" is resolved by listing the GHCR OCI tags (the actual source of truth for
+        # what is installable) and picking the highest stable SemVer. Reproducible installs
+        # should pass an explicit version instead of "latest".
         CHART_VERSION="${{ inputs.released-chart-version }}"
         if [[ "$CHART_VERSION" == "latest" ]]; then
-          echo "Installing latest released version..."
-          helm install documentdb-operator documentdb/documentdb-operator \
-            --namespace ${{ inputs.operator-namespace }} \
-            --create-namespace \
-            --wait --timeout=15m
-        else
-          echo "Installing version $CHART_VERSION..."
-          helm install documentdb-operator documentdb/documentdb-operator \
-            --namespace ${{ inputs.operator-namespace }} \
-            --create-namespace \
-            --version "$CHART_VERSION" \
-            --wait --timeout=15m
+          echo "Resolving latest released chart version from GHCR OCI tags..."
+          GHCR_TOKEN=$(curl -sSL 'https://ghcr.io/token?scope=repository:documentdb/documentdb-operator:pull' | jq -r '.token // empty' 2>/dev/null || true)
+          CURL_ARGS=(-sSL "https://ghcr.io/v2/documentdb/documentdb-operator/tags/list")
+          if [[ -n "$GHCR_TOKEN" ]]; then
+            CURL_ARGS+=(-H "Authorization: Bearer ${GHCR_TOKEN}")
+          fi
+          RESOLVED_VERSION=$(curl "${CURL_ARGS[@]}" 2>/dev/null \
+            | jq -r '.tags[]?' 2>/dev/null \
+            | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
+            | sort -V \
+            | tail -1 \
+            || echo "")
+          if [[ -z "$RESOLVED_VERSION" ]]; then
+            echo "❌ Failed to resolve latest released chart version from GHCR OCI tags."
+            echo "   Pass an explicit released-chart-version (e.g. '0.2.0') to avoid this dependency."
+            exit 1
+          fi
+          CHART_VERSION="$RESOLVED_VERSION"
+          echo "Resolved 'latest' to chart version: $CHART_VERSION"
         fi
-
+
+        echo "Installing $OCI_CHART --version $CHART_VERSION..."
+        helm install documentdb-operator "$OCI_CHART" \
+          --namespace ${{ inputs.operator-namespace }} \
+          --create-namespace \
+          --version "$CHART_VERSION" \
+          --wait --timeout=15m
+
         # Log resolved version
         echo "Installed Helm releases:"
         helm list -n ${{ inputs.operator-namespace }}

.github/workflows/deploy_docs.yml

@@ -43,10 +43,16 @@ jobs:
         if: github.ref == 'refs/heads/main' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
         run: mike deploy dev --push --update-aliases
 
-      # On release: deploy versioned docs and update "latest" alias
-      - name: Deploy release docs
-        if: github.event_name == 'release'
-        run: |
-          VERSION=${{ github.event.release.tag_name }}
-          mike deploy ${VERSION} latest --push --update-aliases
+      # On release: deploy versioned docs and update "latest" alias
+      - name: Stamp release version into docs
+        if: github.event_name == 'release'
+        run: |
+          VERSION=${{ github.event.release.tag_name }}
+          find docs/operator-public-documentation -name '*.md' -exec sed -i "s|<release-version>|${VERSION}|g" {} +
+
+      - name: Deploy release docs
+        if: github.event_name == 'release'
+        run: |
+          VERSION=${{ github.event.release.tag_name }}
+          mike deploy ${VERSION} latest --push --update-aliases
           mike set-default latest --push

.github/workflows/release_images.yml

@@ -149,22 +149,3 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "**Note**: Images promoted from \`${{ github.event.inputs.candidate_version }}\` to \`${{ github.event.inputs.version }}\` and Helm chart published" >> $GITHUB_STEP_SUMMARY
 
-  publish-helm-pages:
-    name: Publish Helm Repository
-    needs: publish-helm-chart
-    if: ${{ always() && needs.publish-helm-chart.result == 'success' }}
-    permissions:
-      contents: write
-    uses: ./.github/workflows/repair_helm_pages_release.yml
-    with:
-      version: ${{ inputs.version }}
-      release_ref: ${{ inputs.source_ref }}
-      publish_branch: gh-pages
-      repo_url: https://documentdb.github.io/documentdb-kubernetes-operator
-      dry_run: false
-      confirm_version: ${{ inputs.version }}
-      normalize_chart_metadata: true
-      # Follow the same gh-pages branch used by mike in deploy_docs.yml.
-      allow_pages_source_mismatch: true
-    secrets: inherit
-

.github/workflows/release_operator.yml

@@ -156,23 +156,3 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "**Note**: Database images (documentdb, gateway) are released independently via \`release_documentdb_images.yml\`." >> $GITHUB_STEP_SUMMARY
 
-  # ---------------------------------------------------------------------------
-  # Publish Helm repository to GitHub Pages
-  # ---------------------------------------------------------------------------
-  publish-helm-pages:
-    name: Publish Helm Repository
-    needs: publish-helm-chart
-    if: ${{ always() && needs.publish-helm-chart.result == 'success' }}
-    permissions:
-      contents: write
-    uses: ./.github/workflows/repair_helm_pages_release.yml
-    with:
-      version: ${{ inputs.version }}
-      release_ref: ${{ inputs.source_ref }}
-      publish_branch: gh-pages
-      repo_url: https://documentdb.github.io/documentdb-kubernetes-operator
-      dry_run: false
-      confirm_version: ${{ inputs.version }}
-      normalize_chart_metadata: true
-      allow_pages_source_mismatch: true
-    secrets: inherit