How it works
From source to a signed install
Three independent layers, each with a single job. The contract between them is simple: charts reference images only by digest, never a moving tag.
The image factory
We compile each application from source with melange, then apko assembles a small nonroot image on top of Wolfi. There are no Dockerfiles and nothing inherited from another distro, so the image carries only what the app needs. A Trivy gate fails the build on any fixable CVE, and a scheduled rebuild keeps the result clean over time.
Clean-room charts
Each Helm chart is written from the upstream documentation for that application, never copied from another vendor. A shared library chart provides the labels, hardened security contexts, and a resolver that references images strictly by digest. Charts run nonroot on a read-only root filesystem with all capabilities dropped.
Signed distribution
Images and charts publish to GHCR as OCI artifacts and are signed with cosign using GitHub OIDC, so there is no long-lived key. When an image is rebuilt, a digest contract updates the chart to the new signed digest automatically. Everything is listed on ArtifactHub, and anyone can verify a signature from their own terminal.
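The three layers above, as an added shell example that is not the project's own tooling: a Trivy gate that fails on fixable CVEs, a digest-pinning check that enforces the chart contract (a reference must end in `@sha256:<64 hex>`, a bare tag can be repointed after signing), and a keyless `cosign verify` that ties the signature to a GitHub Actions workflow identity rather than a key. `ORG_PLACEHOLDER`, `REPO_PLACEHOLDER`, the sample image references and the values-file layout are placeholders and assumptions, not values from this page.

```shell
#!/usr/bin/env sh
# Added example, not the project's own scripts. ORG_PLACEHOLDER / REPO_PLACEHOLDER
# and the sample references are placeholders; substitute what a chart declares.

# Layer 1: the CVE gate. --exit-code 1 turns findings into a build failure and
# --ignore-unfixed limits that to CVEs a rebuild can actually remove.
trivy_gate() {
  trivy image --exit-code 1 --ignore-unfixed "$1"
}

# Layer 2: the digest contract. A reference counts as pinned only when it ends
# in "@sha256:<64 hex>". "repo:tag@sha256:..." is accepted too: the digest,
# not the tag, is what the runtime resolves.
is_pinned_by_digest() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Print the digest of a pinned reference; fail for anything unpinned.
digest_of() {
  is_pinned_by_digest "$1" || return 1
  printf '%s\n' "${1##*@}"
}

# List every unpinned image reference in a values file. Assumes the simple
# layout "image: <reference>" (quoted or not) on one line; charts that split
# repository/tag/digest across keys need a different extractor.
check_values_file() {
  grep -E '^[[:space:]]*image:' "$1" \
    | sed -E "s/^[^:]*:[[:space:]]*//; s/[\"']//g" \
    | while IFS= read -r ref; do
        is_pinned_by_digest "$ref" || echo "$ref"
      done
}

# Layer 3: keyless verification. The signer identity lives in the short-lived
# certificate cosign recorded at signing time, so pin both the OIDC issuer and
# the workflow identity, and refuse to verify anything that is not digest-pinned
# (a tag could resolve to a different image than the one that was signed).
verify_keyless() {
  ref="$1"
  if ! is_pinned_by_digest "$ref"; then
    echo "refusing to verify unpinned reference: $ref" >&2
    return 2
  fi
  cosign verify \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp '^https://github\.com/ORG_PLACEHOLDER/REPO_PLACEHOLDER/\.github/workflows/[^@]+@refs/' \
    "$ref"
}

# Usage: ./verify.sh ghcr.io/ORG_PLACEHOLDER/app@sha256:<digest from the chart>
if [ $# -gt 0 ]; then
  verify_keyless "$1"
fi
```

The same `verify_keyless` call works for a chart published as an OCI artifact, since cosign verifies the OCI reference rather than anything specific to container images. Tightening the identity regexp to one workflow file (or swapping it for `--certificate-identity` with the exact URL) is the main knob: the looser the pattern, the more workflows in that repository could have produced an accepted signature.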
See it in practice on any chart page, or read the security model.