feat(helm): add Helm chart for self-hosted openconcho web UI

[offendingcommit]

Summary

• Adds a production-grade Helm 3 chart at charts/openconcho/ for self-hosting the openconcho SPA on Kubernetes
• Publishes the chart as an OCI artifact to GHCR (oci://ghcr.io/offendingcommit/charts/openconcho) on every tagged release via a new publish-chart job in the existing Docker publish workflow
• Includes full security hardening (nginx-unprivileged UID 101, read-only root FS, dropped capabilities, seccomp RuntimeDefault) and optional HPA, PDB, NetworkPolicy, and Ingress resources

Resources included

Template	Notes
Deployment	Read-only FS, tmpfs mounts, named port http on 8080, rolling update
Service	ClusterIP by default, targetPort: http
ServiceAccount	automountServiceAccountToken: false
Ingress	Disabled by default; ingressClassName optional
HorizontalPodAutoscaler	autoscaling/v2, CPU utilization
PodDisruptionBudget	policy/v1, mutually-exclusive minAvailable/maxUnavailable
NetworkPolicy	Same-namespace ingress only on port 8080
NOTES.txt	Access instructions + NetworkPolicy/Ingress cross-namespace warning
Helm tests	test-healthz (body check) and test-spa-root (HTTP 200 spider)

Publishing pipeline

publish-chart job in .github/workflows/docker-publish.yml:

• Runs only on refs/tags/*, after the Docker image push succeeds
• Strips the v prefix from release tags (v0.14.0 → 0.14.0) so chart version matches image tag
• Pushes to oci://ghcr.io/offendingcommit/charts

Note: First push to a new GHCR package creates it as private. Flip visibility to public in GitHub Package settings after the first release.

Merge note

Main has stale partial chart files (Chart.yaml, _helpers.tpl, values.yaml, values.schema.json) from a previous session. The feature branch contains the complete, correct versions. Merge will require resolving conflicts in those 3 files by accepting the feature branch versions.

Test plan

• helm lint charts/openconcho — passes (0 failures)
• helm template test-release charts/openconcho — all resources render cleanly
• All optional resources enabled: HPA, PDB, NetworkPolicy, Ingress all appear
• 107 unit tests passing
• After merge and tagging: verify publish-chart job runs and pushes chart to GHCR