chore(helm): generate values.schema.json from values.yaml (#41780)

This PR has two coordinated parts: (1) a complete rewrite of the chart's
`values.schema.json` (auto-generated from `values.yaml`), and (2) a
publish-workflow restructure to add a release channel, PR pre-flight
checks, and schema URL hosting.

They're together because the workflow surfaces and validates the new
schema, and would conflict on `helm-release.yml` if split into separate
PRs.

---

## Part 1: values.schema.json — full coverage, auto-generated

### What changed

- Annotates `deploy/helm/values.yaml` with `# @schema` comments so the
[helm-values-schema-json](https://github.com/losisin/helm-values-schema-json)
plugin can generate `values.schema.json` with full top-level coverage
(43/43 keys vs. 4/43 previously).
- Dependency pass-throughs (`redis`, `mongodb`, `postgresql`,
`prometheus`, `mongodbOperator`) use `additionalProperties: true` with
their internals hidden — only the chart-owned `enabled` condition flag
is typed (boolean).
- `applicationConfig` accepts any scalar type (`string`, `boolean`,
`integer`, `number`) for any key, since Helm/K8s stringify env-var
values when rendering. Earlier draft enforced string-only, which
rejected natural YAML like `APPSMITH_DISABLE_TELEMETRY: true`.
- New CI workflow `.github/workflows/helm-schema.yml` regenerates the
schema on PR and fails on drift between `values.yaml` and
`values.schema.json`. Pinned to Helm 4.1.4.
- New `tests/values_schema_test.yaml` helm-unittest suite (14 cases)
exercises rejection of invalid input and acceptance of pass-through
values. Picked up automatically by the existing `Helm Unit Tests`
workflow.
- Cursor rule (`.cursor/rules/regen-helm-schema.mdc`) auto-attaches when
editing `values.yaml` or `values.schema.json` to remind contributors how
to regenerate.

### Behavior changes worth flagging

1. **`mongodbOperator.enabled`** was previously the only validated key
under `mongodbOperator`. It still is — the rest of the block stays
opaque (any subchart values pass through unvalidated). Same model now
applied uniformly to all five dependency pass-throughs.

2. **`persistence.existingClaim.{enabled,name,claimName}` and
`persistence.efs.{enabled,driver,volumeHandle}`** had bare `null`
defaults in `values.yaml` (e.g. `enabled:` with no value). The
auto-generated schema initially typed these as `null`-only, which would
have rejected real-world overrides like
`persistence.existingClaim.enabled: true`. They are now annotated as
multi-type (`[boolean, \"null\"]` or `[string, \"null\"]`) so they
accept both the empty default and a concrete override. Tightening of a
previously-empty schema, not a loosening.

3. **`applicationConfig`**: enumerated `APPSMITH_*` keys are no longer
typed individually (they're hidden from the schema and serve as in-file
documentation). The block validates via `additionalProperties` only,
accepting any scalar value for any key. Trade-off: IDEs no longer
auto-complete the specific known keys, but the block is now permissive
for the real-world shapes that Helm renders fine.

### How to regenerate the schema locally

```
cd deploy/helm && helm schema \
  --schema-root.title 'Appsmith Helm chart values' \
  --schema-root.id 'https://helm.appsmith.com/values.schema.json' \
  -o values.schema.json
```

Plugin install (one-time):

```
helm plugin install --verify=false https://github.com/losisin/helm-values-schema-json.git
```

The Cursor rule provides this as on-demand context when editing the
relevant files.

---

## Part 2: helm-release.yml — release channel + PR pre-flight + schema
hosting

### What changed

- **Adds a release channel.** Pushes to the `release` branch publish as
`<chart-yaml-version>-release.<short-sha>` (e.g.
`3.8.0-release.abc1234`). SemVer treats the `-release.SHA` suffix as a
pre-release, so default `helm install yourrepo/appsmith` skips these —
clients must pass `--devel` to opt in. Master keeps publishing the
on-disk version verbatim as stable.

- **PR pre-flight version check.** PRs touching `deploy/helm/**` now run
a `curl HEAD` against the public chart URL for the on-disk version. If a
tarball at that version already exists, CI fails with an actionable
message:

  ```
Error: Chart version 3.7.0 is already published at
https://helm.appsmith.com/appsmith-3.7.0.tgz.
  Error: Bump 'version:' in deploy/helm/Chart.yaml before merging.
  ```

Catches \"I forgot to bump the version\" before the PR lands. No AWS
creds needed — works on fork PRs.

- **Single combined job** (was two): version-collision check is shared
between PR and push paths. Same code, same logic, same failure mode.

- **`index.yaml` regenerated from bucket state** on every publish rather
than `--merge` appended. This decouples cleanup from publish: any S3
lifecycle rule that expires `-release.*` tarballs is automatically
reflected in the next published index, with no separate cleanup workflow
needed.

- **`values.schema.json` is now uploaded alongside the chart on stable
publishes.** Enables IDE schema validation via `# yaml-language-server:
$schema=https://helm.appsmith.com/values.schema.json` in any values.yaml
file.

- **`Cache-Control: public, max-age=60`** on `index.yaml` and
`values.schema.json` so `helm repo update` and IDE schema fetches pick
up new versions promptly even if the bucket is fronted by a CDN.
Tarballs (content-addressed via digest in index) keep default caching.

- **Helm 4.1.4** (was v3.6.3) via `setup-helm@v4` (was v1).

- **`HELM_S3_BUCKET` and `HELM_REPO_URL` are now repository variables,
not secrets.** Both values are public (bucket name and chart URL).
Variables are accessible to fork PRs (unlike secrets), which is required
for the version-check path. Naming matches what each value represents:
  - `vars.HELM_S3_BUCKET` — bucket name for `aws s3 …` operations
- `vars.HELM_REPO_URL` — full URL (incl. scheme) clients fetch charts
from

- **Drops `workflow_dispatch`** (Actions UI re-runs cover the rare
manual case) and the unused `helm repo add bitnami` step (`helm dep
build` resolves all dependencies from Chart.yaml URLs without needing
repos pre-registered).

### Behavior matrix

| Trigger | ref | Version check | Publish |
|---|---|---|---|
| PR (any target) | `refs/pull/N/merge` | yes | no |
| push to master | `refs/heads/master` | yes | yes (publishes base
version as stable) |
| push to release | `refs/heads/release` | no (release channel) | yes
(publishes `base-release.SHA`) |

---

## Test plan

- [x] CI: `Helm Values Schema` workflow passes (regenerates schema,
finds no drift) — passing on most recent run
- [x] CI: `Helm Unit Tests` workflow passes (existing 53 tests + new 14
schema cases = 67 total)
- [x] Local: `helm lint deploy/helm/` succeeds
- [x] Manual smoke test: chart deployed via ArgoCD against a homelab
cluster from a personal S3 bucket, including the `applicationConfig`
boolean/integer regressions that drove the multi-type fix
- [x] Pre-merge: confirm `vars.HELM_S3_BUCKET` and `vars.HELM_REPO_URL`
are set in the repo Actions settings
- [x] Pre-merge: confirm AWS publish role has `s3:PutObjectTagging`
permission (needed for the channel tag on release-channel uploads)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added a comprehensive, stricter Helm values schema with richer
annotations and a chart version bump.

* **Tests**
* Added a test suite validating schema enforcement with passing and
failing value sets.

* **Chores**
* CI: added automated schema-check workflow, refined chart publish
workflow (stable/release channel handling, immutability check, packaging
and index update), renamed Helm unit-test job, and adjusted publish
triggers.

* **Documentation**
* Added a rule documenting how to regenerate and validate the values
schema.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

<!-- This is an auto-generated comment: Cypress test results  -->
> [!WARNING]
> Tests have not run on the HEAD
f2fc338da888b51ea1962fcf876ce89cdf43a300 yet
> <hr>Fri, 08 May 2026 17:01:09 UTC
<!-- end of auto-generated comment: Cypress test results  -->