From c2bd195bfaa0b55ccfa318d1a447f574544b1cb8 Mon Sep 17 00:00:00 2001
From: Josh Baird <jbaird@galileo.io>
Date: Wed, 14 Jan 2026 09:29:57 -0500
Subject: [PATCH] WIP: helm-release CI workflow.

Signed-off-by: Josh Baird <jbaird@galileo.io>
---
 .github/workflows/GETTING_STARTED.md   | 278 ++++++++++++++++++
 .github/workflows/GITHUB_APP_SETUP.md  | 332 +++++++++++++++++++++
 .github/workflows/GITHUB_APP_VS_PAT.md | 268 +++++++++++++++++
 .github/workflows/HELM_SYNC_README.md  | 352 ++++++++++++++++++++++
 .github/workflows/README.md            | 198 +++++++++++++
 .github/workflows/SETUP_CHECKLIST.md   | 189 ++++++++++++
 .github/workflows/WORKFLOW_FLOW.md     | 387 +++++++++++++++++++++++++
 .github/workflows/helm-release.yaml    | 263 +++++++++++++++++
 .github/workflows/test-sync.sh         | 209 +++++++++++++
 9 files changed, 2476 insertions(+)
 create mode 100644 .github/workflows/GETTING_STARTED.md
 create mode 100644 .github/workflows/GITHUB_APP_SETUP.md
 create mode 100644 .github/workflows/GITHUB_APP_VS_PAT.md
 create mode 100644 .github/workflows/HELM_SYNC_README.md
 create mode 100644 .github/workflows/README.md
 create mode 100644 .github/workflows/SETUP_CHECKLIST.md
 create mode 100644 .github/workflows/WORKFLOW_FLOW.md
 create mode 100644 .github/workflows/helm-release.yaml
 create mode 100755 .github/workflows/test-sync.sh

diff --git a/.github/workflows/GETTING_STARTED.md b/.github/workflows/GETTING_STARTED.md
new file mode 100644
index 000000000..15a9f8616
--- /dev/null
+++ b/.github/workflows/GETTING_STARTED.md
@@ -0,0 +1,278 @@
+# Getting Started: Helm Charts Sync with GitHub App
+
+**Updated to use GitHub App authentication** 🚀
+
+This guide will get you from zero to a working automated Helm chart sync in ~15 minutes.
+
+## 🎯 What You're Setting Up
+
+An automated workflow that:
+- Syncs Helm charts from `fluent/fluent-operator` → `fluent/helm-charts`
+- Creates pull requests automatically
+- Runs on releases, tags, or manually
+- Uses secure GitHub App authentication
+
+## ⚡ Quick Start (15 minutes)
+
+### Step 1: Create GitHub App (5 min)
+
+1. **Go to:** https://github.com/organizations/fluent/settings/apps/new
+
+2. **Fill in:**
+   - **Name:** `Fluent Helm Charts Sync`
+   - **Homepage:** `https://github.com/fluent/fluent-operator`
+   - **Webhook:** ❌ Uncheck "Active"
+
+3. **Permissions:**
+   - Contents: `Read and write`
+   - Pull requests: `Read and write`
+
+4. **Click:** "Create GitHub App"
+
+5. **Generate private key:**
+   - Scroll to "Private keys"
+   - Click "Generate a private key"
+   - Save the downloaded `.pem` file
+
+6. **Note your App ID:**
+   - At the top of the page: "App ID: 123456"
+   - Write it down!
+
+### Step 2: Install App (2 min)
+
+1. **Click:** "Install App" (left sidebar)
+2. **Select:** Only `fluent/helm-charts` repository
+3. **Click:** "Install"
+
+### Step 3: Add Secrets (3 min)
+
+1. **Go to:** https://github.com/fluent/fluent-operator/settings/secrets/actions
+
+2. **Add Secret #1:**
+   - Click "New repository secret"
+   - Name: `HELM_SYNC_APP_ID`
+   - Value: Your App ID from Step 1.6
+   - Click "Add secret"
+
+3. **Add Secret #2:**
+   - Click "New repository secret"
+   - Name: `HELM_SYNC_APP_PRIVATE_KEY`
+   - Value: Entire contents of `.pem` file (including BEGIN/END lines)
+   - Click "Add secret"
+
+### Step 4: Test It! (5 min)
+
+```bash
+# Test the workflow manually
+gh workflow run sync-helm-charts.yaml \
+  -f pr_title="[TEST] Initial sync test" \
+  -f charts_to_sync="fluentd-crds"
+
+# Watch it run
+gh run watch
+
+# Expected: PR created in fluent/helm-charts by "fluent-helm-charts-sync[bot]"
+```
+
+**Success indicators:**
+- ✅ Workflow completes without errors
+- ✅ PR created in fluent/helm-charts
+- ✅ PR author shows as your app bot
+- ✅ PR has properly formatted description
+
+**If it works:** Close the test PR and celebrate! 🎉
+
+**If it fails:** See [Troubleshooting](#-troubleshooting) below
+
+## 📖 Detailed Documentation
+
+### For Complete Setup Instructions
+👉 **[GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md)** - Step-by-step with screenshots
+
+### For Daily Usage
+👉 **[HELM_SYNC_README.md](HELM_SYNC_README.md)** - How to use the workflow
+
+### For Understanding the Flow
+👉 **[WORKFLOW_FLOW.md](WORKFLOW_FLOW.md)** - Visual diagrams and explanations
+
+### For Quick Reference
+👉 **[SETUP_CHECKLIST.md](SETUP_CHECKLIST.md)** - Checklist format
+
+### For Decision-Making
+👉 **[GITHUB_APP_VS_PAT.md](GITHUB_APP_VS_PAT.md)** - Why GitHub App vs PAT
+
+## 🚀 Daily Usage
+
+Once set up, using the workflow is simple:
+
+### Automatic Sync (Recommended)
+
+```bash
+# Just create a release - workflow triggers automatically!
+gh release create v3.5.0 \
+  --title "Release v3.5.0" \
+  --notes-file RELEASE_NOTES.md
+
+# Or push a version tag
+git tag v3.5.0
+git push origin v3.5.0
+```
+
+The workflow will:
+1. Detect the release/tag
+2. Sync all charts
+3. Create a PR in fluent/helm-charts
+4. Wait for your review
+
+### Manual Sync
+
+```bash
+# Sync all charts
+gh workflow run sync-helm-charts.yaml
+
+# Sync specific charts only
+gh workflow run sync-helm-charts.yaml \
+  -f charts_to_sync="fluent-operator,fluentd-crds"
+
+# Custom PR title
+gh workflow run sync-helm-charts.yaml \
+  -f pr_title="Update charts for v3.5.0"
+```
+
+### Monitoring
+
+```bash
+# List recent runs
+gh run list --workflow=sync-helm-charts.yaml --limit 5
+
+# Watch current run
+gh run watch
+
+# View specific run
+gh run view <run-id> --log
+```
+
+## 🐛 Troubleshooting
+
+### "Resource not accessible by integration"
+
+**Fix:**
+1. Check app is installed on helm-charts:
+   ```
+   https://github.com/organizations/fluent/settings/installations
+   ```
+2. Verify "fluent/helm-charts" is in the access list
+3. Check permissions: Contents + Pull requests both set to "Write"
+
+### "Bad credentials"
+
+**Fix:**
+1. Verify `HELM_SYNC_APP_ID` is just the number (e.g., `123456`)
+2. Verify `HELM_SYNC_APP_PRIVATE_KEY` includes:
+   ```
+   -----BEGIN RSA PRIVATE KEY-----
+   [key content]
+   -----END RSA PRIVATE KEY-----
+   ```
+3. No extra spaces or formatting in secrets
+
+### "Could not resolve to a Repository"
+
+**Fix:**
+1. App not installed on helm-charts repository
+2. Go to installations → Configure → Add helm-charts
+
+### Workflow runs but no PR created
+
+**Possible causes:**
+- No changes detected (charts already synced) ✅ This is OK!
+- Missing "Pull requests: Write" permission
+- Branch already exists in helm-charts
+
+## 📊 Files Created
+
+Here's everything that was created for you:
+
+```
+.github/workflows/
+├── sync-helm-charts.yaml      (12K) ← The main workflow
+├── test-sync.sh              (6.5K) ← Local testing script
+│
+├── GETTING_STARTED.md        (THIS FILE) ← Start here!
+├── GITHUB_APP_SETUP.md       (9.9K) ← Detailed setup guide
+├── SETUP_CHECKLIST.md        (5.5K) ← Quick checklist
+│
+├── HELM_SYNC_README.md       (9.7K) ← Complete usage docs
+├── WORKFLOW_FLOW.md          (15K)  ← Visual flow diagrams
+├── GITHUB_APP_VS_PAT.md      (7.8K) ← Why we chose GitHub App
+└── README.md                 (5.6K) ← Workflows overview
+```
+
+**Total:** 72KB of documentation to make your life easier! 📚
+
+## ✅ What Changed from PAT Approach
+
+If you're familiar with Personal Access Tokens:
+
+| Aspect | Old (PAT) | New (GitHub App) |
+|--------|-----------|------------------|
+| **Secrets** | 1 secret (token) | 2 secrets (app ID + key) |
+| **Setup time** | 5 min | 15 min |
+| **Expiration** | 1 year | Never |
+| **User-tied** | Yes | No |
+| **Security** | Good | Better |
+| **Attribution** | User | Bot |
+| **Maintenance** | Annual renewal | Optional key rotation |
+
+**Bottom line:** 10 extra minutes now saves hours later + better security.
+
+## 🎓 Learning Path
+
+1. **Today:** Follow this quick start
+2. **Tomorrow:** Read [HELM_SYNC_README.md](HELM_SYNC_README.md) for details
+3. **Later:** Review [WORKFLOW_FLOW.md](WORKFLOW_FLOW.md) to understand internals
+4. **Ongoing:** Reference [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md) for management
+
+## 🔒 Security Checklist
+
+Before going to production:
+
+- [ ] App has minimum permissions (only Contents + Pull requests)
+- [ ] App installed only on helm-charts (not all repos)
+- [ ] Private key stored as secret (never committed)
+- [ ] Local `.pem` file deleted after adding to secrets
+- [ ] Both secrets added correctly
+- [ ] Test workflow completed successfully
+- [ ] Team knows how to manage the app
+
+## 🎉 Success Criteria
+
+You know it's working when:
+
+✅ Workflow runs without errors
+✅ PR created automatically in helm-charts
+✅ PR author shows as "fluent-helm-charts-sync[bot]"
+✅ PR has formatted description with versions
+✅ Charts are synced correctly
+✅ Merging PR triggers helm-charts CI
+
+## 🆘 Need Help?
+
+**Read in order:**
+1. This file's [Troubleshooting](#-troubleshooting) section
+2. [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md#troubleshooting)
+3. [HELM_SYNC_README.md](HELM_SYNC_README.md#troubleshooting)
+4. GitHub Actions logs in the failed workflow
+5. Ask maintainers: @wenchajun @marcofranssen @joshuabaird
+
+## 🚀 Ready?
+
+Let's do this! Start with Step 1 above. ⬆️
+
+---
+
+**Created:** November 2025
+**Status:** Production Ready
+**Estimated Setup Time:** 15 minutes
+**Difficulty:** Beginner-friendly 🟢
+
diff --git a/.github/workflows/GITHUB_APP_SETUP.md b/.github/workflows/GITHUB_APP_SETUP.md
new file mode 100644
index 000000000..e8ed664f1
--- /dev/null
+++ b/.github/workflows/GITHUB_APP_SETUP.md
@@ -0,0 +1,332 @@
+# GitHub App Setup for Helm Charts Sync
+
+This guide walks you through creating and configuring a GitHub App for automated chart synchronization.
+
+## 🎯 Why GitHub App?
+
+✅ **More secure** - Fine-grained permissions
+✅ **Not tied to user** - Survives team changes
+✅ **Better audit trail** - Clear attribution
+✅ **Longer lived** - No expiration concerns
+✅ **Organization-level** - Centralized management
+
+## 📋 Prerequisites
+
+- Admin access to the `fluent` GitHub organization (or both repos)
+- Ability to create GitHub Apps in the organization
+- Access to repository secrets in `fluent/fluent-operator`
+
+## 🚀 Step-by-Step Setup
+
+### Step 1: Create the GitHub App
+
+1. **Navigate to GitHub App creation page:**
+   - **For Organization**: https://github.com/organizations/fluent/settings/apps/new
+   - **For Personal**: https://github.com/settings/apps/new
+
+2. **Fill in basic information:**
+
+   | Field | Value |
+   |-------|-------|
+   | **GitHub App name** | `Fluent Helm Charts Sync` |
+   | **Homepage URL** | `https://github.com/fluent/fluent-operator` |
+   | **Webhook** | ❌ Uncheck "Active" (not needed) |
+
+3. **Set Repository permissions:**
+
+   Navigate to "Repository permissions" section and set:
+
+   | Permission | Access Level | Why Needed |
+   |------------|--------------|------------|
+   | **Contents** | `Read and write` | Clone repos, push commits |
+   | **Pull requests** | `Read and write` | Create and manage PRs |
+   | **Metadata** | `Read-only` | Required (auto-selected) |
+
+   > **Note:** We only need these 3 permissions - keep everything else at "No access"
+
+4. **Set "Where can this GitHub App be installed?"**
+   - ✅ Select: **"Only on this account"**
+   - This restricts the app to the `fluent` organization
+
+5. **Click "Create GitHub App"**
+
+### Step 2: Generate and Save Private Key
+
+After creating the app:
+
+1. **Scroll to "Private keys" section** (bottom of app settings page)
+
+2. **Click "Generate a private key"**
+   - A `.pem` file will download automatically
+   - **⚠️ IMPORTANT**: This is the only time you'll see this key!
+
+3. **Save the file securely:**
+   ```bash
+   # The file will be named something like:
+   # fluent-helm-charts-sync.2024-11-20.private-key.pem
+
+   # Store it securely - you'll need it in the next step
+   ```
+
+4. **Note the App ID:**
+   - At the top of the page, you'll see "App ID: 123456"
+   - Copy this number - you'll need it
+
+### Step 3: Install the App on Repositories
+
+1. **Go to "Install App" tab** (left sidebar of app settings)
+
+2. **Click "Install" next to your organization/account**
+
+3. **Select repository access:**
+   - ✅ Select: **"Only select repositories"**
+   - Choose: **`fluent/helm-charts`** (the target repository)
+
+   > **Important**: The app only needs access to `helm-charts`, not `fluent-operator`
+
+4. **Click "Install"**
+
+5. **Note the Installation ID (Optional but helpful):**
+   - Look at the URL after installation: `https://github.com/organizations/fluent/settings/installations/XXXXX`
+   - The number is your installation ID (useful for debugging)
+
+### Step 4: Add Secrets to fluent-operator Repository
+
+Now add the App credentials as secrets in the `fluent-operator` repository:
+
+1. **Navigate to:**
+   ```
+   https://github.com/fluent/fluent-operator/settings/secrets/actions
+   ```
+
+2. **Add Secret #1: App ID**
+   - Click "New repository secret"
+   - **Name**: `HELM_SYNC_APP_ID`
+   - **Value**: The App ID from Step 2.4 (e.g., `123456`)
+   - Click "Add secret"
+
+3. **Add Secret #2: Private Key**
+   - Click "New repository secret"
+   - **Name**: `HELM_SYNC_APP_PRIVATE_KEY`
+   - **Value**: The complete contents of the `.pem` file from Step 2.3
+
+   ```bash
+   # To get the contents on macOS/Linux:
+   cat fluent-helm-charts-sync.2024-11-20.private-key.pem | pbcopy
+   # (copies to clipboard)
+
+   # Or simply open the file and copy all contents including:
+   # -----BEGIN RSA PRIVATE KEY-----
+   # [all the key content]
+   # -----END RSA PRIVATE KEY-----
+   ```
+
+   - Click "Add secret"
+
+### Step 5: Verify Secrets
+
+Confirm both secrets are added:
+
+```
+Repository secrets for fluent/fluent-operator:
+✓ HELM_SYNC_APP_ID
+✓ HELM_SYNC_APP_PRIVATE_KEY
+```
+
+## ✅ Verification Checklist
+
+Before proceeding, verify:
+
+- [ ] GitHub App created successfully
+- [ ] App has correct permissions (Contents: Write, Pull requests: Write)
+- [ ] Private key generated and downloaded
+- [ ] App installed on `fluent/helm-charts` repository
+- [ ] `HELM_SYNC_APP_ID` secret added to fluent-operator
+- [ ] `HELM_SYNC_APP_PRIVATE_KEY` secret added to fluent-operator
+- [ ] Both secrets are visible in repository settings
+
+## 🧪 Testing the Setup
+
+Test that the app authentication works:
+
+```bash
+# Run the workflow manually
+gh workflow run sync-helm-charts.yaml
+
+# Watch the run
+gh run watch
+
+# Check for any authentication errors
+```
+
+**Expected behavior:**
+- ✅ Workflow authenticates successfully
+- ✅ Can clone helm-charts repository
+- ✅ Can create branch in helm-charts
+- ✅ Can create PR in helm-charts
+
+**If you see authentication errors:**
+- Verify app is installed on helm-charts repository
+- Check that secrets are correctly named
+- Ensure private key includes BEGIN/END lines
+- Verify App ID is correct
+
+## 🔄 App Management
+
+### View App Activity
+
+Monitor app usage:
+```
+https://github.com/organizations/fluent/settings/installations
+```
+
+Click on "Fluent Helm Charts Sync" to see:
+- Recent deliveries (API calls)
+- Events
+- Repository access
+
+### Modify Permissions
+
+If you need to change permissions:
+
+1. Go to: `https://github.com/organizations/fluent/settings/apps`
+2. Click on "Fluent Helm Charts Sync"
+3. Click "Edit" (top right)
+4. Modify "Repository permissions"
+5. Click "Save changes"
+
+**⚠️ Note:** Permission changes require reinstallation on repositories
+
+### Rotate Private Key
+
+To rotate the key for security:
+
+1. Go to app settings
+2. Scroll to "Private keys"
+3. Click "Generate a private key" (new key)
+4. Update `HELM_SYNC_APP_PRIVATE_KEY` secret in fluent-operator
+5. Test workflow
+6. Revoke old key (click "Revoke" next to old key)
+
+### Add to More Repositories
+
+To grant access to additional repositories:
+
+1. Go to: `https://github.com/organizations/fluent/settings/installations`
+2. Click "Configure" next to "Fluent Helm Charts Sync"
+3. Update "Repository access"
+4. Save
+
+## 🔒 Security Best Practices
+
+### ✅ Do's
+
+- ✅ Keep private key secure (never commit to git)
+- ✅ Use organization-level apps when possible
+- ✅ Grant minimum required permissions
+- ✅ Regular security audits of app activity
+- ✅ Document app purpose and owners
+- ✅ Rotate keys annually
+- ✅ Monitor app events for unusual activity
+
+### ❌ Don'ts
+
+- ❌ Never commit `.pem` file to repository
+- ❌ Don't share private key via unsecured channels
+- ❌ Don't grant more permissions than needed
+- ❌ Don't install on repositories that don't need it
+- ❌ Don't forget to revoke old keys after rotation
+
+## 🆚 GitHub App vs PAT
+
+| Feature | GitHub App | Personal Access Token |
+|---------|------------|----------------------|
+| **User-independent** | ✅ Yes | ❌ No |
+| **Fine-grained permissions** | ✅ Yes | ⚠️ Limited |
+| **Audit trail** | ✅ Excellent | ⚠️ Good |
+| **Rate limits** | ✅ Higher | ⚠️ Standard |
+| **Expiration** | ✅ Never | ❌ Max 1 year |
+| **Setup complexity** | ⚠️ Medium | ✅ Easy |
+| **Revocation** | ✅ Instant | ✅ Instant |
+| **Organization control** | ✅ Centralized | ❌ Per-user |
+
+## 📚 Additional Resources
+
+- [GitHub Apps Documentation](https://docs.github.com/en/apps)
+- [About GitHub App permissions](https://docs.github.com/en/apps/creating-github-apps/setting-up-a-github-app/choosing-permissions-for-a-github-app)
+- [GitHub Actions: create-github-app-token](https://github.com/actions/create-github-app-token)
+- [Authenticating with GitHub Apps](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/about-authentication-with-a-github-app)
+
+## 🐛 Troubleshooting
+
+### Error: "Resource not accessible by integration"
+
+**Cause:** App doesn't have required permissions or isn't installed on target repo
+
+**Solution:**
+1. Verify app is installed on `fluent/helm-charts`
+2. Check app has "Contents: Write" and "Pull requests: Write" permissions
+3. If permissions changed, reinstall app on repository
+
+### Error: "Bad credentials"
+
+**Cause:** App ID or private key is incorrect
+
+**Solution:**
+1. Verify `HELM_SYNC_APP_ID` matches App ID in GitHub
+2. Verify `HELM_SYNC_APP_PRIVATE_KEY` is complete (including BEGIN/END lines)
+3. Ensure no extra whitespace in secrets
+4. Try regenerating private key
+
+### Error: "Could not resolve to a Repository"
+
+**Cause:** App not installed on target repository
+
+**Solution:**
+1. Go to app installations
+2. Verify `fluent/helm-charts` is in the access list
+3. If not, add it via "Configure" → "Repository access"
+
+### Workflow runs but can't create PR
+
+**Cause:** Missing "Pull requests: Write" permission
+
+**Solution:**
+1. Edit app permissions
+2. Add "Pull requests: Read and write"
+3. Reinstall app on helm-charts repository
+
+## 👥 Team Handoff
+
+When sharing this setup with team:
+
+1. **Document the app:**
+   - App name: `Fluent Helm Charts Sync`
+   - Purpose: Automated Helm chart synchronization
+   - Repositories: fluent-operator → helm-charts
+   - Owner: [Your team/person]
+
+2. **Share access:**
+   - Organization admins can manage the app
+   - App settings: `https://github.com/organizations/fluent/settings/apps`
+
+3. **Backup information:**
+   - App ID (can regenerate if lost)
+   - Private key (generate new if lost)
+   - Installation URLs
+   - This documentation!
+
+## 📞 Support
+
+Questions? Check:
+1. This guide's troubleshooting section
+2. [HELM_SYNC_README.md](HELM_SYNC_README.md) for workflow details
+3. GitHub's [App troubleshooting guide](https://docs.github.com/en/apps/creating-github-apps/troubleshooting/troubleshooting-github-apps)
+4. Contact maintainers: @wenchajun @marcofranssen @joshuabaird
+
+---
+
+**Created**: November 2025
+**Last Updated**: November 2025
+**Next Review**: November 2026 (or when rotating keys)
+
diff --git a/.github/workflows/GITHUB_APP_VS_PAT.md b/.github/workflows/GITHUB_APP_VS_PAT.md
new file mode 100644
index 000000000..97d9b28e4
--- /dev/null
+++ b/.github/workflows/GITHUB_APP_VS_PAT.md
@@ -0,0 +1,268 @@
+# GitHub App vs Personal Access Token
+
+Quick comparison to understand why we chose GitHub App authentication for the Helm charts sync workflow.
+
+## 📊 Feature Comparison
+
+| Feature | GitHub App ✅ | Personal Access Token |
+|---------|---------------|----------------------|
+| **User Independence** | ✅ Not tied to any user | ❌ Tied to user account |
+| **Expiration** | ✅ Never expires | ❌ Max 1 year (classic) / 2 years (fine-grained) |
+| **Permissions** | ✅ Fine-grained per-repo | ⚠️ Broad across all repos |
+| **Rate Limits** | ✅ 5,000 req/hr (org) | ⚠️ 5,000 req/hr (personal) |
+| **Audit Trail** | ✅ Excellent (shows as "bot") | ⚠️ Shows as user |
+| **Revocation Impact** | ✅ Only affects app | ⚠️ User loses access everywhere |
+| **Organization Control** | ✅ Centralized management | ❌ User-controlled |
+| **Setup Complexity** | ⚠️ Moderate (one-time) | ✅ Simple |
+| **Maintenance** | ✅ Low (no expiration) | ⚠️ Annual renewal required |
+| **Team Handoff** | ✅ Easy (org-level) | ⚠️ Requires PAT transfer |
+| **Security** | ✅ Scoped to specific repos | ⚠️ Access to all user repos |
+
+## 🎯 Why GitHub App Wins for This Use Case
+
+### 1. **User Independence** 🏢
+
+**Problem with PAT:**
+```
+Alice creates PAT → Workflow uses Alice's PAT → Alice leaves company
+                                                           ↓
+                                              Workflow breaks! 💥
+```
+
+**Solution with GitHub App:**
+```
+Org creates App → Workflow uses App → Alice leaves company
+                                                  ↓
+                                      Workflow still works! ✅
+```
+
+### 2. **No Expiration Headaches** 📅
+
+**PAT Timeline:**
+```
+Month 1:  Create PAT (1 year expiration)
+Month 6:  Set calendar reminder
+Month 11: Warning emails from GitHub
+Month 12: PAT expires → Workflow breaks
+          Create new PAT, update secret, test again
+```
+
+**GitHub App Timeline:**
+```
+Day 1:    Create App
+          ↓
+          Works forever (optional annual key rotation for security)
+```
+
+### 3. **Better Security** 🔒
+
+**PAT Access:**
+```yaml
+PAT with "repo" scope gives access to:
+- All user's repositories ⚠️
+- All private repos user can access ⚠️
+- Full control over all repos ⚠️
+
+If PAT leaks:
+  → Attacker has access to EVERYTHING
+```
+
+**GitHub App Access:**
+```yaml
+App with specific permissions:
+- Only fluent/helm-charts ✅
+- Only Contents + Pull requests ✅
+- No access to other repos ✅
+
+If private key leaks:
+  → Attacker only affects helm-charts
+  → Can't access other repos
+  → Easy to revoke and rotate
+```
+
+### 4. **Perfect Attribution** 🤖
+
+**With PAT:**
+```
+Git commit author: Alice <alice@example.com>
+PR author: Alice
+GitHub audit: Action by Alice
+
+Problem: Looks like Alice did it manually!
+```
+
+**With GitHub App:**
+```
+Git commit author: fluent-helm-charts-sync[bot]
+PR author: fluent-helm-charts-sync[bot]
+GitHub audit: Action by app
+
+Benefit: Clear it's automated! Everyone knows it's the bot.
+```
+
+### 5. **Organization Ownership** 🏛️
+
+**PAT Scenario:**
+```
+- Alice owns the PAT
+- Alice leaves company
+- New person needs Alice to share PAT (impossible)
+- OR: Create new PAT with different permissions
+- Update all workflows
+- Test everything again
+```
+
+**GitHub App Scenario:**
+```
+- Organization owns the app
+- App visible in org settings
+- Any org admin can manage it
+- Seamless team transitions
+- Centralized access control
+```
+
+## 🔄 Migration Path
+
+If you already have a PAT-based setup:
+
+### Before (PAT):
+```yaml
+steps:
+  - uses: actions/checkout@v5
+    with:
+      repository: fluent/helm-charts
+      token: ${{ secrets.HELM_CHARTS_SYNC_TOKEN }}  # PAT
+```
+
+### After (GitHub App):
+```yaml
+steps:
+  - name: Generate token from GitHub App
+    id: generate-token
+    uses: actions/create-github-app-token@v1
+    with:
+      app-id: ${{ secrets.HELM_SYNC_APP_ID }}
+      private-key: ${{ secrets.HELM_SYNC_APP_PRIVATE_KEY }}
+      repositories: helm-charts
+
+  - uses: actions/checkout@v5
+    with:
+      repository: fluent/helm-charts
+      token: ${{ steps.generate-token.outputs.token }}  # App token
+```
+
+**Migration steps:**
+1. Create GitHub App (5 minutes)
+2. Install on helm-charts (1 minute)
+3. Add app secrets (2 minutes)
+4. Update workflow (done!)
+5. Test workflow (2 minutes)
+6. Remove old PAT secret
+7. Revoke PAT on GitHub
+
+**Total time:** ~15 minutes
+
+## 📈 Real-World Scenarios
+
+### Scenario 1: Team Member Leaves
+
+| Approach | Impact | Recovery Time |
+|----------|--------|---------------|
+| PAT | ❌ Workflow breaks | 30-60 min |
+| GitHub App | ✅ No impact | 0 min |
+
+### Scenario 2: Security Audit
+
+| Question | PAT Answer | GitHub App Answer |
+|----------|-----------|-------------------|
+| Who has access? | "The person who created the PAT" | "The organization via centralized app" |
+| What can it access? | "All repos the user can access" | "Only helm-charts repository" |
+| When does it expire? | "In 8 months" | "Never (with annual key rotation)" |
+| Can we revoke it? | "Yes, but affects user's other tools" | "Yes, only affects this workflow" |
+
+### Scenario 3: Compliance Requirements
+
+**Requirement:** Automated systems must not use personal credentials
+
+| Approach | Compliant? | Reason |
+|----------|------------|--------|
+| PAT | ❌ No | Tied to personal account |
+| GitHub App | ✅ Yes | Organization-level service account |
+
+## 💰 Cost-Benefit Analysis
+
+### Setup Cost
+
+| Phase | PAT | GitHub App |
+|-------|-----|------------|
+| Initial setup | 5 min | 15 min |
+| Learning curve | Low | Medium |
+| Documentation | Minimal | Comprehensive (but we did it for you!) |
+
+### Ongoing Cost
+
+| Activity | PAT | GitHub App |
+|----------|-----|------------|
+| Renewal | 30 min/year | 0 min |
+| Team handoff | 15 min each time | 0 min |
+| Security audit | Medium effort | Low effort |
+| Troubleshooting | Medium | Low |
+
+### Total Cost Over 3 Years
+
+```
+PAT:
+  Setup:        5 min
+  Renewals:     90 min (3 years × 30 min)
+  Handoffs:     30 min (2 team members × 15 min)
+  Incidents:    60 min (expiration issues)
+  ─────────────────────
+  Total:        185 minutes (~3 hours)
+
+GitHub App:
+  Setup:        15 min
+  Maintenance:  30 min (optional key rotation)
+  ─────────────────────
+  Total:        45 minutes
+
+Savings:      140 minutes (2.3 hours)
+```
+
+## 🎓 Learning Resources
+
+### GitHub App Docs
+- [Creating a GitHub App](https://docs.github.com/en/apps/creating-github-apps)
+- [Authenticating with GitHub Apps](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app)
+- [Best practices for creating a GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/best-practices-for-creating-a-github-app)
+
+### Our Docs
+- [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md) - Complete setup guide
+- [SETUP_CHECKLIST.md](SETUP_CHECKLIST.md) - Quick start checklist
+- [HELM_SYNC_README.md](HELM_SYNC_README.md) - Full workflow documentation
+
+## ✅ Decision Summary
+
+For the **Fluent Operator** project, we chose **GitHub App** because:
+
+1. ✅ We're an organization with multiple maintainers
+2. ✅ We need long-term reliability (no expiration)
+3. ✅ We want clear attribution (bot commits/PRs)
+4. ✅ We need organization-level control
+5. ✅ We want minimal maintenance overhead
+6. ✅ We care about security (least privilege)
+
+The 10 extra minutes of initial setup saves hours of future maintenance and provides better security and team collaboration.
+
+## 🚀 Next Steps
+
+Ready to set up your GitHub App?
+
+1. **Read:** [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md)
+2. **Follow:** [SETUP_CHECKLIST.md](SETUP_CHECKLIST.md)
+3. **Test:** Run the workflow
+4. **Celebrate:** You now have secure, maintainable automation! 🎉
+
+---
+
+**Questions?** Check the [troubleshooting guide](GITHUB_APP_SETUP.md#troubleshooting) or ask the maintainers.
+
diff --git a/.github/workflows/HELM_SYNC_README.md b/.github/workflows/HELM_SYNC_README.md
new file mode 100644
index 000000000..f5497959f
--- /dev/null
+++ b/.github/workflows/HELM_SYNC_README.md
@@ -0,0 +1,352 @@
+# Helm Charts Sync Workflow
+
+This document explains how to set up and use the automated Helm charts sync workflow that synchronizes charts from this development repository to the [fluent/helm-charts](https://github.com/fluent/helm-charts) release repository.
+
+## Overview
+
+The workflow automatically:
+1. ✅ Syncs Helm charts from `charts/` to fluent/helm-charts
+2. ✅ Creates a new branch in the helm-charts repository
+3. ✅ Opens a pull request with detailed changelog
+4. ✅ Validates charts with `helm lint`
+5. ✅ Updates chart dependencies to use proper repository URLs
+
+## Setup Instructions
+
+### 1. Create and Configure GitHub App
+
+The workflow uses a GitHub App for authentication, which is more secure than Personal Access Tokens.
+
+**Quick Steps:**
+1. Create GitHub App in the `fluent` organization
+2. Grant permissions: **Contents** (Write) and **Pull requests** (Write)
+3. Generate and download private key
+4. Install app on `fluent/helm-charts` repository
+5. Add app credentials as secrets
+
+**📖 Detailed Guide:** See [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md) for complete step-by-step instructions.
+
+### 2. Add Secrets to This Repository
+
+1. Go to this repository's Settings → Secrets and variables → Actions
+2. Add two secrets:
+
+   **Secret 1:**
+   - Name: `HELM_SYNC_APP_ID`
+   - Value: Your GitHub App ID (e.g., `123456`)
+
+   **Secret 2:**
+   - Name: `HELM_SYNC_APP_PRIVATE_KEY`
+   - Value: Complete contents of the `.pem` file (including BEGIN/END lines)
+
+### 3. Verify Setup
+
+Ensure the app is configured correctly:
+- ✅ App created in `fluent` organization
+- ✅ App has **Contents: Write** and **Pull requests: Write** permissions
+- ✅ App installed on `fluent/helm-charts` repository
+- ✅ Both secrets added to `fluent/fluent-operator`
+- ✅ Private key file includes `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----`
+
+## Usage
+
+### Automatic Triggers
+
+The workflow runs automatically on:
+
+1. **New Release**: When you publish a release via GitHub Releases
+   ```bash
+   gh release create v3.5.0 --title "Release v3.5.0" --notes "Release notes..."
+   ```
+
+2. **Version Tags**: When you push tags matching version patterns
+   ```bash
+   git tag v3.5.0
+   git push origin v3.5.0
+   ```
+   
+   Or chart-specific tags:
+   ```bash
+   git tag chart-fluent-operator-3.5.0
+   git push origin chart-fluent-operator-3.5.0
+   ```
+
+### Manual Trigger
+
+You can also run the workflow manually with custom options:
+
+#### Via GitHub UI
+
+1. Go to Actions → "Sync Helm Charts to Release Repository"
+2. Click "Run workflow"
+3. Configure options:
+   - **Target branch**: Branch in helm-charts repo (default: `main`)
+   - **PR title**: Custom title for the PR (optional)
+   - **Charts to sync**: `all`, or comma-separated list (e.g., `fluent-operator,fluentd-crds`)
+4. Click "Run workflow"
+
+#### Via GitHub CLI
+
+```bash
+# Sync all charts (default)
+gh workflow run sync-helm-charts.yaml
+
+# Sync specific charts
+gh workflow run sync-helm-charts.yaml \
+  -f charts_to_sync="fluent-operator,fluentd-crds"
+
+# Use custom PR title and target branch
+gh workflow run sync-helm-charts.yaml \
+  -f target_branch="main" \
+  -f pr_title="Update charts for v3.5.0 release"
+```
+
+## Workflow Details
+
+### Charts Synced
+
+The workflow syncs these charts:
+
+| Chart | Source Path | Destination |
+|-------|-------------|-------------|
+| fluent-operator | `charts/fluent-operator/` | `fluent/helm-charts/charts/fluent-operator/` |
+| fluent-bit-crds | `charts/fluent-operator/charts/fluent-bit-crds/` | `fluent/helm-charts/charts/fluent-bit-crds/` |
+| fluentd-crds | `charts/fluentd-crds/` | `fluent/helm-charts/charts/fluentd-crds/` |
+
+### What Gets Synced
+
+✅ **Included:**
+- Chart.yaml
+- values.yaml
+- templates/
+- crds/
+- README.md
+- All chart files and directories
+
+❌ **Excluded:**
+- .git directories
+- Local chart dependencies (replaced with proper repo URLs)
+
+### Chart Modifications
+
+The workflow automatically:
+1. Updates `fluent-operator/Chart.yaml` dependency references
+   - Changes `file://charts/fluent-bit-crds` → `https://fluent.github.io/helm-charts`
+2. Validates all charts with `helm lint`
+3. Extracts version numbers for PR metadata
+
+### Pull Request Content
+
+The created PR includes:
+- 📦 Chart versions being synced
+- 🔗 Link to source commit
+- 📝 Workflow run details
+- ✅ Review checklist
+- 🏷️ Labels: `automated`, `helm-sync`
+
+## Troubleshooting
+
+### Issue: "Resource not accessible by integration"
+
+**Cause**: The GitHub App doesn't have required permissions or isn't installed
+
+**Solution**:
+1. Verify app is installed on `fluent/helm-charts`:
+   - Go to: https://github.com/organizations/fluent/settings/installations
+   - Check "Fluent Helm Charts Sync" shows `helm-charts` in access list
+2. Verify app has required permissions:
+   - Go to app settings
+   - Ensure "Contents: Read and write" is enabled
+   - Ensure "Pull requests: Read and write" is enabled
+3. If permissions were changed, reinstall the app on helm-charts repository
+
+### Issue: "No changes detected"
+
+**Cause**: Charts in helm-charts repo are already up to date
+
+**Solution**:
+- This is normal! The workflow is idempotent
+- Bump chart versions in Chart.yaml if you need to force an update
+- Check that you've made actual changes to chart files
+
+### Issue: Helm lint failures
+
+**Cause**: Chart validation errors
+
+**Solution**:
+- CRD-only charts may show lint warnings (expected)
+- Fix actual errors before syncing:
+  ```bash
+  helm lint charts/fluent-operator/
+  helm lint charts/fluentd-crds/
+  ```
+
+### Issue: PR creation fails
+
+**Cause**: Branch or PR might already exist
+
+**Solution**:
+1. Check if a similar PR is already open in helm-charts
+2. Close/merge existing PR before re-running
+3. Delete the branch in helm-charts if it exists:
+   ```bash
+   cd /tmp && git clone https://github.com/fluent/helm-charts.git
+   cd helm-charts
+   git push origin --delete sync/fluent-operator-X.X.X-YYYYMMDD
+   ```
+
+## Monitoring
+
+### Check Workflow Status
+
+```bash
+# List recent workflow runs
+gh run list --workflow=sync-helm-charts.yaml
+
+# View specific run
+gh run view <run-id>
+
+# Watch live run
+gh run watch
+```
+
+### Notifications
+
+Configure GitHub notifications:
+1. Watch the helm-charts repository
+2. Settings → Notifications → Actions
+3. Enable "Pull requests" notifications
+
+## Best Practices
+
+### 1. Version Bumping
+
+Always bump chart versions before syncing:
+```yaml
+# charts/fluent-operator/Chart.yaml
+version: 3.5.1  # Increment according to semver
+```
+
+Follow [Semantic Versioning](https://semver.org/):
+- **MAJOR**: Incompatible API changes
+- **MINOR**: Backwards-compatible functionality
+- **PATCH**: Backwards-compatible bug fixes
+
+### 2. Testing Before Release
+
+Test charts locally before syncing:
+```bash
+# Install chart locally
+helm install test-release ./charts/fluent-operator \
+  --dry-run --debug
+
+# Run helm tests
+make helm-e2e
+```
+
+### 3. Review PR in helm-charts
+
+Even though automated:
+- ✅ Review the PR created in helm-charts
+- ✅ Ensure CI passes
+- ✅ Check for unintended changes
+- ✅ Get approval from maintainers
+
+### 4. Sync Timing
+
+Best times to sync:
+- ✅ After successful CI runs in this repo
+- ✅ After release notes are prepared
+- ✅ During normal working hours (easier to respond to issues)
+- ❌ Not right before weekends/holidays
+
+## Release Process
+
+Recommended end-to-end process:
+
+```bash
+# 1. Update versions in Chart.yaml files
+vim charts/fluent-operator/Chart.yaml
+vim charts/fluentd-crds/Chart.yaml
+
+# 2. Test locally
+make helm-e2e
+
+# 3. Commit and push
+git add charts/
+git commit -m "chore: bump chart versions to 3.5.1"
+git push origin master
+
+# 4. Create release (triggers workflow automatically)
+gh release create v3.5.1 \
+  --title "Release v3.5.1" \
+  --notes-file RELEASE_NOTES.md
+
+# 5. Monitor workflow
+gh run watch
+
+# 6. Review and merge PR in helm-charts
+# Once merged, CI there will publish to Helm repo
+```
+
+## Manual Sync (Fallback)
+
+If the workflow fails, you can sync manually:
+
+```bash
+# Clone both repos
+git clone https://github.com/fluent/fluent-operator.git
+git clone https://github.com/fluent/helm-charts.git
+
+# Copy charts
+cd fluent-operator
+rsync -av --exclude='charts/' charts/fluent-operator/ ../helm-charts/charts/fluent-operator/
+rsync -av charts/fluent-operator/charts/fluent-bit-crds/ ../helm-charts/charts/fluent-bit-crds/
+rsync -av charts/fluentd-crds/ ../helm-charts/charts/fluentd-crds/
+
+# Update Chart.yaml
+cd ../helm-charts
+sed -i 's|file://charts/fluent-bit-crds|https://fluent.github.io/helm-charts|g' \
+  charts/fluent-operator/Chart.yaml
+
+# Create PR
+git checkout -b sync/manual-$(date +%Y%m%d)
+git add .
+git commit -m "Sync charts from fluent-operator"
+git push origin sync/manual-$(date +%Y%m%d)
+gh pr create --title "Manual chart sync" --body "Manual sync of charts"
+```
+
+## Security Considerations
+
+### GitHub App Security
+- 🔒 Never commit private key to git
+- 🔒 Store credentials as repository secrets only
+- 🔒 Rotate private key annually (see [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md#rotate-private-key))
+- 🔒 Use minimum required permissions (Contents + Pull requests only)
+- 🔒 Install app only on required repositories
+- 🔒 Monitor app activity via GitHub's installation logs
+
+### Audit Trail
+- All syncs are tracked in workflow runs
+- PR descriptions include source commit SHA
+- Git history preserved in helm-charts
+- GitHub App provides attribution: commits/PRs show as "app-name[bot]"
+- App activity visible in organization installations page
+
+## Support
+
+If you encounter issues:
+
+1. Check this documentation
+2. Review workflow logs in Actions tab
+3. Check existing Issues in this repository
+4. Contact maintainers: @wenchajun, @marcofranssen, @joshuabaird
+
+## References
+
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)
+- [Helm Documentation](https://helm.sh/docs/)
+- [fluent/helm-charts Repository](https://github.com/fluent/helm-charts)
+- [Semantic Versioning](https://semver.org/)
+
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
new file mode 100644
index 000000000..0e5cfadc5
--- /dev/null
+++ b/.github/workflows/README.md
@@ -0,0 +1,198 @@
+# GitHub Actions Workflows
+
+This directory contains automated workflows for the Fluent Operator project.
+
+## 📋 Available Workflows
+
+### Active Workflows
+
+| Workflow | Description | Trigger |
+|----------|-------------|---------|
+| [sync-helm-charts.yaml](sync-helm-charts.yaml) | Syncs Helm charts to fluent/helm-charts for release | Release, Tags, Manual |
+| [helm-ci.yaml](helm-ci.yaml) | Helm chart testing and validation | PR to master/release-* |
+| [build-op-image.yaml](build-op-image.yaml) | Builds operator Docker images | Push to master |
+| [build-fluentbit-image.yaml](build-fluentbit-image.yaml) | Builds Fluent Bit Docker images | Push to master |
+| [build-fluentd-image.yaml](build-fluentd-image.yaml) | Builds Fluentd Docker images | Push to master |
+| [test-e2e.yml](test-e2e.yml) | End-to-end integration tests | PR |
+| [lint.yml](lint.yml) | Code linting and formatting | PR |
+
+## 🔄 Helm Charts Sync Workflow
+
+The **sync-helm-charts** workflow automates the process of syncing development Helm charts to the release repository at https://github.com/fluent/helm-charts.
+
+### Quick Start
+
+1. **Setup** (one-time):
+   ```bash
+   # Follow the setup checklist
+   cat SETUP_CHECKLIST.md
+   ```
+
+2. **Test locally**:
+   ```bash
+   # Run the test script to validate sync process
+   ./test-sync.sh
+   ```
+
+3. **Trigger sync**:
+   ```bash
+   # Automatic on release
+   gh release create v3.5.0
+
+   # Or manual trigger
+   gh workflow run sync-helm-charts.yaml
+   ```
+
+### Documentation
+
+- **[SETUP_CHECKLIST.md](SETUP_CHECKLIST.md)** - Step-by-step setup guide ⭐ Start here!
+- **[HELM_SYNC_README.md](HELM_SYNC_README.md)** - Complete documentation with troubleshooting
+- **[test-sync.sh](test-sync.sh)** - Local testing script
+
+### Key Features
+
+✅ **Automatic Sync**: Triggered on releases and version tags  
+✅ **Manual Control**: Run manually with custom options  
+✅ **Validation**: Helm lint checks on all charts  
+✅ **PR Automation**: Creates formatted PRs with changelogs  
+✅ **Safe**: No changes without review - always creates PR first  
+✅ **Idempotent**: Safe to run multiple times  
+
+### What Gets Synced
+
+| Chart | Source | Destination |
+|-------|--------|-------------|
+| fluent-operator | `charts/fluent-operator/` | `fluent/helm-charts` |
+| fluent-bit-crds | `charts/fluent-operator/charts/fluent-bit-crds/` | `fluent/helm-charts` |
+| fluentd-crds | `charts/fluentd-crds/` | `fluent/helm-charts` |
+
+## 🔐 Secrets Required
+
+### GitHub App Credentials (Recommended)
+
+Required for: `sync-helm-charts.yaml`
+
+**HELM_SYNC_APP_ID**: GitHub App ID number  
+**HELM_SYNC_APP_PRIVATE_KEY**: GitHub App private key (`.pem` file contents)
+
+**What it is**: GitHub App authentication for cross-repository operations
+
+**Permissions needed**:
+- Contents: Read and write
+- Pull requests: Read and write
+
+**Setup**: See [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md) for detailed instructions
+
+**Why GitHub App?**
+- ✅ More secure than Personal Access Tokens
+- ✅ Not tied to individual user accounts
+- ✅ Better audit trail and attribution
+- ✅ No expiration concerns
+- ✅ Organization-level management
+
+## 📚 Additional Resources
+
+### Testing
+
+```bash
+# Test helm chart sync locally
+./test-sync.sh
+
+# Run helm lint
+helm lint charts/fluent-operator/
+helm lint charts/fluentd-crds/
+
+# Test workflow syntax (requires actionlint)
+actionlint sync-helm-charts.yaml
+```
+
+### Monitoring
+
+```bash
+# List workflow runs
+gh run list --workflow=sync-helm-charts.yaml
+
+# Watch a running workflow
+gh run watch
+
+# View workflow logs
+gh run view <run-id> --log
+```
+
+### Common Commands
+
+```bash
+# Manually trigger helm sync
+gh workflow run sync-helm-charts.yaml
+
+# Sync specific charts only
+gh workflow run sync-helm-charts.yaml \
+  -f charts_to_sync="fluent-operator,fluentd-crds"
+
+# Use custom PR title
+gh workflow run sync-helm-charts.yaml \
+  -f pr_title="Release v3.5.0 charts"
+
+# Target different branch
+gh workflow run sync-helm-charts.yaml \
+  -f target_branch="main"
+```
+
+## 🐛 Troubleshooting
+
+### Workflow Fails
+
+1. Check workflow logs in Actions tab
+2. Verify secrets exist:
+   - `HELM_SYNC_APP_ID` (should be a number)
+   - `HELM_SYNC_APP_PRIVATE_KEY` (should be large text with BEGIN/END lines)
+3. Verify GitHub App is installed on `fluent/helm-charts`
+4. Check app has required permissions (Contents + Pull requests)
+5. See [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md#troubleshooting) for detailed troubleshooting
+
+### PR Not Created
+
+1. Verify branch doesn't already exist in helm-charts
+2. Check that there are actual changes to commit
+3. Ensure token has PR creation permissions
+4. Review workflow logs for error messages
+
+### Helm Lint Fails
+
+```bash
+# Test locally first
+helm lint charts/fluent-operator/
+helm lint charts/fluentd-crds/
+
+# CRD-only charts may show warnings (expected)
+```
+
+## 🤝 Contributing
+
+When adding or modifying workflows:
+
+1. Test locally when possible
+2. Use pinned action versions (with SHA)
+3. Add documentation to this README
+4. Update CONTRIBUTING.md if process changes
+5. Test on a fork first for major changes
+
+## 📞 Support
+
+- **Documentation**: Start with [HELM_SYNC_README.md](HELM_SYNC_README.md)
+- **Issues**: Check existing issues or create new one
+- **Maintainers**: @wenchajun @marcofranssen @joshuabaird
+- **Community**: Fluent Slack / GitHub Discussions
+
+## 🔗 Related Links
+
+- [Fluent Operator Docs](https://github.com/fluent/fluent-operator/blob/master/README.md)
+- [Helm Charts Repository](https://github.com/fluent/helm-charts)
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)
+- [Helm Documentation](https://helm.sh/docs/)
+
+---
+
+**Last Updated**: November 2025  
+**Maintained By**: Fluent Operator Team
+
diff --git a/.github/workflows/SETUP_CHECKLIST.md b/.github/workflows/SETUP_CHECKLIST.md
new file mode 100644
index 000000000..ad8e20535
--- /dev/null
+++ b/.github/workflows/SETUP_CHECKLIST.md
@@ -0,0 +1,189 @@
+# Helm Charts Sync - Setup Checklist
+
+Follow these steps to set up the automated Helm chart sync workflow.
+
+## ✅ Setup Steps
+
+### Step 1: Create GitHub App
+
+⭐ **See [GITHUB_APP_SETUP.md](GITHUB_APP_SETUP.md) for detailed instructions**
+
+- [ ] Create GitHub App in fluent organization
+- [ ] Name: `Fluent Helm Charts Sync`
+- [ ] Set permissions:
+  - [ ] Contents: Read and write
+  - [ ] Pull requests: Read and write
+- [ ] Disable webhook (not needed)
+- [ ] Generate private key (downloads `.pem` file)
+- [ ] **Save App ID** (shown at top of page)
+- [ ] **Save private key file** securely
+
+### Step 2: Install GitHub App
+- [ ] Go to "Install App" tab in app settings
+- [ ] Install on fluent organization
+- [ ] Grant access to: `fluent/helm-charts` (only)
+- [ ] Complete installation
+
+### Step 3: Add Secrets to Repository
+- [ ] Go to https://github.com/fluent/fluent-operator/settings/secrets/actions
+- [ ] Add first secret:
+  - [ ] Name: `HELM_SYNC_APP_ID`
+  - [ ] Value: The App ID from Step 1
+- [ ] Add second secret:
+  - [ ] Name: `HELM_SYNC_APP_PRIVATE_KEY`
+  - [ ] Value: Complete contents of `.pem` file (including BEGIN/END lines)
+
+### Step 3: Test Locally (Optional but Recommended)
+```bash
+# Run the test script
+cd /Users/jbaird/code/fluent-operator
+./.github/workflows/test-sync.sh
+```
+
+- [ ] Test script runs successfully
+- [ ] No missing files reported
+- [ ] Helm lint passes (or expected warnings only)
+
+### Step 4: Test the Workflow
+```bash
+# Test with manual trigger
+gh workflow run sync-helm-charts.yaml \
+  -f pr_title="[TEST] Chart sync test" \
+  -f charts_to_sync="fluentd-crds"
+
+# Watch the run
+gh run watch
+```
+
+- [ ] Workflow starts successfully
+- [ ] GitHub App authentication succeeds (check logs)
+- [ ] Check workflow run: https://github.com/fluent/fluent-operator/actions
+- [ ] PR created in fluent/helm-charts
+- [ ] PR shows app as author (e.g., "fluent-helm-charts-sync[bot]")
+- [ ] PR content looks correct
+- [ ] Close the test PR after verification
+
+### Step 5: Set Up Notifications (Optional)
+- [ ] Watch the fluent/helm-charts repository
+- [ ] Configure notification preferences
+- [ ] Consider setting up Slack/Discord webhook for PR notifications
+
+### Step 6: Document for Team
+- [ ] Share setup instructions with maintainers
+- [ ] Add workflow to release checklist
+- [ ] Update CONTRIBUTING.md if needed
+
+## 🔐 Security Verification
+
+- [ ] App credentials stored as repository secrets (not committed to code)
+- [ ] App has minimum required permissions (Contents + Pull requests only)
+- [ ] App installed only on `fluent/helm-charts` (not all repos)
+- [ ] Private key file deleted from local machine after adding to secrets
+- [ ] Only trusted maintainers have access to secrets
+- [ ] App ownership documented for team
+
+## 📋 Testing Checklist
+
+After setup, verify:
+- [ ] Can sync all charts manually
+- [ ] Can sync individual charts
+- [ ] PR is created with correct format
+- [ ] PR labels are applied
+- [ ] Workflow summary is generated
+- [ ] No sensitive data exposed in logs
+
+## 🚀 First Real Sync
+
+Ready to do your first production sync:
+
+```bash
+# 1. Bump chart versions if needed
+vim charts/fluent-operator/Chart.yaml
+# Update version: 3.5.1
+
+# 2. Commit changes
+git add charts/
+git commit -m "chore: bump fluent-operator chart to 3.5.1"
+git push origin master
+
+# 3. Create a release (triggers workflow automatically)
+gh release create v3.5.1 \
+  --title "Release v3.5.1" \
+  --notes "See CHANGELOG.md for details"
+
+# 4. Monitor workflow
+gh run watch
+
+# 5. Review PR in helm-charts
+# Check: https://github.com/fluent/helm-charts/pulls
+
+# 6. Merge PR once CI passes
+# Charts will be automatically released!
+```
+
+## 📚 Documentation
+
+After setup is complete, reference these documents:
+
+- [HELM_SYNC_README.md](./HELM_SYNC_README.md) - Complete documentation
+- [sync-helm-charts.yaml](./sync-helm-charts.yaml) - The workflow file
+- [test-sync.sh](./test-sync.sh) - Local testing script
+
+## ⚠️ Troubleshooting
+
+If something doesn't work:
+
+1. **Check GitHub App installation**
+   - Go to: https://github.com/organizations/fluent/settings/installations
+   - Verify "Fluent Helm Charts Sync" is installed
+   - Check it has access to `fluent/helm-charts`
+
+2. **Verify app permissions**
+   - Go to app settings
+   - Ensure "Contents: Read and write" is set
+   - Ensure "Pull requests: Read and write" is set
+
+3. **Check workflow logs**
+   - Go to Actions tab
+   - Click on failed workflow
+   - Look for "Generate token" step errors
+   - Review step logs for authentication errors
+
+4. **Verify secrets are set**
+   - Settings → Secrets → Actions
+   - Ensure `HELM_SYNC_APP_ID` exists (should be a number like 123456)
+   - Ensure `HELM_SYNC_APP_PRIVATE_KEY` exists (should be large text)
+
+5. **Common errors**
+   - "Resource not accessible" → App not installed on helm-charts
+   - "Bad credentials" → Check App ID or private key is correct
+   - "Could not resolve to a Repository" → App not granted access to helm-charts
+
+## 🎉 Success Indicators
+
+You'll know everything is working when:
+- ✅ Workflow runs without errors
+- ✅ PR is created in fluent/helm-charts automatically
+- ✅ PR has correct content and labels
+- ✅ Charts pass validation
+- ✅ Merging PR triggers helm-charts CI
+- ✅ Charts are published to https://fluent.github.io/helm-charts
+
+## 📞 Support
+
+Need help?
+- Check workflow logs first
+- Review HELM_SYNC_README.md
+- Ask in #fluent-operator channel
+- Tag maintainers: @wenchajun @marcofranssen @joshuabaird
+
+---
+
+**Setup Date**: _________________
+
+**Setup By**: _________________
+
+**GitHub App**: _________________
+
+**Next Key Rotation**: _________________ (recommended annually)
+
diff --git a/.github/workflows/WORKFLOW_FLOW.md b/.github/workflows/WORKFLOW_FLOW.md
new file mode 100644
index 000000000..dfcc0c87f
--- /dev/null
+++ b/.github/workflows/WORKFLOW_FLOW.md
@@ -0,0 +1,387 @@
+# Helm Charts Sync - Workflow Flow
+
+Visual guide to understand how the sync workflow operates.
+
+## 📊 High-Level Flow
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    TRIGGER (One of three ways)                  │
+├─────────────────────────────────────────────────────────────────┤
+│  1. Release Published     2. Version Tag Pushed    3. Manual    │
+│     gh release create        git push v3.5.0         GitHub UI  │
+└────────────────┬────────────────────────────────────────────────┘
+                 │
+                 ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                   GITHUB ACTIONS WORKFLOW                       │
+│              (sync-helm-charts.yaml executes)                   │
+└────────────────┬────────────────────────────────────────────────┘
+                 │
+                 ▼
+        ┌────────────────┐
+        │ Checkout Repos │
+        │  • source      │
+        │  • helm-charts │
+        └────────┬───────┘
+                 │
+                 ▼
+     ┌───────────────────────┐
+     │ Extract Chart Info    │
+     │  • Versions           │
+     │  • Metadata           │
+     │  • Create branch name │
+     └──────────┬────────────┘
+                │
+                ▼
+     ┌───────────────────────┐
+     │ Sync Charts           │
+     │  ✓ fluent-operator    │
+     │  ✓ fluent-bit-crds    │
+     │  ✓ fluentd-crds       │
+     └──────────┬────────────┘
+                │
+                ▼
+     ┌───────────────────────┐
+     │ Update References     │
+     │  • Fix dependencies   │
+     │  • Update repo URLs   │
+     └──────────┬────────────┘
+                │
+                ▼
+     ┌───────────────────────┐
+     │ Validate Charts       │
+     │  • Helm lint          │
+     │  • File checks        │
+     └──────────┬────────────┘
+                │
+                ▼
+     ┌───────────────────────┐
+     │ Commit & Push         │
+     │  • Create commit      │
+     │  • Push to branch     │
+     └──────────┬────────────┘
+                │
+                ▼
+     ┌───────────────────────┐
+     │ Create Pull Request   │
+     │  • Generate PR body   │
+     │  • Add labels         │
+     │  • Target main branch │
+     └──────────┬────────────┘
+                │
+                ▼
+┌─────────────────────────────────────────────────────────────────┐
+│                   PR CREATED IN HELM-CHARTS                     │
+│              https://github.com/fluent/helm-charts              │
+└────────────────┬────────────────────────────────────────────────┘
+                 │
+                 ▼
+        ┌────────────────┐
+        │ Manual Review  │
+        │  by maintainer │
+        └────────┬───────┘
+                 │
+                 ▼
+        ┌────────────────┐
+        │   Merge PR     │
+        └────────┬───────┘
+                 │
+                 ▼
+┌─────────────────────────────────────────────────────────────────┐
+│              HELM-CHARTS CI PUBLISHES CHARTS                    │
+│          Charts available at fluent.github.io/helm-charts       │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+## 🔄 Detailed Step-by-Step
+
+### Phase 1: Trigger
+
+**Automatic Triggers:**
+```bash
+# Release trigger
+gh release create v3.5.0 --title "v3.5.0" --notes "..."
+# → Workflow starts automatically
+
+# Tag trigger
+git tag v3.5.0 && git push origin v3.5.0
+# → Workflow starts automatically
+```
+
+**Manual Trigger:**
+```bash
+gh workflow run sync-helm-charts.yaml
+# → Workflow starts on demand
+```
+
+### Phase 2: Repository Checkout
+
+```
+fluent-operator/            helm-charts/
+    ├── charts/                ├── charts/
+    │   ├── fluent-operator/   │   ├── fluent-operator/
+    │   └── fluentd-crds/      │   ├── fluent-bit-crds/
+    └── .git/                  │   └── fluentd-crds/
+                               └── .git/
+
+         Both cloned into workflow runner
+```
+
+### Phase 3: Chart Analysis
+
+```yaml
+# Workflow extracts:
+fluent-operator: v4.0.0-rc1   # from charts/fluent-operator/Chart.yaml
+fluent-bit-crds: v3.5.0       # from charts/fluent-operator/charts/...
+fluentd-crds: v0.1.0          # from charts/fluentd-crds/Chart.yaml
+
+# Creates branch name:
+sync/fluent-operator-4.0.0-rc1-20251120-143022
+```
+
+### Phase 4: Sync Operations
+
+```
+SOURCE                                    DESTINATION
+charts/fluent-operator/                   helm-charts/charts/fluent-operator/
+    ├── Chart.yaml            ─────►          ├── Chart.yaml (modified)
+    ├── values.yaml           ─────►          ├── values.yaml
+    ├── README.md             ─────►          ├── README.md
+    ├── templates/            ─────►          ├── templates/
+    │   ├── deployment.yaml                   │   ├── deployment.yaml
+    │   └── ...                               │   └── ...
+    └── charts/                               └── (dependencies remote)
+        └── fluent-bit-crds/  ─────►
+                                          helm-charts/charts/fluent-bit-crds/
+charts/fluentd-crds/          ─────►      helm-charts/charts/fluentd-crds/
+```
+
+### Phase 5: Transformations
+
+**Before (in fluent-operator):**
+```yaml
+# charts/fluent-operator/Chart.yaml
+dependencies:
+  - name: fluent-bit-crds
+    repository: "file://charts/fluent-bit-crds"  # Local reference
+    version: 3.5.0
+```
+
+**After (in helm-charts):**
+```yaml
+# charts/fluent-operator/Chart.yaml
+dependencies:
+  - name: fluent-bit-crds
+    repository: "https://fluent.github.io/helm-charts"  # Remote reference
+    version: 3.5.0
+```
+
+### Phase 6: Validation
+
+```bash
+helm lint charts/fluent-operator/
+# ==> Linting charts/fluent-operator
+# [INFO] Chart.yaml: icon is recommended
+# 1 chart(s) linted, 0 chart(s) failed
+
+helm lint charts/fluent-bit-crds/
+# ==> Linting charts/fluent-bit-crds
+# 1 chart(s) linted, 0 chart(s) failed
+
+helm lint charts/fluentd-crds/
+# ==> Linting charts/fluentd-crds
+# 1 chart(s) linted, 0 chart(s) failed
+```
+
+### Phase 7: Git Operations
+
+```bash
+cd helm-charts
+git checkout main
+git checkout -b sync/fluent-operator-4.0.0-rc1-20251120-143022
+
+git add charts/
+git commit -m "Sync charts from fluent-operator
+
+- fluent-operator: v4.0.0-rc1
+- fluent-bit-crds: v3.5.0
+- fluentd-crds: v0.1.0
+
+Source: fluent/fluent-operator@abc1234"
+
+git push origin sync/fluent-operator-4.0.0-rc1-20251120-143022
+```
+
+### Phase 8: PR Creation
+
+**Generated PR:**
+
+```markdown
+Title: Sync Helm charts (fluent-operator v4.0.0-rc1)
+Labels: automated, helm-sync
+Base: main
+Head: sync/fluent-operator-4.0.0-rc1-20251120-143022
+
+## 🔄 Helm Charts Sync
+
+This PR syncs Helm charts from the development repository.
+
+### 📦 Charts Updated
+- **fluent-operator**: `v4.0.0-rc1`
+- **fluent-bit-crds**: `v3.5.0`
+- **fluentd-crds**: `v0.1.0`
+
+### 📝 Details
+- **Source Repository**: `fluent/fluent-operator`
+- **Source Commit**: `abc1234`
+- **Triggered By**: `release`
+
+### ✅ Checklist
+- [ ] Chart versions bumped
+- [ ] Release notes reviewed
+- [ ] Breaking changes documented
+- [ ] CI tests pass
+```
+
+## 🔀 Decision Flow
+
+```
+                    ┌─────────────┐
+                    │  Workflow   │
+                    │   Starts    │
+                    └──────┬──────┘
+                           │
+                           ▼
+                    ┌──────────────┐
+                    │ Extract      │
+                    │ Chart Info   │
+                    └──────┬───────┘
+                           │
+                    ┌──────▼───────┐
+                    │ Charts to    │
+                    │ sync = "all" │
+                    │     OR       │
+                    │  specific?   │
+                    └──────┬───────┘
+                           │
+              ┌────────────┼────────────┐
+              │                         │
+         "all" or empty            specific list
+              │                         │
+              ▼                         ▼
+    ┌─────────────────┐       ┌────────────────┐
+    │  Sync all 3     │       │  Sync only     │
+    │  charts         │       │  listed charts │
+    └────────┬────────┘       └────────┬───────┘
+             │                         │
+             └──────────┬──────────────┘
+                        │
+                        ▼
+              ┌─────────────────┐
+              │  Any changes?   │
+              └────────┬────────┘
+                       │
+           ┌───────────┼───────────┐
+           │                       │
+          Yes                      No
+           │                       │
+           ▼                       ▼
+    ┌──────────────┐      ┌──────────────┐
+    │ Commit &     │      │ Exit with    │
+    │ Create PR    │      │ "No changes" │
+    └──────────────┘      └──────────────┘
+```
+
+## 📊 Timeline Example
+
+Real-world example of workflow execution:
+
+```
+Time    Action                               Duration
+─────────────────────────────────────────────────────
+00:00   Workflow triggered (release)         -
+00:01   Checkout source repo                 ~10s
+00:11   Checkout helm-charts repo            ~8s
+00:19   Setup Git config                     ~1s
+00:20   Install Helm                         ~5s
+00:25   Extract chart versions               ~2s
+00:27   Create sync branch                   ~1s
+00:28   Sync fluent-operator                 ~3s
+00:31   Sync fluent-bit-crds                 ~2s
+00:33   Sync fluentd-crds                    ~2s
+00:35   Update Chart.yaml refs               ~1s
+00:36   Validate charts (helm lint)          ~8s
+00:44   Generate PR body                     ~1s
+00:45   Commit changes                       ~2s
+00:47   Push to branch                       ~5s
+00:52   Create Pull Request                  ~3s
+00:55   Post summary                         ~1s
+─────────────────────────────────────────────────────
+Total: ~55-60 seconds
+```
+
+## 🔄 Idempotency
+
+The workflow is safe to run multiple times:
+
+```
+Run 1: Changes detected → PR created ✓
+Run 2: No changes       → Exit gracefully ✓
+Run 3: No changes       → Exit gracefully ✓
+
+(Make chart changes)
+
+Run 4: Changes detected → PR created ✓
+```
+
+## 🎯 Success Criteria
+
+Workflow succeeds when:
+
+✅ All specified charts are synced
+✅ Chart dependencies are updated correctly
+✅ Helm lint passes (or expected warnings only)
+✅ Commit is created with proper message
+✅ Branch is pushed successfully
+✅ PR is created with complete information
+✅ Labels are applied correctly
+✅ Summary is generated
+
+## 🔗 Integration Points
+
+```
+fluent-operator repo
+    │
+    ├─► GitHub Actions (this workflow)
+    │       │
+    │       ├─► Checks out both repos
+    │       ├─► Syncs files
+    │       └─► Creates PR
+    │
+    └─► fluent/helm-charts repo
+            │
+            ├─► PR awaits review
+            │
+            ├─► Maintainer approves & merges
+            │
+            └─► helm-charts CI runs
+                    │
+                    └─► Charts published to
+                        https://fluent.github.io/helm-charts
+                            │
+                            └─► Users can helm install
+```
+
+## 📚 Related Documentation
+
+- [SETUP_CHECKLIST.md](SETUP_CHECKLIST.md) - Initial setup
+- [HELM_SYNC_README.md](HELM_SYNC_README.md) - Complete guide
+- [test-sync.sh](test-sync.sh) - Local testing
+- [README.md](README.md) - Workflows overview
+
+---
+
+**Last Updated**: November 2025
+**Questions?** Check [HELM_SYNC_README.md](HELM_SYNC_README.md) or ask maintainers
+
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
new file mode 100644
index 000000000..23fddfebf
--- /dev/null
+++ b/.github/workflows/helm-release.yaml
@@ -0,0 +1,263 @@
+name: Release Helm Charts
+on:
+  workflow_dispatch:
+    inputs:
+      target_branch:
+        description: 'Target branch in helm-charts repo'
+        required: false
+        default: 'main'
+      pr_title:
+        description: 'Custom PR title (optional)'
+        required: false
+      charts_to_sync:
+        description: 'Comma-separated list of charts to sync (or "all")'
+        required: false
+        default: 'all'
+
+env:
+  HELM_CHARTS_REPO: fluent/helm-charts
+  HELM_CHARTS_REPO_URL: https://github.com/fluent/helm-charts.git
+
+jobs:
+  sync-charts:
+    name: Sync Helm Charts
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout fluent/fluent-operator repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+          path: source
+
+      - name: Generate token from GitHub App
+        id: generate-token
+        uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+        with:
+          app-id: ${{ secrets.HELM_SYNC_APP_ID }}
+          private-key: ${{ secrets.HELM_SYNC_APP_PRIVATE_KEY }}
+          repositories: helm-charts
+
+      - name: Checkout fluent/helm-charts repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          repository: ${{ env.HELM_CHARTS_REPO }}
+          token: ${{ steps.generate-token.outputs.token }}
+          path: helm-charts
+          fetch-depth: 0
+
+      - name: Setup Git
+        run: |
+          git config --global user.name "github-actions[bot]"
+          git config --global user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Install Helm
+        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        with:
+          version: v3.17.2
+
+      - name: Determine chart versions and metadata
+        id: chart-info
+        working-directory: source
+        run: |
+          # Extract versions from Chart.yaml files
+          FLUENT_OP_VERSION=$(grep '^version:' charts/fluent-operator/Chart.yaml | awk '{print $2}')
+          FLUENTD_CRDS_VERSION=$(grep '^version:' charts/fluentd-crds/Chart.yaml | awk '{print $2}')
+          FLUENT_BIT_CRDS_VERSION=$(grep '^version:' charts/fluent-bit-crds/Chart.yaml | awk '{print $2}')
+
+          echo "fluent_operator_version=${FLUENT_OP_VERSION}" >> $GITHUB_OUTPUT
+          echo "fluentd_crds_version=${FLUENTD_CRDS_VERSION}" >> $GITHUB_OUTPUT
+          echo "fluent_bit_crds_version=${FLUENT_BIT_CRDS_VERSION}" >> $GITHUB_OUTPUT
+
+          # Create a branch name based on version
+          BRANCH_NAME="sync/fluent-operator-${FLUENT_OP_VERSION}-$(date +%Y%m%d-%H%M%S)"
+          echo "branch_name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
+
+          # Get current commit SHA for reference
+          COMMIT_SHA=$(git rev-parse --short HEAD)
+          echo "source_commit=${COMMIT_SHA}" >> $GITHUB_OUTPUT
+
+      - name: Create sync branch in helm-charts repo
+        working-directory: helm-charts
+        run: |
+          TARGET_BRANCH="${{ github.event.inputs.target_branch || 'main' }}"
+          git checkout "${TARGET_BRANCH}"
+          git checkout -b "${{ steps.chart-info.outputs.branch_name }}"
+
+      - name: Sync fluent-operator chart
+        if: ${{ github.event.inputs.charts_to_sync == 'all' || contains(github.event.inputs.charts_to_sync, 'fluent-operator') || github.event.inputs.charts_to_sync == '' }}
+        run: |
+          # Create charts directory if it doesn't exist
+          mkdir -p helm-charts/charts/fluent-operator
+
+          # Remove old chart content (but preserve .git)
+          find helm-charts/charts/fluent-operator -mindepth 1 -maxdepth 1 ! -name '.git*' -exec rm -rf {} +
+
+          # Copy new chart content (excluding subchart dependency charts)
+          rsync -av --exclude='charts/' source/charts/fluent-operator/ helm-charts/charts/fluent-operator/
+
+          echo "✅ Synced fluent-operator chart (v${{ steps.chart-info.outputs.fluent_operator_version }})"
+
+      - name: Sync fluent-bit-crds chart
+        if: ${{ github.event.inputs.charts_to_sync == 'all' || contains(github.event.inputs.charts_to_sync, 'fluent-bit-crds') || github.event.inputs.charts_to_sync == '' }}
+        run: |
+          # Create charts directory if it doesn't exist
+          mkdir -p helm-charts/charts/fluent-bit-crds
+
+          # Remove old chart content
+          find helm-charts/charts/fluent-bit-crds -mindepth 1 -maxdepth 1 ! -name '.git*' -exec rm -rf {} +
+
+          # Copy new chart content from subchart location
+          rsync -av source/charts/fluent-operator/charts/fluent-bit-crds/ helm-charts/charts/fluent-bit-crds/
+
+          echo "✅ Synced fluent-bit-crds chart (v${{ steps.chart-info.outputs.fluent_bit_crds_version }})"
+
+      - name: Sync fluentd-crds chart
+        if: ${{ github.event.inputs.charts_to_sync == 'all' || contains(github.event.inputs.charts_to_sync, 'fluentd-crds') || github.event.inputs.charts_to_sync == '' }}
+        run: |
+          # Create charts directory if it doesn't exist
+          mkdir -p helm-charts/charts/fluentd-crds
+
+          # Remove old chart content
+          find helm-charts/charts/fluentd-crds -mindepth 1 -maxdepth 1 ! -name '.git*' -exec rm -rf {} +
+
+          # Copy new chart content
+          rsync -av source/charts/fluentd-crds/ helm-charts/charts/fluentd-crds/
+
+          echo "✅ Synced fluentd-crds chart (v${{ steps.chart-info.outputs.fluentd_crds_version }})"
+
+      - name: Update Chart.yaml repository references
+        working-directory: helm-charts
+        run: |
+          # Update fluent-operator Chart.yaml to use proper repository reference
+          if [ -f "charts/fluent-operator/Chart.yaml" ]; then
+            sed -i 's|repository: "file://charts/fluent-bit-crds"|repository: "https://fluent.github.io/helm-charts"|g' charts/fluent-operator/Chart.yaml
+            sed -i 's|repository: "file://charts/fluentd-crds"|repository: "https://fluent.github.io/helm-charts"|g' charts/fluent-operator/Chart.yaml
+          fi
+
+      - name: Validate Helm charts
+        working-directory: helm-charts
+        run: |
+          echo "Validating synced charts..."
+
+          for chart in charts/*/Chart.yaml; do
+            chart_dir=$(dirname "$chart")
+            echo "Validating $chart_dir..."
+            helm lint "$chart_dir" || echo "⚠️  Linting failed for $chart_dir (may be expected for CRD-only charts)"
+          done
+
+          echo "✅ Chart validation complete"
+
+      - name: Generate PR body
+        id: pr-body
+        run: |
+          cat << 'EOF' > pr-body.md
+          ## Helm Charts Sync
+
+          This PR syncs Helm charts from the [development](https://github.com/fluent/fluent-operator/tree/master/charts/fluent-operator) repository to the [release](https://github.com/fluent/helm-charts/tree/main/charts/fluent-operator) repository.
+
+          ### Charts Updated
+
+          - **fluent-operator**: `v${{ steps.chart-info.outputs.fluent_operator_version }}`
+          - **fluent-bit-crds**: `v${{ steps.chart-info.outputs.fluent_bit_crds_version }}`
+          - **fluentd-crds**: `v${{ steps.chart-info.outputs.fluentd_crds_version }}`
+
+          ### Details
+
+          - **Source Repository**: `${{ github.repository }}`
+          - **Source Commit**: `${{ steps.chart-info.outputs.source_commit }}`
+          - **Triggered By**: `${{ github.event_name }}`
+          - **Workflow Run**: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+          ### Checklist
+
+          - [ ] Chart versions have been bumped appropriately
+          - [ ] CHANGELOG/release notes have been reviewed
+          - [ ] No breaking changes, or breaking changes are documented
+          - [ ] CI tests pass
+
+          ### Automation
+
+          This PR was automatically created by the [sync-helm-charts workflow](${{ github.server_url }}/${{ github.repository }}/blob/master/.github/workflows/sync-helm-charts.yaml).
+
+          Once merged, CI in this repository will automatically release the charts to the Helm repository.
+          EOF
+
+          echo "pr_body_file=pr-body.md" >> $GITHUB_OUTPUT
+
+      - name: Commit and push changes
+        id: commit
+        working-directory: helm-charts
+        run: |
+          git add .
+
+          # Check if there are changes to commit
+          if git diff --staged --quiet; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+            echo "No changes detected"
+            exit 0
+          fi
+
+          echo "has_changes=true" >> $GITHUB_OUTPUT
+
+          git commit -m "Sync charts from fluent-operator
+
+          - fluent-operator: v${{ steps.chart-info.outputs.fluent_operator_version }}
+          - fluent-bit-crds: v${{ steps.chart-info.outputs.fluent_bit_crds_version }}
+          - fluentd-crds: v${{ steps.chart-info.outputs.fluentd_crds_version }}
+
+          Source: ${{ github.repository }}@${{ steps.chart-info.outputs.source_commit }}"
+
+          git push origin "${{ steps.chart-info.outputs.branch_name }}"
+
+          echo "✅ Changes committed and pushed"
+
+      - name: Create Pull Request
+        if: steps.commit.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+        working-directory: helm-charts
+        run: |
+          PR_TITLE="${{ github.event.inputs.pr_title }}"
+          if [ -z "$PR_TITLE" ]; then
+            PR_TITLE="Sync Helm charts (fluent-operator v${{ steps.chart-info.outputs.fluent_operator_version }})"
+          fi
+
+          TARGET_BRANCH="${{ github.event.inputs.target_branch || 'main' }}"
+
+          pr_url=$(gh pr create \
+            --title "$PR_TITLE" \
+            --body-file ../pr-body.md \
+            --base "$TARGET_BRANCH" \
+            --head "${{ steps.chart-info.outputs.branch_name }}" \
+            --label "automated" \
+            --label "helm-sync")
+
+          echo "✅ Pull request created: $pr_url"
+          echo "PR_URL=$pr_url" >> $GITHUB_ENV
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## 📊 Sync Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          if [ "${{ steps.commit.outputs.has_changes }}" == "true" ]; then
+            echo "**Status**: Charts synced successfully" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Charts Synced" >> $GITHUB_STEP_SUMMARY
+            echo "- fluent-operator: \`v${{ steps.chart-info.outputs.fluent_operator_version }}\`" >> $GITHUB_STEP_SUMMARY
+            echo "- fluent-bit-crds: \`v${{ steps.chart-info.outputs.fluent_bit_crds_version }}\`" >> $GITHUB_STEP_SUMMARY
+            echo "- fluentd-crds: \`v${{ steps.chart-info.outputs.fluentd_crds_version }}\`" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+
+            if [ -n "${{ env.PR_URL }}" ]; then
+              echo "### Pull Request" >> $GITHUB_STEP_SUMMARY
+              echo "[${{ env.PR_URL }}](${{ env.PR_URL }})" >> $GITHUB_STEP_SUMMARY
+            fi
+          else
+            echo "**Status**: No changes detected" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "The charts are already up to date in the helm-charts repository." >> $GITHUB_STEP_SUMMARY
+          fi
+
diff --git a/.github/workflows/test-sync.sh b/.github/workflows/test-sync.sh
new file mode 100755
index 000000000..88c680977
--- /dev/null
+++ b/.github/workflows/test-sync.sh
@@ -0,0 +1,209 @@
+#!/bin/bash
+set -e
+
+# Test script for validating helm chart sync locally
+# This simulates what the GitHub Actions workflow will do
+
+COLOR_GREEN='\033[0;32m'
+COLOR_YELLOW='\033[1;33m'
+COLOR_RED='\033[0;31m'
+COLOR_BLUE='\033[0;34m'
+COLOR_RESET='\033[0m'
+
+log_info() {
+    echo -e "${COLOR_BLUE}ℹ️  $1${COLOR_RESET}"
+}
+
+log_success() {
+    echo -e "${COLOR_GREEN}✅ $1${COLOR_RESET}"
+}
+
+log_warning() {
+    echo -e "${COLOR_YELLOW}⚠️  $1${COLOR_RESET}"
+}
+
+log_error() {
+    echo -e "${COLOR_RED}❌ $1${COLOR_RESET}"
+}
+
+# Check if we're in the right directory
+if [ ! -f "charts/fluent-operator/Chart.yaml" ]; then
+    log_error "Must be run from the root of the fluent-operator repository"
+    exit 1
+fi
+
+log_info "Starting local helm chart sync test..."
+echo ""
+
+# Create temporary directory for testing
+TEST_DIR=$(mktemp -d)
+trap "rm -rf $TEST_DIR" EXIT
+
+log_info "Test directory: $TEST_DIR"
+
+# Create mock helm-charts directory structure
+mkdir -p "$TEST_DIR/helm-charts/charts"
+
+log_info "Extracting chart versions..."
+
+# Extract versions
+FLUENT_OP_VERSION=$(grep '^version:' charts/fluent-operator/Chart.yaml | awk '{print $2}')
+FLUENTD_CRDS_VERSION=$(grep '^version:' charts/fluentd-crds/Chart.yaml | awk '{print $2}')
+FLUENT_BIT_CRDS_VERSION=$(grep '^version:' charts/fluent-operator/charts/fluent-bit-crds/Chart.yaml | awk '{print $2}')
+
+echo "  • fluent-operator: v${FLUENT_OP_VERSION}"
+echo "  • fluentd-crds: v${FLUENTD_CRDS_VERSION}"
+echo "  • fluent-bit-crds: v${FLUENT_BIT_CRDS_VERSION}"
+echo ""
+
+# Sync fluent-operator chart
+log_info "Syncing fluent-operator chart..."
+mkdir -p "$TEST_DIR/helm-charts/charts/fluent-operator/charts"
+rsync -av --exclude='charts/' charts/fluent-operator/ "$TEST_DIR/helm-charts/charts/fluent-operator/" > /dev/null
+log_success "fluent-operator synced"
+
+# Sync fluent-bit-crds chart
+log_info "Syncing fluent-bit-crds chart..."
+mkdir -p "$TEST_DIR/helm-charts/charts/fluent-bit-crds"
+rsync -av charts/fluent-operator/charts/fluent-bit-crds/ "$TEST_DIR/helm-charts/charts/fluent-bit-crds/" > /dev/null
+log_success "fluent-bit-crds synced"
+
+# Sync fluentd-crds chart
+log_info "Syncing fluentd-crds chart..."
+mkdir -p "$TEST_DIR/helm-charts/charts/fluentd-crds"
+rsync -av charts/fluentd-crds/ "$TEST_DIR/helm-charts/charts/fluentd-crds/" > /dev/null
+log_success "fluentd-crds synced"
+
+# Update Chart.yaml repository references
+log_info "Updating Chart.yaml repository references..."
+sed -i.bak 's|repository: "file://charts/fluent-bit-crds"|repository: "https://fluent.github.io/helm-charts"|g' \
+    "$TEST_DIR/helm-charts/charts/fluent-operator/Chart.yaml"
+log_success "Repository references updated"
+echo ""
+
+# Check for helm
+if ! command -v helm &> /dev/null; then
+    log_warning "Helm is not installed, skipping validation"
+    log_info "Install helm: https://helm.sh/docs/intro/install/"
+else
+    log_info "Validating charts with helm lint..."
+    echo ""
+    
+    # Validate each chart
+    for chart_dir in "$TEST_DIR/helm-charts/charts/"*/; do
+        chart_name=$(basename "$chart_dir")
+        echo -n "  Linting ${chart_name}... "
+        
+        if helm lint "$chart_dir" > "$TEST_DIR/${chart_name}-lint.log" 2>&1; then
+            log_success ""
+        else
+            log_warning "has warnings (may be expected for CRD charts)"
+            if [ -f "$TEST_DIR/${chart_name}-lint.log" ]; then
+                echo "    Log: $TEST_DIR/${chart_name}-lint.log"
+            fi
+        fi
+    done
+    echo ""
+fi
+
+# Show file tree
+log_info "Synced chart structure:"
+if command -v tree &> /dev/null; then
+    tree -L 3 "$TEST_DIR/helm-charts/charts/" -I '.git*'
+else
+    find "$TEST_DIR/helm-charts/charts/" -type f | head -20
+    log_warning "Install 'tree' for better output: brew install tree"
+fi
+echo ""
+
+# Compare key files
+log_info "Checking critical files..."
+
+check_file() {
+    local file=$1
+    local chart=$2
+    
+    if [ -f "$TEST_DIR/helm-charts/charts/$chart/$file" ]; then
+        echo -e "  ${COLOR_GREEN}✓${COLOR_RESET} $chart/$file"
+    else
+        echo -e "  ${COLOR_RED}✗${COLOR_RESET} $chart/$file (MISSING)"
+    fi
+}
+
+check_file "Chart.yaml" "fluent-operator"
+check_file "values.yaml" "fluent-operator"
+check_file "README.md" "fluent-operator"
+check_file "Chart.yaml" "fluent-bit-crds"
+check_file "Chart.yaml" "fluentd-crds"
+echo ""
+
+# Show dependency changes
+log_info "Checking Chart.yaml dependency changes..."
+if [ -f "$TEST_DIR/helm-charts/charts/fluent-operator/Chart.yaml" ]; then
+    if grep -q "https://fluent.github.io/helm-charts" "$TEST_DIR/helm-charts/charts/fluent-operator/Chart.yaml"; then
+        log_success "fluent-bit-crds dependency uses remote repository"
+    else
+        log_error "fluent-bit-crds dependency still references local file"
+    fi
+fi
+echo ""
+
+# Statistics
+log_info "Sync statistics:"
+file_count=$(find "$TEST_DIR/helm-charts/charts/" -type f | wc -l | xargs)
+echo "  • Total files synced: $file_count"
+
+for chart in fluent-operator fluent-bit-crds fluentd-crds; do
+    if [ -d "$TEST_DIR/helm-charts/charts/$chart" ]; then
+        count=$(find "$TEST_DIR/helm-charts/charts/$chart" -type f | wc -l | xargs)
+        echo "  • $chart: $count files"
+    fi
+done
+echo ""
+
+# Show what would be in the PR
+log_info "Generated PR body preview:"
+cat << EOF
+
+═══════════════════════════════════════════════════════════
+
+## 🔄 Helm Charts Sync
+
+This PR syncs Helm charts from the development repository to the release repository.
+
+### 📦 Charts Updated
+
+- **fluent-operator**: \`v${FLUENT_OP_VERSION}\`
+- **fluent-bit-crds**: \`v${FLUENT_BIT_CRDS_VERSION}\`
+- **fluentd-crds**: \`v${FLUENTD_CRDS_VERSION}\`
+
+### 📝 Details
+
+- **Source Repository**: \`fluent/fluent-operator\`
+- **Triggered By**: local test
+
+### ✅ Checklist
+
+- [ ] Chart versions have been bumped appropriately
+- [ ] CHANGELOG/release notes have been reviewed
+- [ ] No breaking changes, or breaking changes are documented
+- [ ] CI tests pass
+
+═══════════════════════════════════════════════════════════
+
+EOF
+
+# Final summary
+echo ""
+log_success "Test completed successfully!"
+echo ""
+log_info "Next steps:"
+echo "  1. Review the synced files in: $TEST_DIR/helm-charts/"
+echo "  2. Ensure chart versions are correct"
+echo "  3. Run the GitHub Actions workflow: gh workflow run sync-helm-charts.yaml"
+echo ""
+log_info "To keep the test directory for inspection:"
+echo "  cp -r $TEST_DIR/helm-charts /tmp/helm-charts-test"
+echo "  cd /tmp/helm-charts-test"
+echo ""
+