# helm-deploy

Deploy a service to Kubernetes via Helm over SSH.

## Inputs

| Input | Required | Default | Description |
|-------|----------|---------|-------------|
| `service-name` | Yes | — | Helm release name |
| `helm-cluster` | Yes | — | Cluster to deploye to (one of `internal_stage` or `internal_prod`) |
| `image-tag` | Yes | — | Docker image tag to deploy |
| `ssh-key` | Yes | — | Private SSH key content |
| `overrides-file` | No | `kubernetes/overrides-pu.yaml` | Local path to Helm values override file |
| `namespace` | No | `dsp` | Kubernetes namespace |
| `helm-repo` | No | `nexus-helm-repository` | Helm chart repository name |
| `helm-chart` | No | `DSP-Blueprint` | Chart name in the repository |

## Usage

```yaml
- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/helm-deploy@helm-deploy-v1
  with:
    service-name: my-service
    helm-host: dsp1-stage.schmalzgroup.net
    image-tag: ${{ github.sha }}
    ssh-key: ${{ secrets.HELM_SSH_KEY }}
```

## Notes

- The SSH key is written to a temporary file with `600` permissions and removed after the job, even on failure.
- The overrides file is copied to the remote host via `scp` before the Helm upgrade.
- `helm upgrade --install` is run with `--atomic` so a failed release is automatically rolled back.
- `StrictHostKeyChecking=no` is used; ensure the host is trusted within your network or add host verification as needed.