feat: add chart with an example and ci

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+* @JossWhittle
+.github/ @SwanseaUniversityMedical/devops-maintainers

.github/commitlint.config.mjs

@@ -0,0 +1,16 @@
+import { RuleConfigSeverity } from '@commitlint/types';
+
+export default {
+  extends: ['@commitlint/config-conventional'],
+  parserPreset: 'conventional-changelog-conventionalcommits',
+  rules: {
+    'scope-enum': [RuleConfigSeverity.Error, 'always', [
+        '',
+        'ci',
+        'deps',
+        'kargo-pipelines',
+        'kargo-pipelines-chart',
+    ]],
+    'subject-case': [RuleConfigSeverity.Error, 'never', []],
+  }
+};

.github/pull_request_template.md

@@ -0,0 +1,14 @@
+## :construction: Suggest a change
+
+A clear and concise description of what you are changing.
+
+## :memo: Pre-merge checklist
+
+Ready to merge? Do not merge until all checks are satisfied.
+- [ ] :chart: Have all `required` CI checks passed on the most recent commit?
+- [ ] :black_nib: Is the PR title a valid and meaningful conventional-commit message? ie. `type(scope): summary`
+- [ ] :boom: Are `breaking changes` declared in the PR title in conventional-commit style? ie. `type!(scope): summary`
+- [ ] :art: Does new code follow the code style of this project? 
+- [ ] :mag: Has new code been spellchecked and linted?
+- [ ] :book: Have docs been updated where necessary?
+- [ ] :poop: Have commits been checked for accidental file inclusions?

.github/renovate.js

@@ -0,0 +1,78 @@
+module.exports = {
+
+  // Uncomment dryRun to test exotic config options without spamming dozens of
+  // pull requests onto a repo that you would then need to clean up...
+  //dryRun: "full",
+
+  // Inherit default config options
+  extends: ["config:base"],
+  configMigration: true,
+
+  // Force use of Conventional Commit messages to avoid Renovate not detecting them
+  semanticCommits: "enabled",
+
+  // Disable limits on the number of pull requests that can be managed simultaneously
+  // since this can sometimes prevent security patches being suggested!
+  prHourlyLimit: 0,
+  prConcurrentLimit: 0,
+
+  // Tell Renovate to re-create or rebase old pull requests when new commits have
+  // since been merged into main...
+  rebaseWhen: "behind-base-branch",
+
+  // Set the default schedule for when pull requests will be created or updated.
+  // If Renovate is run outside of this schedule then it will skip updating pull
+  // requests for dependencies unless they override the schedule.
+  updateNotScheduled: false,
+  timezone: "Europe/London",
+  schedule: [
+    "after 10pm",
+    "before 5am"
+  ],
+
+  // This setting helps handle breaking changes to Renovate bot when its version changes.
+  ignorePrAuthor: true,
+
+  // Automatically assign reviewers to pull requests based on who "owns" the source files
+  // that need to be updated as listed in the CODEOWNERS file in the project repo.
+  reviewersFromCodeOwners: true,
+
+  // Auto discovery is dangerous, never blindly trust the scope of the token!
+  autodiscover: false,
+  // Instead, explicitly list the repos that we should manage pull requests on.
+  // This should realistically only be one repo, the project repo you are currently in.
+  // The default token "should" only have access to this repo...
+  repositories: [
+    "SwanseaUniversityMedical/kargo-pipelines",
+  ],
+
+  packageRules: [
+    {
+      // Group all otherwise ungrouped minor and patch updates into a single PR
+      groupName: "all non-major dependencies",
+      groupSlug: "all-minor-patch",
+      matchPackageNames: ["*"],
+      matchUpdateTypes: ["minor", "patch"]
+    },
+    {
+      // By default all major updates won't create PRs unless checked in the dep dashboard
+      matchUpdateTypes: ["major"],
+      dependencyDashboardApproval: true
+    },
+    {
+      // Group all minor and patch workflows updates into a single PR
+      groupName: "workflows non-major dependencies",
+      groupSlug: "workflows-minor-patch",
+      matchPackageNames: ["SwanseaUniversityMedical/workflows"],
+      matchUpdateTypes: ["minor", "patch"],
+      schedule: ["at any time"]
+    },
+    {
+      // Force major workflows updates to create PRs without dep dashboard being checked
+      matchPackageNames: ["SwanseaUniversityMedical/workflows"],
+      matchUpdateTypes: ["major"],
+      dependencyDashboardApproval: false,
+      schedule: ["at any time"]
+    }
+  ],
+};

.github/workflows/kargo-pipelines-chart.yaml

@@ -0,0 +1,51 @@
+name: kargo-pipelines chart
+
+on:
+  pull_request:
+    # Only consider PRs that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/kargo-pipelines-chart.yaml'
+      - 'charts/kargo-pipelines/**'
+  push:
+    # Only release off of release and maintenance branches for this asset
+    branches:
+      - 'main'
+    # Only consider pushes that change files for this asset, including ci scripts
+    paths:
+      - '.github/workflows/kargo-pipelines-chart.yaml'
+      - 'charts/kargo-pipelines/**'
+
+permissions:
+  contents: write
+  pull-requests: write
+  actions: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # Cancel early on pull requests if new commits are added,
+  # Don't cancel on release pushes
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  # Job name must be unique across repo to target
+  # branch protection rules "required checks" properly!
+  kargo-pipelines-chart:
+    uses: SwanseaUniversityMedical/workflows/.github/workflows/[email protected]
+    with:
+      job-name: kargo-pipelines-chart
+      comment-pr: "true"
+      comment-release: "true"
+      registry: ${{ vars.HARBOR_REGISTRY }}
+      registry-user: ${{ vars.HARBOR_USER }}
+      registry-project: ${{ vars.HARBOR_PROJECT }}
+      registry-repo: kargo-pipelines
+      release-tag-format: 'v${version}-kargo-pipelines-chart'
+      cosign-public-key: ${{ vars.COSIGN_PUBLIC_KEY }}
+      chart: charts/kargo-pipelines
+      test-command: |
+        helm template $CHART --debug
+
+    secrets:
+      cosign-private-key: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      cosign-password: ${{ secrets.COSIGN_PASSWORD }}
+      registry-token: ${{ secrets.HARBOR_TOKEN }}

.github/workflows/pr-title-commitlint.yaml

@@ -0,0 +1,19 @@
+name: Commit Lint PR Title
+
+on:
+  pull_request:
+    # Run on all PRs whenever the title could have changed
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  # This linting can be cancelled if there is a newer commit to lint
+  cancel-in-progress: true
+
+jobs:
+  pr-title-commitlint:
+    uses: SwanseaUniversityMedical/workflows/.github/workflows/[email protected]

.github/workflows/renovate.yaml

@@ -0,0 +1,23 @@
+name: Renovate
+on:
+  workflow_dispatch:
+  repository_dispatch:
+    types: [renovate]
+  schedule:
+    - cron: '0 * * * *'
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
+jobs:
+  renovate:
+    runs-on:
+      labels: [ self-hosted, linux, x64 ]
+      group: heavy
+
+    steps:
+      - uses: SwanseaUniversityMedical/workflows/.github/actions/[email protected]
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}
+          config: '.github/renovate.js'

.gitignore

@@ -1,162 +1,2 @@
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py,cover
-.hypothesis/
-.pytest_cache/
-cover/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-.pybuilder/
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-#   For a library or package, you might want to ignore these files since the code is
-#   intended to run in multiple environments; otherwise, check them in:
-# .python-version
-
-# pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
-
-# poetry
-#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
-#   This is especially recommended for binary packages to ensure reproducibility, and is more
-#   commonly ignored for libraries.
-#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
-#poetry.lock
-
-# pdm
-#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
-#pdm.lock
-#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
-#   in version control.
-#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
-.pdm.toml
-.pdm-python
-.pdm-build/
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
-
-# pytype static type analyzer
-.pytype/
-
-# Cython debug symbols
-cython_debug/
-
-# PyCharm
-#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
-#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
-#  and can be added to the global gitignore or merged into this file.  For a more nuclear
-#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+.idea
+local/**