
feat: 911 helm resource repo #2130

Merged: jakobmoellerdev merged 12 commits into open-component-model:main from matthiasbruns:feat/911_helm_resource_repo on Apr 17, 2026

@matthiasbruns

@matthiasbruns matthiasbruns commented Mar 31, 2026

Contributor

What this PR does / why we need it

This PR ties the helm ResourceRepository changes together and updates the spec location changes.

Follow up of #2128
cli and transfer are refactored to use the new Helm ResourceRepository.
Also removes the deprecated Access and ResourceConsumerIdentityProvider

Which issue(s) this PR fixes

Contributes open-component-model/ocm-project#911

Testing

How to test the changes

Check comment: #2130 (comment)

Verification
  • I have tested the changes locally by running ocm

@coderabbitai

coderabbitai Bot commented Mar 31, 2026

Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 50e4a97c-952f-4cd7-9a3f-80c8e0ac61d0

📥 Commits

Reviewing files that changed from the base of the PR and between 57c04be and 5b8caaf.

⛔ Files ignored due to path filters (3)
  • cli/go.sum is excluded by !**/*.sum
  • cli/integration/go.sum is excluded by !**/*.sum
  • kubernetes/controller/go.sum is excluded by !**/*.sum
📒 Files selected for processing (10)
  • cli/cmd/transfer/component-version/internal/graph.go
  • cli/cmd/transfer/component-version/internal/scheme.go
  • cli/go.mod
  • cli/integration/add_component_version_integration_test.go
  • cli/integration/download_resource_integration_test.go
  • cli/integration/go.mod
  • cli/internal/plugin/builtin/builtin.go
  • cli/internal/plugin/builtin/input/helm/method_test.go
  • kubernetes/controller/go.mod
  • kubernetes/controller/internal/cel/functions/oci_test.go

📝 Walkthrough

Walkthrough

This PR updates Helm package import paths across the codebase from helm/access/spec/v1 to helm/spec/access/v1, bumps module dependencies for helm and transfer packages, registers a new helm resource repository plugin, and adds integration tests for helm chart access functionality.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Helm Access Import Path Updates: cli/cmd/transfer/component-version/internal/graph.go, cli/cmd/transfer/component-version/internal/scheme.go, cli/internal/plugin/builtin/input/helm/method_test.go, kubernetes/controller/internal/cel/functions/oci_test.go | Updated Helm v1 access type import paths from helm/access/spec/v1 to helm/spec/access/v1, reflecting reorganization of Helm package structure in the bindings module. |
| Module Dependency Updates: cli/go.mod, cli/integration/go.mod, kubernetes/controller/go.mod | Bumped ocm.software/open-component-model/bindings/go/helm and transfer module versions to match updated package structures (commits f251bed843620e or similar). |
| Helm Resource Repository Plugin Registration: cli/internal/plugin/builtin/builtin.go | Added registration of internal "helm resource repository" plugin to the ResourcePluginRegistry, enabling CLI-based resolution for helm chart resources. |
| Helm Access Integration Tests: cli/integration/add_component_version_integration_test.go, cli/integration/download_resource_integration_test.go | Added two new integration tests: one for adding component versions with helm/v1 access type, and another for downloading helm resources with chart archive and provenance validation via local HTTP server. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

Suggested reviewers

  • jakobmoellerdev
  • frewilhelm

Poem

🐰 A helm of charts now flows through plugins bright,
Where repositories dance in package night,
Import paths aligned, access types take flight,
Resources download with provenance sight! 📦✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'feat: 911 helm resource repo' clearly references the main objective: implementing Helm ResourceRepository functionality to address issue #911. |
| Description check | ✅ Passed | The description is related to the changeset, explaining the PR integrates Helm ResourceRepository changes, refactors CLI and transfer components, and removes deprecated interfaces as per issue #911. |
| Linked Issues check | ✅ Passed | Changes comprehensively address issue #911 requirements: register Helm ResourceRepository in plugin system [builtin.go], update import paths reflecting new package structure across CLI/transfer components [graph.go, scheme.go, method_test.go, oci_test.go], add integration tests for helm access [add_component_version_integration_test.go, download_resource_integration_test.go], and update dependencies [go.mod files]. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to Helm ResourceRepository implementation: dependency updates align with the new spec package structure, import path updates follow the refactored bindings, integration tests validate helm/v1 access functionality, and the builtin plugin registration enables the required CLI resource download feature. |


@github-actions github-actions Bot added kind/feature new feature, enhancement, improvement, extension size/l Large labels Mar 31, 2026
@matthiasbruns matthiasbruns changed the title feat: 911 helm resource repo feat!: 911 helm resource repo Mar 31, 2026
@github-actions github-actions Bot added the !BREAKING-CHANGE! Breaking change in API or ocm-cli or spec label Mar 31, 2026
@matthiasbruns matthiasbruns force-pushed the feat/911_helm_resource_repo branch from 9cfa492 to 31b0179 Compare April 1, 2026 06:30
@matthiasbruns

matthiasbruns commented Apr 1, 2026

Contributor Author
```zsh
#!/bin/zsh
set -euo pipefail

# Test: Download a helm chart resource using the Helm ResourceRepository.
# This creates a CTF with a podinfo helm access resource, then downloads
# the chart from the remote helm repository via the ResourceRepository plugin.

alias OCM='go run ../../main.go'

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
WORK_DIR="$SCRIPT_DIR/test-download-helm-resource-output"
rm -rf "$WORK_DIR"
mkdir -p "$WORK_DIR"
CTF_DIR="$WORK_DIR/ctf"
DOWNLOAD_DIR="$WORK_DIR/downloaded"
CONSTRUCTOR_PATH="$WORK_DIR/constructor.yaml"

echo "=== Test: Download Helm Resource (podinfo) ==="
echo "Working directory: $WORK_DIR"

# 1. Create constructor with helm access pointing to the real podinfo chart repo
cat <<EOF > "$CONSTRUCTOR_PATH"
components:
- name: ocm.software/podinfo
  version: 6.9.1
  provider:
    name: ocm.software
  resources:
  - name: podinfo
    version: 6.9.1
    type: helmChart
    access:
      type: helm/v1
      helmRepository: https://stefanprodan.github.io/podinfo
      helmChart: podinfo-6.9.1.tgz
EOF

# 2. Add component version to CTF (skip digest processing since we have remote access)
echo "--- Adding component version to CTF ---"
OCM add cv --repository "ctf::$CTF_DIR" --constructor "$CONSTRUCTOR_PATH" --skip-reference-digest-processing

# 3. Download the resource - this triggers the Helm ResourceRepository to fetch from remote
echo "--- Downloading helm resource ---"
OCM download resource "ctf::$CTF_DIR//ocm.software/podinfo:6.9.1" \
  --identity name=podinfo,version=6.9.1 \
  --output "$DOWNLOAD_DIR" \
  --extraction-policy disable

# 4. Verify the download produced a non-empty file
if [ ! -f "$DOWNLOAD_DIR" ]; then
  echo "FAIL: Downloaded file does not exist at $DOWNLOAD_DIR"
  exit 1
fi

FILE_SIZE=$(stat -f%z "$DOWNLOAD_DIR" 2>/dev/null || stat -c%s "$DOWNLOAD_DIR" 2>/dev/null)
if [ "$FILE_SIZE" -eq 0 ]; then
  echo "FAIL: Downloaded file is empty"
  exit 1
fi

echo "--- Downloaded file size: $FILE_SIZE bytes ---"

# 5. Verify the tar contains the expected chart file
TAR_CONTENTS=$(tar tf "$DOWNLOAD_DIR")
echo "--- Tar contents ---"
echo "$TAR_CONTENTS"

if ! echo "$TAR_CONTENTS" | grep -q "podinfo-6.9.1.tgz"; then
  echo "FAIL: Tar does not contain podinfo-6.9.1.tgz"
  exit 1
fi

# 6. Extract the tar and verify SHA256 of the chart file
EXTRACT_DIR="$WORK_DIR/extracted"
mkdir -p "$EXTRACT_DIR"
tar xf "$DOWNLOAD_DIR" -C "$EXTRACT_DIR"

CHART_FILE=$(find "$EXTRACT_DIR" -name "podinfo-6.9.1.tgz" -type f)
if [ -z "$CHART_FILE" ]; then
  echo "FAIL: Could not find extracted chart file"
  exit 1
fi

EXPECTED_SHA256="6d082dc0d4e90fbb525c0c1fc8a52d5279581750b8888688b07ce00f96d947e8"
ACTUAL_SHA256=$(shasum -a 256 "$CHART_FILE" | awk '{print $1}')
echo "--- Chart SHA256: $ACTUAL_SHA256 ---"

if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
  echo "FAIL: SHA256 mismatch"
  echo "  expected: $EXPECTED_SHA256"
  echo "  actual:   $ACTUAL_SHA256"
  exit 1
fi

echo ""
echo "=== PASS: Helm resource download succeeded ==="
```

This should download the podinfo helm chart, unpack it and verify it. You can check the contents in test-download-helm-resource-output/extracted - it should contain podinfo-6.9.1.tgz.

Expected output

```
 /bin/zsh /Users/mbruns/dev/sap/open-component-model/cli/tmp/tests/test-download-helm-resource.sh
=== Test: Download Helm Resource (podinfo) ===
Working directory: /Users/mbruns/dev/sap/open-component-model/cli/tmp/tests/test-download-helm-resource-output
--- Adding component version to CTF ---
 COMPONENT            │ VERSION │ PROVIDER     
──────────────────────┼─────────┼──────────────
 ocm.software/podinfo │ 6.9.1   │ ocm.software 
--- Downloading helm resource ---
WARNING: Verification not found for https://stefanprodan.github.io/podinfo/podinfo-6.9.1.tgz: failed to fetch https://stefanprodan.github.io/podinfo/podinfo-6.9.1.tgz.prov : 404 Not Found
time=2026-04-16T16:00:29.876+02:00 level=INFO msg="resource downloaded successfully" output=/Users/mbruns/dev/sap/open-component-model/cli/tmp/tests/test-download-helm-resource-output/downloaded
--- Downloaded file size: 17408 bytes ---
--- Tar contents ---
./
podinfo-6.9.1.tgz
--- Chart SHA256: 6d082dc0d4e90fbb525c0c1fc8a52d5279581750b8888688b07ce00f96d947e8 ---

=== PASS: Helm resource download succeeded ===
```

If you run this on e.g. main without the resource-repo, you will see something like this:

```
=== Test: Download Helm Resource (podinfo) ===
Working directory: /Users/mbruns/dev/sap/open-component-model/cli/tmp/tests/test-download-helm-resource-output
--- Adding component version to CTF ---
 COMPONENT            │ VERSION │ PROVIDER     
──────────────────────┼─────────┼──────────────
 ocm.software/podinfo │ 6.9.1   │ ocm.software 
--- Downloading helm resource ---
Error: downloading resource for identity "name=podinfo,version=6.9.1" failed: getting resource plugin for access "helm/v1" failed: failed to get plugin for typ "helm/v1"
exit status 1
```
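
An added example, not code from this PR or the OCM project: a Go check for a downloaded archive with the layout in the tar listing above, pinning the chart's SHA-256 as the shell test does and also reporting whether a `.prov` file came with it. `ChartCheck`, `VerifyChartArchive` and `sampleArchive` are hypothetical names, and the sample archive is constructed placeholder data.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"fmt"
	"io"
	"path"
	"strings"
)

// ChartCheck reports what one downloaded archive contained.
type ChartCheck struct {
	Chart, SHA256 string
	HasProvenance bool // false corresponds to the ".prov : 404 Not Found" warning
}

// VerifyChartArchive accepts only "./", <chart>.tgz and an optional <chart>.tgz.prov, and pins the chart digest.
func VerifyChartArchive(r io.Reader, wantSHA256 string) (ChartCheck, error) {
	var res ChartCheck
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return res, fmt.Errorf("reading tar: %w", err)
		}
		if hdr.Typeflag == tar.TypeDir && path.Clean(hdr.Name) == "." {
			continue // the "./" root entry
		}
		name := strings.TrimPrefix(hdr.Name, "./")
		// Flat regular files only: no links, subdirectories, absolute paths or "..".
		flat := hdr.Typeflag == tar.TypeReg && name != ".." && name == path.Base(name)
		switch {
		case flat && strings.HasSuffix(name, ".tgz.prov"):
			res.HasProvenance = true
		case flat && strings.HasSuffix(name, ".tgz") && res.Chart == "":
			h := sha256.New()
			if _, err := io.Copy(h, tr); err != nil {
				return res, fmt.Errorf("hashing %s: %w", name, err)
			}
			res.Chart, res.SHA256 = name, fmt.Sprintf("%x", h.Sum(nil))
		default: // second chart, unknown file type or unsafe path
			return res, fmt.Errorf("unexpected entry %q", hdr.Name)
		}
	}
	if res.Chart == "" || res.SHA256 != strings.ToLower(wantSHA256) {
		return res, fmt.Errorf("chart missing or sha256 mismatch (got %q)", res.SHA256)
	}
	return res, nil
}

// sampleArchive builds a constructed in-memory tar (placeholder bytes, not a real chart).
func sampleArchive(names ...string) *bytes.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "./", Typeflag: tar.TypeDir, Mode: 0o755})
	for _, n := range names {
		body := []byte("constructed bytes for " + n)
		tw.WriteHeader(&tar.Header{Name: n, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))})
		tw.Write(body)
	}
	tw.Close()
	return bytes.NewReader(buf.Bytes())
}

func main() {
	want := fmt.Sprintf("%x", sha256.Sum256([]byte("constructed bytes for demo-1.0.0.tgz")))
	fmt.Println(VerifyChartArchive(sampleArchive("demo-1.0.0.tgz"), want))
}
```

A pinned digest only shows the bytes match what was recorded earlier; `HasProvenance` being false means no signed provenance file was available to check, as in the run above.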

@matthiasbruns matthiasbruns force-pushed the feat/911_helm_resource_repo branch from 31b0179 to ce37ee4 Compare April 1, 2026 08:01
matthiasbruns added a commit that referenced this pull request Apr 16, 2026
#### What this PR does / why we need it

Introduces a Helm-based `ResourceRepository` implementing
`repository.ResourceRepository` and
`bindings/go/plugin/manager/registries/resource/contract.go`.

Full usage can be seen here:
#2130

#### Which issue(s) this PR fixes

Contributes open-component-model/ocm-project#911

#### CLI PR
#2094

#### Testing
Fully tested in
#2130

#### Helm ResourceRepository — Changes compared to legacy OCM

- **CLI & transfer** will use the `ResourceRepository` interface instead
of the deprecated `HelmAccess` struct for
  credential identity resolution and chart downloads
- **Deprecated types removed**: `helm.ResourceConsumerIdentityProvider`
interface, `helmaccess.HelmAccess` struct, and
  their tests — functionality is covered by `ResourceRepository`
- **Blob format**: Downloads return a `ChartBlob` (tar archive wrapping
`.tgz` + optional `.prov`), replacing the legacy
  pattern of separate blob accessors for chart and provenance
- **Plugin registration**: The helm `ResourceRepository` is registered
as a builtin plugin alongside the existing OCI
and digest processor plugins in
#2130

##### Intentional differences from legacy

| | Legacy OCM | New |
|--------------------------------------|-------------------------------------------------------------------|--------------------------------------------------------------|
| `CACert` / `Keyring` on access spec | Supported as inline fields | Omitted — use credential resolver instead |
| OCI-hosted helm charts (`oci://`) | Handled by helm access method with separate OCI download path | Should use the OCI ResourceRepository (separate access type) |
| Blob return format (only internally) | Raw `.tgz` blob (`ChartLayerMediaType`), prov accessed separately | `ChartBlob` tar wrapping both `.tgz` and `.prov` |
| Local charts | Not in access method (`IsLocal() = false`) | Not in ResourceRepository — handled by helm input plugin |

##### Test coverage

- Unit tests for `ResourceRepository` (credential identity, download,
temp folder usage, nil guards)
- Unit tests for `ChartBlob` extraction (using real testdata charts)
- Integration test: `add cv` with helm access to OCI registry
- Integration test: `download resource` with helm access from CTF
(byte-level verification)
- Shell test: end-to-end download of podinfo chart with SHA256
verification

---------

Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
Co-authored-by: Jakob Möller <contact@jakob-moeller.com>
ocmbot Bot pushed a commit that referenced this pull request Apr 16, 2026
2207446
@netlify

netlify Bot commented Apr 16, 2026


Deploy Preview for ocm-website canceled.

Name Link
🔨 Latest commit 337b83b
🔍 Latest deploy log https://app.netlify.com/projects/ocm-website/deploys/69e1ddcdbc0449000800495a

@github-actions github-actions Bot added size/m Medium and removed size/l Large labels Apr 16, 2026
@matthiasbruns matthiasbruns force-pushed the feat/911_helm_resource_repo branch from 89af7d9 to fb6f41e Compare April 16, 2026 13:14
@matthiasbruns matthiasbruns mentioned this pull request Apr 16, 2026
1 task
matthiasbruns added a commit that referenced this pull request Apr 16, 2026
<!-- markdownlint-disable MD041 -->
#### What this PR does / why we need it
Follow up of
#2128
`transfer` is refactored to use the new Helm ResourceRepository.

#### Which issue(s) this PR fixes
Contributes
open-component-model/ocm-project#911

#### Testing

##### How to test the changes

Check comment:
#2130 (comment)

##### Verification

- [x] I have tested the changes locally by running `ocm`

---------

Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns matthiasbruns linked an issue Apr 16, 2026 that may be closed by this pull request
14 tasks
Implement a Helm-based ResourceRepository that allows `download resource`
to work with helm/v1 access types. This replaces the temporary
ResourceConsumerIdentityProvider interface with a proper ResourceRepository
implementation following the OCI pattern.

Closes open-component-model/ocm-project#911

Signed-off-by: Matthias Bruns <git@matthiasbruns.com>

# Conflicts:
#	bindings/go/helm/access/access.go
#	bindings/go/helm/access/access_test.go
#	bindings/go/helm/repository/resource/resource_repository.go
#	bindings/go/helm/repository/resource/resource_repository_test.go
#	bindings/go/helm/transformation/get_helm_chart.go
#	bindings/go/helm/transformation/get_helm_chart_test.go
On-behalf-of: SAP <matthias.bruns@sap.com>
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
@matthiasbruns matthiasbruns force-pushed the feat/911_helm_resource_repo branch from 34d196e to af3258d Compare April 16, 2026 13:57
@matthiasbruns matthiasbruns force-pushed the feat/911_helm_resource_repo branch from af3258d to a2f6a2d Compare April 16, 2026 13:57
matthiasbruns and others added 2 commits April 16, 2026 15:58
@matthiasbruns matthiasbruns marked this pull request as ready for review April 16, 2026 13:59
@matthiasbruns matthiasbruns requested a review from a team as a code owner April 16, 2026 13:59
@matthiasbruns

Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Apr 16, 2026

Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@matthiasbruns matthiasbruns marked this pull request as draft April 16, 2026 14:06
@matthiasbruns matthiasbruns changed the title feat!: 911 helm resource repo feat: 911 helm resource repo Apr 16, 2026
@matthiasbruns matthiasbruns removed the !BREAKING-CHANGE! Breaking change in API or ocm-cli or spec label Apr 16, 2026
@matthiasbruns matthiasbruns marked this pull request as ready for review April 16, 2026 14:18
@jakobmoellerdev jakobmoellerdev enabled auto-merge (squash) April 17, 2026 07:14
@jakobmoellerdev jakobmoellerdev merged commit 50137d2 into open-component-model:main Apr 17, 2026
48 checks passed
@matthiasbruns matthiasbruns deleted the feat/911_helm_resource_repo branch April 17, 2026 07:20
morri-son pushed a commit to morri-son/open-component-model that referenced this pull request Apr 17, 2026
Update Scheme reference in tests to use helminputspec.Scheme after
helm restructuring in open-component-model#2130. Add legacy type resolution test.

Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>
morri-son pushed a commit to morri-son/open-component-model that referenced this pull request Apr 21, 2026
Update Scheme reference in tests to use helminputspec.Scheme after
helm restructuring in open-component-model#2130. Add legacy type resolution test.

Signed-off-by: Gerald Morrison (SAP) <gerald.morrison@sap.com>