Thanks for providing the detailed commit instructions. However, I not…

.github/WORKFLOWS.md

@@ -0,0 +1,130 @@
+# GitHub Workflows Documentation
+
+This document describes the automated workflows used in this repository.
+
+## 📋 Available Workflows
+
+### 1. CI Workflow (`ci.yml`)
+**Trigger**: Push and Pull Requests
+
+Validates the Helm chart on every code change:
+- Lints the chart using `helm lint`
+- Runs chart testing with `ct lint`
+- Validates template rendering
+- Ensures chart quality and best practices
+
+### 2. Release Workflow (`release.yml`)
+**Trigger**: Push to `main` branch (when Chart.yaml version changes)
+
+Automates chart releases:
+- Creates GitHub releases
+- Signs the chart with GPG
+- Publishes to GitHub Pages (Helm repository)
+- Updates Artifact Hub
+
+### 3. Auto-Update Valkey Version (`update-valkey-version.yml`)
+**Trigger**:
+- Weekly schedule (Mondays at 9:00 AM UTC)
+- Manual dispatch
+
+Automatically keeps Valkey version up-to-date:
+
+#### How It Works
+
+```mermaid
+graph TD
+    A[Scheduled: Every Monday] --> B[Pull cgr.dev/chainguard/valkey:latest]
+    C[Manual Trigger] --> B
+    B --> D[Detect Valkey version]
+    D --> E{Version changed?}
+    E -->|No| F[✓ No action needed]
+    E -->|Yes| G[Update Chart.yaml appVersion]
+    G --> H[Bump chart patch version]
+    H --> I[Update CHANGELOG.md]
+    I --> J[Create Pull Request]
+    J --> K[Review & Merge]
+    K --> L[Release workflow triggers]
+```
+
+#### What It Does
+
+1. **Version Detection**
+   - Pulls the latest Chainguard Valkey image
+   - Runs `valkey-server --version` to detect the exact version
+   - Compares with current `appVersion` in `Chart.yaml`
+
+2. **If Version Changed**
+   - Updates `appVersion` in `Chart.yaml` to the new version
+   - Bumps the chart patch version (e.g., `0.2.0` → `0.2.1`)
+   - Adds entry to `CHANGELOG.md` with the version change
+   - Creates a pull request with all changes
+
+3. **Pull Request Contents**
+   - Clear title: `chore: update Valkey to version X.Y.Z`
+   - Detailed body with old → new version info
+   - Labeled as `automated`, `version-update`, `dependencies`
+   - Ready for review and merge
+
+4. **After Merge**
+   - Release workflow automatically triggers
+   - New chart version is published
+   - Users get the updated version
+
+#### Manual Trigger
+
+You can manually trigger the workflow from GitHub:
+
+1. Go to **Actions** tab
+2. Select **Update Valkey Version** workflow
+3. Click **Run workflow**
+4. Select branch (usually `main`)
+
+This is useful when you want to check for updates immediately instead of waiting for the weekly schedule.
+
+#### Why This Approach?
+
+**Benefits:**
+- ✅ Chart stays current with latest Valkey releases
+- ✅ Security updates are tracked and applied quickly
+- ✅ Full transparency via pull requests
+- ✅ Human review before changes are published
+- ✅ Automatic changelog maintenance
+
+**Trade-offs:**
+- ⚠️ Chainguard free tier only provides `latest` tag
+- ⚠️ Updates are reactive (weekly check) not instant
+- ⚠️ Requires manual PR merge (by design, for safety)
+
+## 🔧 Maintenance
+
+### Adjusting Update Frequency
+
+Edit the cron schedule in `update-valkey-version.yml`:
+
+```yaml
+schedule:
+  - cron: '0 9 * * 1'  # Every Monday at 9:00 AM UTC
+```
+
+Common schedules:
+- Daily: `'0 9 * * *'`
+- Twice a week: `'0 9 * * 1,4'` (Monday and Thursday)
+- Monthly: `'0 9 1 * *'` (First day of month)
+
+### Troubleshooting
+
+**If version detection fails:**
+1. Check Docker pull permissions for Chainguard registry
+2. Verify the `--version` command output format hasn't changed
+3. Review workflow logs in Actions tab
+
+**If PRs aren't being created:**
+1. Ensure GitHub Actions has write permissions
+2. Check if there's already an open PR for version update
+3. Verify the comparison logic in the workflow
+
+## 📚 References
+
+- [Chainguard Images](https://www.chainguard.dev/chainguard-images)
+- [Helm Chart Best Practices](https://helm.sh/docs/chart_best_practices/)
+- [GitHub Actions Documentation](https://docs.github.com/en/actions)

.github/workflows/update-valkey-version.yml

@@ -0,0 +1,144 @@
+name: Update Valkey Version
+
+on:
+  schedule:
+    # Runs every Monday at 9:00 AM UTC
+    - cron: '0 9 * * 1'
+  workflow_dispatch: # Allows manual trigger
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  check-and-update:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get Valkey version from Chainguard image
+        id: get-version
+        run: |
+          # Pull the latest Chainguard Valkey image
+          docker pull cgr.dev/chainguard/valkey:latest
+
+          # Get Valkey version from the container
+          # Using sed for better compatibility (works on both Linux and macOS)
+          VERSION=$(docker run --rm cgr.dev/chainguard/valkey:latest --version | sed -n 's/.*v=\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
+
+          if [ -z "$VERSION" ]; then
+            echo "Failed to detect Valkey version"
+            exit 1
+          fi
+
+          echo "detected_version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Detected Valkey version: $VERSION"
+
+      - name: Get current appVersion from Chart.yaml
+        id: current-version
+        run: |
+          CURRENT=$(grep '^appVersion:' Chart.yaml | awk '{print $2}' | tr -d '"')
+          echo "current_version=$CURRENT" >> $GITHUB_OUTPUT
+          echo "Current appVersion: $CURRENT"
+
+      - name: Compare versions
+        id: compare
+        run: |
+          DETECTED="${{ steps.get-version.outputs.detected_version }}"
+          CURRENT="${{ steps.current-version.outputs.current_version }}"
+
+          if [ "$DETECTED" != "$CURRENT" ]; then
+            echo "needs_update=true" >> $GITHUB_OUTPUT
+            echo "Version mismatch detected: $CURRENT -> $DETECTED"
+          else
+            echo "needs_update=false" >> $GITHUB_OUTPUT
+            echo "Version is up to date: $CURRENT"
+          fi
+
+      - name: Update Chart.yaml
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          NEW_VERSION="${{ steps.get-version.outputs.detected_version }}"
+
+          # Update appVersion in Chart.yaml
+          sed -i "s/^appVersion: .*/appVersion: \"$NEW_VERSION\"/" Chart.yaml
+
+          # Bump patch version of chart
+          CHART_VERSION=$(grep '^version:' Chart.yaml | awk '{print $2}')
+          # Simple patch bump (you might want to use semver tool for production)
+          NEW_CHART_VERSION=$(echo $CHART_VERSION | awk -F. '{$NF = $NF + 1;} 1' | sed 's/ /./g')
+          sed -i "s/^version: .*/version: $NEW_CHART_VERSION/" Chart.yaml
+
+          echo "Updated appVersion to $NEW_VERSION"
+          echo "Updated chart version to $NEW_CHART_VERSION"
+
+      - name: Update CHANGELOG
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          NEW_VERSION="${{ steps.get-version.outputs.detected_version }}"
+          CHART_VERSION=$(grep '^version:' Chart.yaml | awk '{print $2}')
+          DATE=$(date +%Y-%m-%d)
+
+          # Create or update CHANGELOG
+          if [ ! -f CHANGELOG.md ]; then
+            echo "# Changelog" > CHANGELOG.md
+            echo "" >> CHANGELOG.md
+          fi
+
+          # Add new entry
+          sed -i "3i\\
+## [$CHART_VERSION] - $DATE\n\\
+\n\\
+### Changed\n\\
+- Updated Valkey to version $NEW_VERSION (from Chainguard latest image)\n" CHANGELOG.md
+
+      - name: Create Pull Request
+        if: steps.compare.outputs.needs_update == 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: |
+            chore: update Valkey to version ${{ steps.get-version.outputs.detected_version }}
+
+            - Updated appVersion from ${{ steps.current-version.outputs.current_version }} to ${{ steps.get-version.outputs.detected_version }}
+            - Automatically detected from cgr.dev/chainguard/valkey:latest
+
+            Co-Authored-By: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          branch: auto-update-valkey-${{ steps.get-version.outputs.detected_version }}
+          delete-branch: true
+          title: "chore: update Valkey to version ${{ steps.get-version.outputs.detected_version }}"
+          body: |
+            ## 🤖 Automated Valkey Version Update
+
+            This PR was automatically created by the version checker workflow.
+
+            ### Changes
+            - **Valkey version**: `${{ steps.current-version.outputs.current_version }}` → `${{ steps.get-version.outputs.detected_version }}`
+            - **Source**: Detected from `cgr.dev/chainguard/valkey:latest`
+            - **Chart version**: Bumped patch version
+
+            ### Verification
+            The version was detected by pulling the latest Chainguard Valkey image and running `--version`.
+
+            ### Next Steps
+            - Review the changes
+            - Merge to trigger a new chart release
+            - The release workflow will automatically publish to GitHub Pages
+
+            ---
+            🔄 This check runs weekly on Mondays at 9:00 AM UTC
+          labels: |
+            automated
+            version-update
+            dependencies
+
+      - name: Summary
+        run: |
+          if [ "${{ steps.compare.outputs.needs_update }}" == "true" ]; then
+            echo "✅ Version update PR created: ${{ steps.current-version.outputs.current_version }} → ${{ steps.get-version.outputs.detected_version }}"
+          else
+            echo "✅ No update needed. Current version ${{ steps.current-version.outputs.current_version }} is up to date."
+          fi

CHANGELOG.md

@@ -0,0 +1,41 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.2.0] - 2025-02-14
+
+### Changed
+- Switch to Chainguard zero-CVE images for enhanced security (valkey, kubectl, wolfi-base)
+- Update container user from 999 to 65532 (Chainguard default)
+- Simplify health check scripts for distroless compatibility
+- Update pre-upgrade hook to work without shell
+
+### Added
+- Automated version checking workflow (runs weekly)
+- Documentation for image versioning strategy
+- CHANGELOG.md for tracking releases
+
+### Security
+- Migration to Chainguard images with zero known CVEs
+- Enhanced security with distroless base images
+
+## [0.1.0] - 2024
+
+### Added
+- Initial release of Valkey Helm Chart
+- Standalone mode support
+- Sentinel mode for high availability
+- Authentication and security features
+- Persistence configuration
+- Prometheus metrics exporter
+- TLS support
+- Pre-upgrade hooks for zero-downtime migrations
+- Network policies and RBAC
+- Comprehensive documentation
+
+---
+
+**Note**: Starting from v0.2.0, this chart uses `cgr.dev/chainguard/valkey:latest` and the `appVersion` is automatically updated weekly via GitHub Actions when new Valkey versions are released.

README.md

@@ -3,6 +3,8 @@
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/valkey-redis)](https://artifacthub.io/packages/helm/valkey-redis/valkey)
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Helm](https://img.shields.io/badge/Helm-3.x-blue)](https://helm.sh)
+[![Auto-Update](https://img.shields.io/badge/Auto--Update-Weekly-green)](https://github.com/start-codex/valkey-helm-chart/actions/workflows/update-valkey-version.yml)
+[![Chainguard](https://img.shields.io/badge/Images-Chainguard%20%7C%20Zero%20CVE-brightgreen)](https://www.chainguard.dev/)
 
 <p align="center">
   <img src="https://valkey.io/img/valkey-logo-og.png" alt="Valkey Logo" width="300">
@@ -14,6 +16,7 @@ Helm chart for deploying [Valkey](https://valkey.io/) on Kubernetes. Valkey is a
 
 - [Features](#features)
 - [Requirements](#requirements)
+- [Image Versioning Strategy](#image-versioning-strategy)
 - [Quick Start](#quick-start)
 - [Architectures](#architectures)
 - [Configuration](#configuration)
@@ -46,6 +49,35 @@ Helm chart for deploying [Valkey](https://valkey.io/) on Kubernetes. Valkey is a
 | Kubernetes | >= 1.23 |
 | Helm | >= 3.8 |
 
+## Image Versioning Strategy
+
+This chart uses **Chainguard's zero-CVE Valkey images** for enhanced security.
+
+### Why `latest` tag?
+
+- **Free tier limitation**: Chainguard's free tier only provides the `latest` tag
+- **Automatic updates**: Using `latest` ensures you always get the most recent security patches
+- **Zero CVEs**: Chainguard images are rebuilt continuously to maintain zero known vulnerabilities
+
+### Version tracking
+
+- **appVersion in Chart.yaml**: Reflects the current Valkey version available in `cgr.dev/chainguard/valkey:latest`
+- **Automated updates**: A GitHub Action checks weekly for version updates and creates PRs automatically
+- **Transparency**: Every version change is tracked via pull requests and changelog entries
+
+### For production use
+
+If you require **version pinning** for production:
+
+```yaml
+# Override with a specific version (requires Chainguard Pro or alternative registry)
+image:
+  repository: valkey/valkey  # Official Valkey images
+  tag: "9.0.0"               # Specific version tag
+```
+
+> **Note**: Using `latest` provides continuous security updates but means deployments may pull different versions over time. For strict reproducibility, consider using image digests or switching to a registry that provides versioned tags.
+
 ## Quick Start
 
 ```bash