diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..8a90cca
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
\ No newline at end of file
diff --git a/.github/workflows/acceptance.yaml b/.github/workflows/acceptance.yaml
index e3c28e3..ac1dac1 100644
--- a/.github/workflows/acceptance.yaml
+++ b/.github/workflows/acceptance.yaml
@@ -1,7 +1,5 @@ name: Acceptance Tests - on: [push, workflow_dispatch] - jobs: kind: strategy:
@@ -13,14 +11,14 @@ jobs: - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - name: Setup test tools uses: ./.github/workflows/setup-test-tools - - name: Create K8s Kind Cluster uses: helm/kind-action@d8ccf8fb623ce1bb360ae2f45f323d9d5c5e9f00 # v1.5.0 with: config: test/kind/config.yaml node_image: kindest/node:v${{ matrix.kind-k8s-version }} version: v0.17.0 - - run: bats --tap --timing ./test/acceptance env: VAULT_LICENSE_CI: ${{ secrets.VAULT_LICENSE_CI }} +permissions: + contents: read
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
new file mode 100644
index 0000000..bdee70f
--- /dev/null
+++ b/.github/workflows/actionlint.yml
@@ -0,0 +1,16 @@
+# If the repository is public, be sure to change to GitHub hosted runners
+name: Lint GitHub Actions Workflows
+on:
+ push:
+ paths:
+ - .github/workflows/**.yml
+ pull_request:
+ paths:
+ - .github/workflows/**.yml
+permissions:
+ contents: read
+jobs:
+ actionlint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@main
diff --git a/.github/workflows/setup-test-tools/action.yaml b/.github/workflows/setup-test-tools/action.yaml
index 7683deb..d666e23 100644
--- a/.github/workflows/setup-test-tools/action.yaml
+++ b/.github/workflows/setup-test-tools/action.yaml
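Review bot: In .github/workflows/acceptance.yaml the new top-level `permissions:` block is appended after the last job, where a reader scanning the trigger and job headers will not see it. The workflows added in this commit (actionlint.yml, update-helm-charts-index.yml) place it right after `on:`; moving `permissions:` / `contents: read` to sit below `on: [push, workflow_dispatch]` keeps the token scope visible next to the trigger. The same applies to the block appended at the end of .github/workflows/tests.yaml. Behaviour is the same either way, since key order in the mapping does not matter.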
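Review bot: In .github/workflows/actionlint.yml the `uses:` entry sits under `steps:` but its target is a workflow file (`.../.github/workflows/actionlint.yaml`); a reusable workflow can only be called at the job level, so this step would presumably fail to resolve as an action. Drop `runs-on`/`steps` and put `uses: hashicorp/vault-workflows-common/.github/workflows/actionlint.yaml@<full-commit-sha>  # <tag>` directly under `actionlint:` (placeholder ref; the other `uses:` lines in this commit are pinned by SHA, whereas `@main` follows whatever that branch holds later). The `paths` filters also list only `.github/workflows/**.yml`, yet the existing workflows here are `acceptance.yaml` and `tests.yaml`, so edits to those would not trigger the lint; adding `- .github/workflows/**.yaml` to both filters covers them.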
@@ -1,6 +1,5 @@ name: Setup common testing tools description: Install bats and python-yq - runs: using: "composite" steps:
@@ -18,3 +17,5 @@ runs: python-version: '3.10' - run: pip install yq shell: bash +permissions: + contents: read
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 5bfd153..30968c8 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -1,7 +1,5 @@ name: Tests - on: [push, workflow_dispatch] - jobs: bats-unit-tests: runs-on: ubuntu-latest
@@ -9,7 +7,6 @@ jobs: - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - uses: ./.github/workflows/setup-test-tools - run: bats --tap --timing ./test/unit - chart-verifier: runs-on: ubuntu-latest env:
@@ -23,3 +20,5 @@ jobs: go-version: '1.19.2' - run: go install github.com/redhat-certification/chart-verifier@${CHART_VERIFIER_VERSION} - run: bats --tap --timing ./test/chart +permissions: + contents: read
diff --git a/.github/workflows/update-helm-charts-index.yml b/.github/workflows/update-helm-charts-index.yml
new file mode 100644
index 0000000..7a1061d
--- /dev/null
+++ b/.github/workflows/update-helm-charts-index.yml
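Review bot: In .github/workflows/setup-test-tools/action.yaml the added `permissions:` / `contents: read` does not restrict the token: this file is a composite action (`using: "composite"`), and `permissions` is a workflow- and job-level key, not part of action metadata. The steps here run with whatever the calling job grants, which acceptance.yaml and tests.yaml now set to `contents: read` themselves in this commit. I would drop the two lines so the file does not suggest a restriction it cannot enforce; depending on how strictly the metadata is validated, the unknown key may also be reported as an error when the action is loaded.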
@@ -0,0 +1,40 @@
+name: update-helm-charts-index
+on:
+ push:
+ tags:
+ - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+ contents: read
+
+jobs:
+ update-helm-charts-index:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+ - name: verify Chart version matches tag version
+ run: |-
+ export TAG=${{ github.ref_name }}
+ git_tag=$(echo "${TAG#v}")
+ chart_tag=$(yq r Chart.yaml version)
+ if [ "${git_tag}" != "${chart_tag}" ]; then
+ echo "chart version (${chart_tag}) did not match git version (${git_tag})"
+ exit 1
+ fi
+ - name: update helm-charts index
+ id: update
+ env:
+ GH_TOKEN: ${{ secrets.HELM_CHARTS_GITHUB_TOKEN }}
+ run: |-
+ gh workflow run publish-charts.yml \
+ --repo hashicorp/helm-charts \
+ --ref main \
+ -f SOURCE_TAG="${{ github.ref_name }}" \
+ -f SOURCE_REPO="${{ github.repository }}"
+ - uses: hashicorp/actions-slack-status@v1
+ if: ${{always()}}
+ with:
+ success-message: "vault-helm charts index update triggered successfully. View the run ."
+ failure-message: "vault-helm charts index update trigger failed."
+ status: ${{job.status}}
+ slack-webhook-url: ${{secrets.SLACK_WEBHOOK_URL}}
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..af6a350
--- /dev/null
+++ b/CODEOWNERS
@@ -0,0 +1 @@
+* @hashicorp/vault-ecosystem-foundations
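Review bot: In .github/workflows/update-helm-charts-index.yml, `${{ github.ref_name }}` and `${{ github.repository }}` are expanded into the text of both `run:` scripts before the shell parses them, so the scripts' safety rests entirely on the tag filter. Passing the values through the step's `env:` (`TAG: ${{ github.ref_name }}`, then `git_tag="${TAG#v}"` and `-f SOURCE_TAG="${TAG}"`) keeps them as data even if the trigger is widened later. `hashicorp/actions-slack-status@v1` receives `SLACK_WEBHOOK_URL` but is referenced by a movable tag, unlike `actions/checkout`, which is pinned to a commit SHA with a version comment; pinning it the same way would be consistent. `yq r Chart.yaml version` is yq v3 syntax, so it is worth confirming which yq the `ubuntu-latest` image provides, since this job does not run the repo's setup-test-tools action.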