fix: pull external-secrets chart from OCI

.gitea/workflows/deploy.yml

@@ -237,14 +237,37 @@ jobs:
           }
 
           eso_diagnostics() {
-            kubectl -n flux-system get kustomizations,helmrepositories,helmcharts,helmreleases || true
+            kubectl -n flux-system get kustomizations,ocirepositories,helmrepositories,helmcharts,helmreleases || true
             kubectl -n flux-system describe kustomization addon-external-secrets || true
-            kubectl -n flux-system describe helmrepository external-secrets || true
-            kubectl -n flux-system describe helmchart.source.toolkit.fluxcd.io flux-system-external-secrets || true
+            kubectl -n flux-system describe ocirepository external-secrets || true
             kubectl -n flux-system describe helmrelease external-secrets || true
             kubectl -n external-secrets get pods -o wide || true
           }
 
+          wait_for_flux_oci_helm_release() {
+            local oci_name="$1"
+            local release_name="$2"
+            local target_namespace="$3"
+            local oci_timeout="$4"
+            local release_timeout="$5"
+            local reconcile_at
+
+            wait_for_resource flux-system "ocirepository.source.toolkit.fluxcd.io/${oci_name}" 600
+            reconcile_at="$(date +%s)"
+            kubectl -n flux-system annotate "ocirepository/${oci_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
+            kubectl -n flux-system annotate "helmrelease/${release_name}" reconcile.fluxcd.io/requestedAt="${reconcile_at}" --overwrite
+
+            if ! kubectl -n flux-system wait --for=condition=Ready "ocirepository/${oci_name}" --timeout="${oci_timeout}"; then
+              eso_diagnostics
+              exit 1
+            fi
+
+            if ! kubectl -n flux-system wait --for=condition=Ready "helmrelease/${release_name}" --timeout="${release_timeout}"; then
+              eso_diagnostics
+              exit 1
+            fi
+          }
+
           flux_helm_diagnostics() {
             local repo_name="$1"
             local chart_name="$2"
@@ -318,7 +341,7 @@ jobs:
           # Wait directly on the ESO Helm objects; Kustomization readiness hides useful failure details.
           wait_for_resource flux-system kustomization.kustomize.toolkit.fluxcd.io/addon-external-secrets 600
           kubectl -n flux-system annotate kustomization/addon-external-secrets reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
-          wait_for_flux_helm_release external-secrets flux-system-external-secrets external-secrets external-secrets 900s 1800s 1800s
+          wait_for_flux_oci_helm_release external-secrets external-secrets external-secrets 1800s 1800s
           wait_for_resource "" crd/clustersecretstores.external-secrets.io 900
           wait_for_resource "" crd/externalsecrets.external-secrets.io 900
           kubectl wait --for=condition=established --timeout=600s crd/clustersecretstores.external-secrets.io