chore: add missing workflow readmes

.github/dependabot.yml

@@ -3,6 +3,6 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     cooldown:
-      default-days: 5
+      default-days: 7
     schedule:
       interval: weekly

.github/workflows/docs/diff-rendered-charts.md

@@ -0,0 +1,43 @@
+# Render and Diff Helm Charts Reusable Workflow
+
+Renders Helm charts from both the base and head refs of a pull request and posts a diff as a PR comment showing what changes will be deployed.
+
+## Overview
+
+- Detects changed Helm charts in pull requests
+- Renders charts with all values files (supports multi-layer configurations)
+- Posts a unified diff as a PR comment
+
+## Usage
+
+Call this workflow from your repository's pull request workflow:
+
+```yaml
+name: Review Helm Chart Changes
+
+on:
+  pull_request:
+    paths:
+      - '**/k8s/**'
+
+jobs:
+  diff-charts:
+    uses: mozilla-it/deploy-actions/.github/workflows/diff-rendered-charts.yml@main
+```
+
+## Example Output
+
+When changes are detected, a comment will be posted to the PR:
+
+```diff
+Changes found in Helm charts.
+
+Changes found in chart: apps/my-service/k8s
+--- shared/base-charts/apps/my-service/k8s/values-prod/my-service/templates/deployment.yaml
++++ shared/head-charts/apps/my-service/k8s/values-prod/my-service/templates/deployment.yaml
+@@ -15,7 +15,7 @@
+       containers:
+       - name: my-service
+-        image: my-service:v1.0.0
++        image: my-service:v1.1.0
+```

.github/workflows/docs/psa-checker.md

@@ -0,0 +1,63 @@
+# Pod Security Standards Checker Reusable Workflow
+
+Validates that Helm charts meet Kubernetes [Pod Security Standards (PSS)](https://kubernetes.io/docs/concepts/security/pod-security-standards/) using the [psa-checker](https://github.com/mozilla/psa-checker) tool.
+
+## Overview
+
+Checks rendered Helm chart manifests against a specified Pod Security Standard level (`privileged`, `baseline`, or `restricted`).
+
+## Inputs
+
+| Name        | Required | Type   | Default        | Description                                              |
+| ----------- | -------- | ------ | -------------- | -------------------------------------------------------- |
+| `pss_level` | false    | string | `"restricted"` | PSS level to check against: `privileged`, `baseline`, or `restricted` |
+
+## Prerequisites
+
+**IMPORTANT**: This workflow requires rendered chart artifacts from the `validate-k8s-manifests` workflow. Use `needs: validate_k8s_manifests` when calling this workflow.
+
+## Usage
+
+### Basic usage with default (restricted) level
+
+```yaml
+name: Validate Kubernetes Manifests
+
+on:
+  pull_request:
+    paths:
+      - '**/k8s/**'
+
+jobs:
+  validate:
+    uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main
+
+  check-pss:
+    needs: validate
+    uses: mozilla-it/deploy-actions/.github/workflows/psa-checker.yml@main
+```
+
+### Custom PSS level
+
+```yaml
+name: Validate Kubernetes Manifests
+
+on:
+  pull_request:
+    paths:
+      - '**/k8s/**'
+
+jobs:
+  validate:
+    uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main
+
+  check-pss:
+    needs: validate
+    uses: mozilla-it/deploy-actions/.github/workflows/psa-checker.yml@main
+    with:
+      pss_level: baseline
+```
+
+## Troubleshooting
+
+If validation fails, review the workflow output to identify violations and consult the [Pod Security Standards documentation](https://kubernetes.io/docs/concepts/security/pod-security-standards/) for requirements.

.github/workflows/docs/validate-k8s-manifests.md

@@ -0,0 +1,81 @@
+# Render Helm Charts and Validate Kubernetes Manifests Reusable Workflow
+
+Renders Helm charts and validates the resulting Kubernetes manifests using [kubeconform](https://github.com/yannh/kubeconform). Posts validation failures as PR comments and uploads rendered manifests as artifacts for use by other workflows.
+
+## Inputs
+
+| Name     | Required | Type    | Default | Description                              |
+| -------- | -------- | ------- | ------- | ---------------------------------------- |
+| `strict` | false    | boolean | `false` | Run kubeconform with strict validation   |
+
+### Strict Mode
+
+When `strict: true`, kubeconform will reject resources with unknown fields and enforce stricter schema validation.
+
+## Usage
+
+### Basic validation
+
+```yaml
+name: Validate Kubernetes Manifests
+
+on:
+  pull_request:
+    paths:
+      - '**/k8s/**'
+
+jobs:
+  validate:
+    uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main
+```
+
+### Strict validation
+
+```yaml
+name: Validate Kubernetes Manifests
+
+on:
+  pull_request:
+    paths:
+      - '**/k8s/**'
+
+jobs:
+  validate:
+    uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main
+    with:
+      strict: true
+```
+
+### With pod security checking
+
+```yaml
+name: Validate Kubernetes Manifests
+
+on:
+  pull_request:
+    paths:
+      - '**/k8s/**'
+
+jobs:
+  validate:
+    uses: mozilla-it/deploy-actions/.github/workflows/validate-k8s-manifests.yml@main
+
+  check-pss:
+    needs: validate
+    uses: mozilla-it/deploy-actions/.github/workflows/psa-checker.yml@main
+```
+
+## Example Output
+
+When validation fails, a comment is posted to the PR:
+
+```text
+Kubernetes Manifest Validation: 2 resources found - Valid: 0, Invalid: 2, Errors: 0, Skipped: 0
+
+apps/my-service/k8s/values-prod/my-service/templates/deployment.yaml - Deployment my-service failed validation: missing required field "selector" in io.k8s.api.apps.v1.Deployment
+apps/my-service/k8s/values-prod/my-service/templates/service.yaml - Service my-service failed validation: Invalid value: "LoadBalancerr": spec.type
+```
+
+## Artifacts
+
+Rendered manifests are uploaded as artifacts with the pattern `k8s-manifests-*` and can be consumed by other workflows like `psa-checker`.

README.md

@@ -8,6 +8,9 @@ This repository contains GitHub Actions Composite Actions used for Deployment Au
 
 ## Workflows
 * [build-and-push](./.github/workflows/docs/build-and-push.md)
+* [diff-rendered-charts](./.github/workflows/docs/diff-rendered-charts.md)
+* [psa-checker](./.github/workflows/docs/psa-checker.md)
+* [validate-k8s-manifests](./.github/workflows/docs/validate-k8s-manifests.md)
 
 
 ## Releases & Tags