diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 322842a4b81a88743994447748bb5e75732c70d1..3140a9f47628dc9258adfe0b2935098eea0b4ade 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,8 +1,44 @@
+generate:
+  stage: build
+  needs: []
+  image: harbor.pasteur.fr/kube-system/helm-kubectl:3.4.0
+  script:
+    - mkdir -p out-templates
+    - helm dependency update ./test-chart/
+    - >
+      helm template
+      --values ./test-chart/values.yaml
+      --values ./test-chart/values-${VALUES_SUFFIX}.yaml
+      toto ./test-chart/ > out-templates/template-${VALUES_SUFFIX}.yaml
+  parallel:
+    matrix:
+      - VALUES_SUFFIX: [
+          "with-storage",
+          "blank"
+        ]
+  artifacts:
+    paths:
+    - out-templates
+    expire_in: 1 week
+
+
+
+test:
+  stage: build
+  needs: ["generate"]
+  image: docker:24
+  before_script:
+    - i=0; while [ "$i" -lt 60 ]; do docker info && break; sleep 1; i=$(( i + 1 )) ; done
+  script:
+    - docker run -v ./kubelinter-config.yaml:/etc/config.yaml -v ./out-templates:/dir stackrox/kube-linter lint /dir --config /etc/config.yaml
+
 
 
 upload:
+  only:
+    - helm
   stage: build
-  needs: []
+  needs: ["test"]
   image: harbor.pasteur.fr/kube-system/helm-kubectl:3.4.0
   script:
     - CHART_VERSION=$(helm show chart shiny-k8s-toolkit-helm | grep version | cut -d' ' -f2)
@@ -20,6 +56,9 @@ upload:
 
 
 trigger_job:
+  only:
+    - helm
+  stage: deploy
   needs: ["upload"]
   trigger:
-    project: hub/shiny-k8s-example
\ No newline at end of file
+    project: hub/shiny-k8s-example
diff --git a/kubelinter-config.yaml b/kubelinter-config.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..45c4ebd13823e1d88bf3bb39629460602e15fdeb
--- /dev/null
+++ b/kubelinter-config.yaml
@@ -0,0 +1,3 @@
+checks:
+  exclude:
+    - "latest-tag"
\ No newline at end of file
diff --git a/shiny-k8s-toolkit-helm/templates/deployment.yaml b/shiny-k8s-toolkit-helm/templates/deployment.yaml
index 989e58afbb6c9bf1b8f9dd67967b0a00e7cbf108..9df703a4d88ffefdccfd8b26e9fc1f674e945513 100644
--- a/shiny-k8s-toolkit-helm/templates/deployment.yaml
+++ b/shiny-k8s-toolkit-helm/templates/deployment.yaml
@@ -41,6 +41,7 @@ spec:
           securityContext:
             runAsGroup: 999
             runAsUser: 999
+            readOnlyRootFilesystem: true
           ports:
             - name: http
               containerPort: 3838
diff --git a/test-chart/Chart.yaml b/test-chart/Chart.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0afcda46e9d99d28db91ba42e1f0705a272488a2
--- /dev/null
+++ b/test-chart/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: test-project
+description: A test project
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.0.0"
+
+dependencies:
+- name: shiny-k8s-toolkit-helm
+  version: "*"
+  repository: "file://../shiny-k8s-toolkit-helm"
diff --git a/test-chart/values-blank.yaml b/test-chart/values-blank.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/test-chart/values-with-storage.yaml b/test-chart/values-with-storage.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e6458808e0f38dc7a9e51595a00c1676fc82caae
--- /dev/null
+++ b/test-chart/values-with-storage.yaml
@@ -0,0 +1,3 @@
+shiny-k8s-toolkit-helm:
+  storage:
+    enabled: true
diff --git a/test-chart/values.yaml b/test-chart/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..140eee49b55b613f0f309596f9b825a35eac35b8
--- /dev/null
+++ b/test-chart/values.yaml
@@ -0,0 +1,15 @@
+shiny-k8s-toolkit-helm:
+  autoscaling:
+    enabled: false
+  nodowntime:
+    enabled: false
+  registry:
+    private: false
+  resources:
+    requests:
+      cpu: '250m'
+    limits:
+      cpu: '500m'
+  storage:
+    enabled: false
+    keepOnDelete: false # should be false in dev, true in prod