diff --git a/.github/workflows/releasing.yaml b/.github/workflows/releasing.yaml
new file mode 100644
index 0000000..e4016f8
--- /dev/null
+++ b/.github/workflows/releasing.yaml
@@ -0,0 +1,46 @@
+# File: .github/workflows/publish-helm.yaml
+name: Publish Helm Chart to GHCR
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Helm
+ uses: azure/setup-helm@v3
+ with:
+ version: v3.14.0
+
+ - name: Install yq
+ uses: mikefarah/yq-action@v1.1.0
+
+ - name: Read chart version
+ id: chart
+ run: |
+ echo "version=$(yq -r '.version' Chart.yaml)" >> $GITHUB_OUTPUT
+
+ - name: Log in to GitHub Container Registry
+ run: |
+ echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io \
+ --username "${{ github.actor }}" --password-stdin
+
+ - name: Package & Push chart
+ run: |
+ # Package the chart from repo root (where Chart.yaml lives)
+ helm package . --destination .
+
+ # Push to GHCR under oc-community
+ TARBALL="oc-community-${{ steps.chart.outputs.version }}.tgz"
+ helm push "$TARBALL" oci://ghcr.io/${{ github.repository }}/oc-community
diff --git a/README.md b/README.md
index fec6fc3..29beaea 100644
--- a/README.md
+++ b/README.md
@@ -745,4 +745,4 @@ This project is licensed under the **AGPLv3** licence. See the [LICENSE](LICENSE ## Community Maintained
-This repository is **community-maintained** and **not officially supported by OpenCloud GmbH**. Use at your own risk, and feel free to contribute to improve the project!
+This repository is **community-maintained** and **not officially supported by OpenCloud GmbH**. Use at your own risk, and feel free to contribute to improve the project!
\ No newline at end of file
diff --git a/templates/collaboration/deployment.yaml b/templates/collaboration/deployment.yaml
index c0ad91d..9eeb7e5 100644
--- a/templates/collaboration/deployment.yaml
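Review bot: In `.github/workflows/releasing.yaml` the three `uses:` steps reference mutable tags (`actions/checkout@v3`, `azure/setup-helm@v3`, `mikefarah/yq-action@v1.1.0`) in a job that holds `packages: write` and logs in to ghcr.io with `GITHUB_TOKEN`, so a moved tag would run unreviewed code with publish rights. Pin each one to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`. The `run:` blocks also paste `${{ steps.chart.outputs.version }}` (read from Chart.yaml) and `${{ github.actor }}` directly into shell text; pass them through `env:` and reference `"$CHART_VERSION"` so the value is treated as data rather than script. The header comment names `publish-helm.yaml` while the file is `releasing.yaml`.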
+++ b/templates/collaboration/deployment.yaml
@@ -7,6 +7,8 @@ metadata:
 labels:
 {{- include "opencloud.labels" . | nindent 4 }}
 app.kubernetes.io/component: collaboration
+ annotations:
+ helm.sh/hook-weight: "10"
 spec:
 replicas: 1
 selector:
@@ -25,18 +27,7 @@ spec:
 # Wait for OpenCloud to be ready
 - name: wait-for-opencloud
 image: busybox
- command: ['sh', '-c', 'until wget -q -O- http://{{ include "opencloud.opencloud.fullname" . }}:9200/health; do echo waiting for opencloud; sleep 5; done;']
-
- {{- if not .Values.opencloud.persistence.enabled }}
- # Copy config from OpenCloud API if persistence is disabled
- - name: copy-config
- image: busybox
- command: ['sh', '-c', 'mkdir -p /etc/opencloud && wget -q -O /etc/opencloud/config.json http://{{ include "opencloud.opencloud.fullname" . }}:9200/api/v1/config/secrets || echo "Failed to get config from OpenCloud"']
- volumeMounts:
- - name: etc-opencloud
- mountPath: /etc/opencloud
- {{- end }}
-
+ command: ['sh', '-c', 'until wget -q -O- http://{{ include "opencloud.opencloud.fullname" . }}:9200/health; do echo waiting for opencloud; sleep 5; done;']
 # Wait for OnlyOffice to be ready
 - name: wait-for-onlyoffice
 image: busybox
@@ -76,6 +67,16 @@ spec:
 value: "{{ .Values.opencloud.logLevel }}"
 - name: OC_URL
 value: "https://{{ include "opencloud.domain" . }}"
+ - name: OC_JWT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "opencloud.fullname" . }}-oc-secrets
+ key: jwt-secret
+ - name: COLLABORATION_WOPI_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "opencloud.fullname" . }}-oc-secrets
+ key: wopi-secret
 ports:
 - name: http
 containerPort: 9300
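Review bot: The new `annotations:` block in the first hunk of `templates/collaboration/deployment.yaml` contains only `helm.sh/hook-weight: "10"`, and Helm reads hook weights only on resources that also carry a `helm.sh/hook` annotation, so on this Deployment the weight orders nothing. The `wait-for-opencloud` init container in the next hunk already sequences startup against OpenCloud, so the annotation can be dropped. If it is kept, add a comment above it stating what ordering it is meant to provide, e.g. `# intended to start after the OpenCloud Deployment`.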
@@ -96,19 +97,10 @@ spec:
 initialDelaySeconds: 200
 periodSeconds: 5
 failureThreshold: 1
- volumeMounts:
- - name: etc-opencloud
- mountPath: /etc/opencloud
 resources:
 {{- toYaml .Values.onlyoffice.collaboration.resources | nindent 12 }}
 volumes:
 - name: etc-opencloud
- {{- if .Values.opencloud.persistence.enabled }}
- persistentVolumeClaim:
- claimName: {{ include "opencloud.opencloud.fullname" . }}-config
- readOnly: true
- {{- else }}
- # If persistence is disabled, use an init container to copy the config
+ # Use emptyDir instead of mounting the PVC to avoid conflicts
 emptyDir: {}
- {{- end }}
 {{- end }}
diff --git a/templates/opencloud/deployment.yaml b/templates/opencloud/deployment.yaml
index 61c11a2..2f42b57 100644
--- a/templates/opencloud/deployment.yaml
+++ b/templates/opencloud/deployment.yaml
@@ -243,6 +243,18 @@ spec: - name: STORAGE_SYSTEM_DRIVER value: "decomposed" + # Collaboration secrets + - name: OC_JWT_SECRET + valueFrom: + secretKeyRef: + name: {{ include "opencloud.fullname" . }}-oc-secrets + key: jwt-secret + - name: OC_WOPI_SECRET + valueFrom: + secretKeyRef: + name: {{ include "opencloud.fullname" . }}-oc-secrets + key: wopi-secret + # S3 storage configuration - name: STORAGE_USERS_DECOMPOSEDS3_ENDPOINT value: {{ if .Values.opencloud.storage.s3.external.enabled }}{{ .Values.opencloud.storage.s3.external.endpoint | quote }}{{ else }}"http://{{ include "opencloud.minio.fullname" . }}:9000"{{ end }}
diff --git a/templates/opencloud/secrets.yaml b/templates/opencloud/secrets.yaml
new file mode 100644
index 0000000..f80b01f
--- /dev/null
+++ b/templates/opencloud/secrets.yaml
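Review bot: After the last hunk of `templates/collaboration/deployment.yaml` the `etc-opencloud` volume is still declared as `emptyDir: {}`, but nothing visible mounts it: this hunk removes the main container's `volumeMounts`, and an earlier hunk removes the `copy-config` init container. The new comment `# Use emptyDir instead of mounting the PVC to avoid conflicts` therefore describes a volume that appears unused. Either delete the `volumes:` entry or reword the comment to name the container that still needs it. The container spec begins outside the hunk, so a mount elsewhere in the file cannot be excluded from here.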
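Review bot: The two `secretKeyRef` entries added to `templates/opencloud/deployment.yaml` point at `{{ include "opencloud.fullname" . }}-oc-secrets`, but `templates/opencloud/secrets.yaml` renders that Secret only when both `onlyoffice.enabled` and `onlyoffice.collaboration.enabled` are true. No matching guard is visible in this hunk (the env list starts and ends outside it), so with collaboration disabled the OpenCloud pod would likely stay in `CreateContainerConfigError`. Wrap the block in the same `{{- if and .Values.onlyoffice.collaboration.enabled .Values.onlyoffice.enabled }}` … `{{- end }}`, or render the Secret unconditionally. The variable is `OC_WOPI_SECRET` here and `COLLABORATION_WOPI_SECRET` in the collaboration Deployment, so it is worth confirming that each service reads the name it is given.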
@@ -0,0 +1,15 @@
+{{- if and .Values.onlyoffice.collaboration.enabled .Values.onlyoffice.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "opencloud.fullname" . }}-oc-secrets
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "opencloud.labels" . | nindent 4 }}
+ app.kubernetes.io/component: collaboration
+data:
+ # Generate a random JWT secret if not provided
+ jwt-secret: {{ .Values.opencloud.jwtSecret | default (randAlphaNum 32) | b64enc }}
+ # Generate a random WOPI secret if not provided
+ wopi-secret: {{ .Values.opencloud.wopiSecret | default (randAlphaNum 32) | b64enc }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
index ce4b0c1..ad47eb7 100644
--- a/values.yaml
+++ b/values.yaml
@@ -16,7 +16,6 @@ # 5. OnlyOffice Secret Keys: secret.inbox/outbox/session.string: B8LjkNqGxn6gf8bkuBUiMwyuCFwFddnu # 6. RabbitMQ: url: amqp://guest:guest@localhost - # ===================================================================== # GLOBAL SETTINGS # =====================================================================
@@ -364,6 +363,10 @@ image:
 opencloud:
 # Enable OpenCloud
 enabled: true
+ # JWT secret for collaboration (will be auto-generated if not provided)
+ jwtSecret: ""
+ # WOPI secret for collaboration (will be auto-generated if not provided)
+ wopiSecret: ""
 # Number of replicas (Note: When using multiple replicas, persistence should be disabled
 # or use a storage class that supports ReadWriteMany access mode)
 replicas: 1
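Review bot: In `templates/opencloud/secrets.yaml`, `default (randAlphaNum 32)` is evaluated on every render, so each `helm upgrade` without explicit `opencloud.jwtSecret` / `opencloud.wopiSecret` values writes new secrets. Both Deployments read them through `secretKeyRef` env vars, which running pods do not pick up until they restart, so after an upgrade the two services can disagree on the JWT/WOPI secret and existing tokens stop validating. Reuse the stored value with `lookup` and generate only when none exists, as sketched below. `lookup` returns nothing under `helm template` or other client-side rendering, so those setups should set the values explicitly. The `values.yaml` comments ("will be auto-generated if not provided") should state the same.

```yaml
{{- $name := printf "%s-oc-secrets" (include "opencloud.fullname" .) }}
{{- $prev := (lookup "v1" "Secret" .Values.namespace $name).data | default dict }}
# … unchanged: apiVersion, kind, metadata …
data:
  # Precedence: explicit value, then the value already stored, then a new random one
  jwt-secret: {{ .Values.opencloud.jwtSecret | b64enc | default (get $prev "jwt-secret") | default (randAlphaNum 32 | b64enc) }}
  wopi-secret: {{ .Values.opencloud.wopiSecret | b64enc | default (get $prev "wopi-secret") | default (randAlphaNum 32 | b64enc) }}
```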