commit the chart dependencies as tgz

Why

easiest way to support aigap

How

commit the packaged chart dependencies from helm dependency update. In "normal" circumstances where a chart repository is the chart delivery mechanism this won't be needed, but since git repositories are being used as the chart delivery mechanism this makes life easiest for airgap deployments

dependency digests are used/checked by helm using the *.lock file to ensure the tgz being committed is the output of helm dependency update and nothing malicious is going on (assuming nothing malicious is going on in the chart dependency)

Caveats

The downside of this approach is now when chart dependencies change the user must run helm dependency update again, but this will get CI'ed at some point