diff --git a/.github/actions/validate-endpoints/action.yml b/.github/actions/validate-endpoints/action.yml
index 1028d154..b402c4ff 100644
--- a/.github/actions/validate-endpoints/action.yml
+++ b/.github/actions/validate-endpoints/action.yml
@@ -8,6 +8,10 @@ inputs:
     description: 'License fields to validate'
     required: false
     default: '[]'
+  version-label:
+    description: 'Version label to validate'
+    required: false
+    default: ''
   integration-enabled:
     description: 'If integration mode is enabled or not'
     required: false
@@ -95,6 +99,16 @@ runs:
           exit 1
         fi
 
+        # TODO: add more validation here if needed
+        if [ -n "${{ inputs.version-label }}" ]; then
+          versionLabel=$(curl -s --fail --show-error localhost:8888/api/v1/app/info | jq -r .currentRelease.versionLabel | tr -d '\n')
+
+          if [ "$versionLabel" != "${{ inputs.version-label }}" ]; then
+            echo "Expected version label to be '${{ inputs.version-label }}', but is '$versionLabel'."
+            exit 1
+          fi
+        fi
+
     - name: Validate /app/updates endpoint
       shell: bash
       run: |
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 1383b37c..ee2b13bc 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -136,7 +136,7 @@ jobs:
 
       - name: Create release
         id: create-release
-        uses: replicatedhq/replicated-actions/create-release@v1.1.1
+        uses: replicatedhq/replicated-actions/create-release@v1.5.2
         with:
           app-slug: ${{ env.APP_SLUG }}
           api-token: ${{ secrets.C11Y_MATRIX_TOKEN }}
@@ -268,6 +268,30 @@ jobs:
           license-fields: ${{ env.LICENSE_FIELDS }}
           integration-enabled: 'false'
 
+      - name: Upgrade via Helm as subchart in production mode to a new version
+        run: |
+          oldpodname=$(kubectl get pods -l app.kubernetes.io/name=replicated -o jsonpath='{.items[0].metadata.name}')
+          
+          helm upgrade test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --set replicated.integration.enabled=false --set replicated.versionLabel=1.0.0 --wait --timeout 2m
+
+          COUNTER=1
+          while [ kubectl get pods -l app.kubernetes.io/name=replicated -o jsonpath='{.items[0].metadata.name}' | grep -q $oldpodname ]; do
+            ((COUNTER += 1))
+            if [ $COUNTER -gt 60 ]; then
+              echo "Pod did not restart after upgrade"
+              exit 1
+            fi
+            sleep 1
+          done
+
+      - name: Validate endpoints
+        uses: ./.github/actions/validate-endpoints
+        with:
+          license-id: ${{ env.LICENSE_ID }}
+          license-fields: ${{ env.LICENSE_FIELDS }}
+          version-label: '1.0.0'
+          integration-enabled: 'false'
+
       - name: Uninstall test-chart via Helm
         run: helm uninstall test-chart --wait --timeout 2m
 
@@ -286,6 +310,33 @@ jobs:
           integration-enabled: 'false'
           deployed-via-kubectl: 'true'
 
+      - name: Upgrade via kubectl as subchart in production mode
+        run: |
+          oldpodname=$(kubectl get pods -l app.kubernetes.io/name=replicated -o jsonpath='{.items[0].metadata.name}')
+
+          helm template test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --set replicated.integration.enabled=false --set replicated.versionLabel=1.0.0 | kubectl apply -f -
+          kubectl rollout status deployment test-chart --timeout=2m
+          kubectl rollout status deployment replicated --timeout=2m
+
+          COUNTER=1
+          while [ kubectl get pods -l app.kubernetes.io/name=replicated -o jsonpath='{.items[0].metadata.name}' | grep -q $oldpodname ]; do
+            ((COUNTER += 1))
+            if [ $COUNTER -gt 60 ]; then
+              echo "Pod did not restart after upgrade"
+              exit 1
+            fi
+            sleep 1
+          done
+
+      - name: Validate endpoints
+        uses: ./.github/actions/validate-endpoints
+        with:
+          license-id: ${{ env.LICENSE_ID }}
+          license-fields: ${{ env.LICENSE_FIELDS }}
+          integration-enabled: 'false'
+          version-label: '1.0.0'
+          deployed-via-kubectl: 'true'
+
       - name: Uninstall test-chart via kubectl
         run: |
           helm template test-chart oci://registry.replicated.com/$APP_SLUG/$CHANNEL_SLUG/test-chart --set replicated.integration.enabled=false | kubectl delete -f -
diff --git a/chart/templates/replicated-deployment.yaml b/chart/templates/replicated-deployment.yaml
index 50b586f5..dc27c3b3 100644
--- a/chart/templates/replicated-deployment.yaml
+++ b/chart/templates/replicated-deployment.yaml
@@ -20,6 +20,8 @@ spec:
       {{- include "replicated.selectorLabels" . | nindent 6 }}
   template:
     metadata:
+      annotations:
+        checksum/replicated-secret: {{ include (print $.Template.BasePath "/replicated-secret.yaml") . | sha256sum }}
       labels:
         {{- include "replicated.labels" . | nindent 8 }}
     spec: