diff --git a/.github/workflows/pr-tests-helm-upgrade.yml b/.github/workflows/pr-tests-helm-upgrade.yml
new file mode 100644
index 00000000000..be8bbc21996
--- /dev/null
+++ b/.github/workflows/pr-tests-helm-upgrade.yml
@@ -0,0 +1,66 @@
+name: PR Tests - Helm Upgrade
+
+on:
+  # Re-enable when we have a stable helm chart
+  # pull_request:
+  #   branches:
+  #     - dev
+  #   paths:
+  #     - packages/grid/helm/syft/**
+
+  workflow_dispatch:
+    inputs:
+      upgrade_type:
+        description: "Select upgrade path type"
+        required: false
+        default: "BetaToDev"
+        type: choice
+        options:
+          - BetaToDev
+          - ProdToBeta
+          - ProdToDev
+
+concurrency:
+  group: pr-tests-helm-upgrade
+  cancel-in-progress: true
+
+jobs:
+  pr-tests-helm-upgrade:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          brew update
+
+          # Install python deps
+          pip install --upgrade pip
+          pip install tox
+
+          # Install kubernetes
+          brew install helm k3d devspace kubectl
+
+      - name: Setup cluster
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+
+          tox -e dev.k8s.start
+
+      - name: Upgrade helm chart
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+
+          # default upgrade is beta to dev, but override with input if provided
+          UPGRADE_TYPE_INPUT=${{ github.event.inputs.upgrade_type }}
+          export UPGRADE_TYPE=${UPGRADE_TYPE_INPUT:-BetaToDev}
+          tox -e syft.test.helm.upgrade
+
+      - name: Destroy cluster
+        if: always()
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+
+          tox -e dev.k8s.destroyall
diff --git a/packages/grid/scripts/helm_upgrade.sh b/packages/grid/scripts/helm_upgrade.sh
new file mode 100644
index 00000000000..82418eaa99a
--- /dev/null
+++ b/packages/grid/scripts/helm_upgrade.sh
@@ -0,0 +1,53 @@
+#! /bin/bash
+
+set -e
+
+HELM_REPO="openmined/syft"
+DOMAIN_NAME="test-domain"
+KUBE_NAMESPACE="syft"
+KUBE_CONTEXT=${KUBE_CONTEXT:-"k3d-syft-dev"}
+
+UPGRADE_TYPE=$1
+
+PROD="openmined/syft"
+BETA="openmined/syft --devel"
+DEV="./helm/syft"
+
+if [ "$UPGRADE_TYPE" == "ProdToBeta" ]; then
+    INSTALL_SOURCE=$PROD   # latest published prod
+    UPGRADE_SOURCE=$BETA   # latest published beta
+    INSTALL_ARGS=""
+    UPGRADE_ARGS=""
+elif [ "$UPGRADE_TYPE" == "BetaToDev" ]; then
+    INSTALL_SOURCE=$BETA   # latest published beta
+    UPGRADE_SOURCE=$DEV    # local chart
+    INSTALL_ARGS=""
+    UPGRADE_ARGS=""
+elif [ "$UPGRADE_TYPE" == "ProdToDev" ]; then
+    INSTALL_SOURCE=$PROD   # latest published prod
+    UPGRADE_SOURCE=$DEV    # local chart
+    INSTALL_ARGS=""
+    UPGRADE_ARGS=""
+else
+    echo Invalid upgrade type $UPGRADE_TYPE
+    exit 1
+fi
+
+kubectl config use-context $KUBE_CONTEXT
+kubectl delete namespace syft || true
+helm repo add openmined https://openmined.github.io/PySyft/helm
+helm repo update openmined
+
+echo Installing syft...
+helm install $DOMAIN_NAME $INSTALL_SOURCE $INSTALL_ARGS --namespace $KUBE_NAMESPACE --create-namespace
+helm ls -A
+
+WAIT_TIME=5 bash ./scripts/wait_for.sh service backend --namespace $KUBE_NAMESPACE
+WAIT_TIME=5 bash ./scripts/wait_for.sh pod default-pool-0 --namespace $KUBE_NAMESPACE
+
+echo Upgrading syft...
+helm upgrade $DOMAIN_NAME $UPGRADE_SOURCE $UPGRADE_ARGS --namespace $KUBE_NAMESPACE
+helm ls -A
+
+echo "Post-upgrade sleep" && sleep 5
+WAIT_TIME=5 bash ./scripts/wait_for.sh service backend --namespace $KUBE_NAMESPACE
diff --git a/tox.ini b/tox.ini
index 0a368808cac..6577929ee25 100644
--- a/tox.ini
+++ b/tox.ini
@@ -28,6 +28,7 @@ envlist =
     syft.build.helm
     syft.package.helm
     syft.test.helm
+    syft.test.helm.upgrade
     syft.protocol.check
     syftcli.test.unit
     syftcli.publish
@@ -916,6 +917,17 @@ commands =
     bash -c "k3d cluster delete syft || true"
     bash -c "docker volume rm k3d-syft-images --force || true"
 
+[testenv:syft.test.helm.upgrade]
+description = Test helm upgrade
+changedir = {toxinidir}/packages/grid/
+passenv=HOME,USER,KUBE_CONTEXT
+setenv =
+    UPGRADE_TYPE = {env:UPGRADE_TYPE:ProdToBeta}
+allowlist_externals =
+    bash
+commands =
+    bash ./scripts/helm_upgrade.sh {env:UPGRADE_TYPE}
+
 [testenv:syftcli.test.unit]
 description = Syft CLI Unit Tests
 deps =
@@ -933,6 +945,9 @@ allowlist_externals =
     bash
     sudo
 commands =
+    ; check k3d version
+    bash -c 'k3d --version'
+
     ; create registry
     bash -c 'k3d registry create registry.localhost --port 5800 -v $HOME/.k3d-registry:/var/lib/registry || true'
 
@@ -940,7 +955,7 @@ commands =
     bash -c 'if ! grep -q k3d-registry.localhost /etc/hosts; then sudo {envpython} scripts/patch_hosts.py --add-k3d-registry --fix-docker-hosts; fi'
 
     ; Fail this command if registry is not working
-    bash -c 'URL=http://k3d-registry.localhost:5800/v2/_catalog; curl -X GET $URL'
+    bash -c 'curl --retry 5 --retry-all-errors http://k3d-registry.localhost:5800/v2/_catalog'
 
 [testenv:dev.k8s.patch.coredns]
 description = Patch CoreDNS to resolve k3d-registry.localhost