feat(chart): Make the securityContext for the StatefulSet configurable (#62)

<!--
 Before you open the request please review the following guidelines and tips to help it be more easily integrated:

 - Describe the scope of your change - i.e. what the change does.
 - Describe any known limitations with your change.
 - Please run any tests or examples that can exercise your modified code.

 Thank you for contributing! We will try to review, test and integrate the change as soon as we can.
 -->

### Description of the change

<!-- Describe the scope of your change - i.e. what the change does. -->

This patch adds the ability to **customize the `SecurityContext`** for the `statefulset` of the Gitea Actions `act_runner`.
This allows users to configure pod-level security settings, such as `fsGroup` and `fsGroupChangePolicy`.
The patch introduces `statefulset.podSecurityContext` as a new configurable parameter.

### Benefits

<!-- What benefits will be realized by the code change? -->
This change makes the chart more configurable for different kinds of deployment scenarios.

### Possible drawbacks

<!-- Describe any known limitations with your change -->

### Applicable issues

<!-- Enter any applicable Issues here (You can reference an issue using #). Please remove this section if there is no referenced issue. -->
- Fixes #

### Additional information

<!-- If there's anything else that's important and relevant to your pull request, mention that information here. Please remove this section if it remains empty. -->

  * The patch only adds the ability to customize the `podSecurityContext` for the `statefulset`. It does not modify any other security settings or introduce new features beyond this customization.
  * The default value for `statefulset.podSecurityContext` is an empty object `{}`, meaning no security context is applied unless the user explicitly defines it.

### ⚠ BREAKING

<!-- If there's a breaking change, please shortly describe in which way users are affected and how they can mitigate it. If there are no breakings, please remove this section. -->

### Checklist

<!-- [Place an '[X]' (no spaces) in all applicable fields. Please remove unrelated fields.] -->

- [X] Parameters are documented in the `values.yaml` and added to the `README.md` using [readme-generator-for-helm](https://github.com/bitnami-labs/readme-generator-for-helm)
- [X] Helm templating unittests are added (required when changing anything in `templates` folder)
- [X] All added template resources MUST render a namespace in metadata

Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/62
Reviewed-by: DaanSelen <daanselen@noreply.gitea.com>
Co-authored-by: Stephen Sullivan <sjsullivan7@gmail.com>
Co-committed-by: Stephen Sullivan <sjsullivan7@gmail.com>

.gitea/workflows/changelog.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.5
+    container: docker.io/thegeeklab/git-sv:2.0.6
     steps:
       - name: install tools
         run: |

.gitea/workflows/commitlint.yml

@@ -11,7 +11,7 @@ on:
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: commitlint/commitlint:19.9.1
+    container: commitlint/commitlint:20.1.0
     steps:
       - uses: actions/checkout@v5
       - name: check PR title

.gitea/workflows/test-pr.yml

@@ -10,7 +10,7 @@ on:
 
 env:
   # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v1.0.1"
+  HELM_UNITTEST_VERSION: "v1.0.3"
 
 jobs:
   check-and-test:

README.md

@@ -58,7 +58,7 @@ You should be good to go!
 | `statefulset.affinity`                    | Affinity for the statefulset                                                                                                                | `{}`                           |
 | `statefulset.extraVolumes`                | Extra volumes for the statefulset                                                                                                           | `[]`                           |
 | `statefulset.actRunner.registry`          | image registry, e.g. gcr.io,docker.io                                                                                                       | `docker.gitea.com`             |
-| `statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
+| `statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `act_runner`                   |
 | `statefulset.actRunner.tag`               | The Gitea act runner tag                                                                                                                    | `0.2.13`                       |
 | `statefulset.actRunner.digest`            | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                  | `""`                           |
 | `statefulset.actRunner.pullPolicy`        | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
@@ -66,6 +66,7 @@ You should be good to go!
 | `statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container                                                                                   | `[]`                           |
 | `statefulset.actRunner.config`            | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
 | `statefulset.dind.registry`               | image registry, e.g. gcr.io,docker.io                                                                                                       | `""`                           |
+| `statefulset.actRunner.extraEnvs`         | Allows adding custom environment variables                                                                                                  | `[]`                           |
 | `statefulset.dind.repository`             | The Docker-in-Docker image                                                                                                                  | `docker`                       |
 | `statefulset.dind.tag`                    | The Docker-in-Docker image tag                                                                                                              | `28.3.3-dind`                  |
 | `statefulset.dind.digest`                 | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                  | `""`                           |
@@ -74,6 +75,7 @@ You should be good to go!
 | `statefulset.dind.extraVolumeMounts`      | Allows mounting extra volumes in the Docker-in-Docker container                                                                             | `[]`                           |
 | `statefulset.dind.extraEnvs`              | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
 | `statefulset.persistence.size`            | Size for persistence to store act runner data                                                                                               | `1Gi`                          |
+| `statefulset.securityContext`             | Customize the SecurityContext                                                                                                               | `{}`                           |
 | `existingSecret`                          | Secret that contains the token                                                                                                              | `""`                           |
 | `existingSecretKey`                       | Secret key                                                                                                                                  | `""`                           |
 | `giteaRootURL`                            | URL the act_runner registers and connect with                                                                                               | `""`                           |

pnpm-lock.yaml

@@ -220,8 +220,8 @@ packages:
   lodash@4.17.21:
     resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
 
-  lru-cache@11.2.1:
-    resolution: {integrity: sha512-r8LA6i4LP4EeWOhqBaZZjDWwehd1xUJPCJd9Sv300H0ZmcUER4+JPh7bqqZeqs1o5pgtgvXm+d9UGrB5zZGDiQ==}
+  lru-cache@11.2.2:
+    resolution: {integrity: sha512-F9ODfyqML2coTIsQpSkRHnLSZMtkU8Q+mSfcaIyKwy58u+8k5nvAYeiNhsyMARvzNcXJ9QfWVrcPsC9e9rAxtg==}
     engines: {node: 20 || >=22}
 
   markdown-it@14.1.0:
@@ -610,7 +610,7 @@ snapshots:
 
   lodash@4.17.21: {}
 
-  lru-cache@11.2.1: {}
+  lru-cache@11.2.2: {}
 
   markdown-it@14.1.0:
     dependencies:
@@ -864,7 +864,7 @@ snapshots:
 
   path-scurry@2.0.0:
     dependencies:
-      lru-cache: 11.2.1
+      lru-cache: 11.2.2
       minipass: 7.1.2
 
   punycode.js@2.3.1: {}

templates/statefulset.yaml

@@ -30,6 +30,8 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      securityContext:
+        {{- toYaml .Values.statefulset.securityContext | nindent 8 }}
       initContainers:
         - name: init-gitea
           image: "{{ include "gitea.actions.init.image" . }}"
@@ -66,6 +68,9 @@ spec:
               value: /actrunner/config.yaml
             - name: TZ
               value: {{ .Values.statefulset.timezone | default "Etc/UTC" }}
+            {{- if .Values.statefulset.actRunner.extraEnvs }}
+            {{- toYaml .Values.statefulset.actRunner.extraEnvs | nindent 12 }}
+            {{- end }}
           resources:
             {{- toYaml .Values.statefulset.resources | nindent 12 }}
           volumeMounts:

unittests/helm/statefulset.yaml

@@ -40,7 +40,7 @@ tests:
           name: gitea-unittests-actions-act-runner
       - equal:
           path: spec.template.spec.containers[0].image
-          value: docker.gitea.com/gitea/act_runner:0.2.13@sha256:abcdef123456
+          value: docker.gitea.com/act_runner:0.2.13@sha256:abcdef123456
   - it: act-runner uses global.imageRegistry
     template: templates/statefulset.yaml
     set:
@@ -58,7 +58,7 @@ tests:
           name: gitea-unittests-actions-act-runner
       - equal:
           path: spec.template.spec.containers[0].image
-          value: test.io/gitea/act_runner:0.2.13
+          value: test.io/act_runner:0.2.13
   - it: dind uses fullOverride
     template: templates/statefulset.yaml
     set:
@@ -129,6 +129,93 @@ tests:
       - equal:
           path: spec.template.spec.initContainers[0].image
           value: test.io/busybox:1.37.0
+  - it: renders additional environment variables for act-runner container in StatefulSet
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset:
+        actRunner:
+          extraEnvs:
+            - name: "CUSTOM_ENV"
+              value: "1"
+            - name: "GITEA_RUNNER_NAME"
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[7]
+          value:
+            name: CUSTOM_ENV
+            value: "1"
+      - matchRegex:
+          path: spec.template.spec.containers[0].env[8].valueFrom.fieldRef.fieldPath
+          pattern: "metadata\\.name"
+      - matchRegex:
+          path: spec.template.spec.containers[0].env[8].name
+          pattern: "GITEA_RUNNER_NAME"
+  - it: Has fsGroup in securityContext
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.securityContext:
+        fsGroup: 1000
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.securityContext["fsGroup"]
+          value: 1000
+  - it: Has fsGroupChangePolicy in securityContext
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.securityContext:
+        fsGroupChangePolicy: OnRootMismatch
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.securityContext["fsGroupChangePolicy"]
+          value: "OnRootMismatch"
+  - it: Has Always in securityContext
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.securityContext:
+        fsGroupChangePolicy: Always
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.securityContext["fsGroupChangePolicy"]
+          value: "Always"
   - it: doesn't renders a StatefulSet by default
     template: templates/statefulset.yaml
     asserts:

values.yaml

@@ -22,6 +22,7 @@
 ## @param statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container
 ## @param statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
 ## @param statefulset.dind.registry image registry, e.g. gcr.io,docker.io
+## @param statefulset.actRunner.extraEnvs Allows adding custom environment variables
 ## @param statefulset.dind.repository The Docker-in-Docker image
 ## @param statefulset.dind.tag The Docker-in-Docker image tag
 ## @param statefulset.dind.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
@@ -30,6 +31,7 @@
 ## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
 ## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
 ## @param statefulset.persistence.size Size for persistence to store act runner data
+## @param statefulset.securityContext Customize the SecurityContext
 ## @param existingSecret Secret that contains the token
 ## @param existingSecretKey Secret key
 ## @param giteaRootURL URL the act_runner registers and connect with
@@ -44,15 +46,22 @@ statefulset:
   tolerations: []
   affinity: {}
   extraVolumes: []
+  securityContext: {}
 
   actRunner:
     registry: "docker.gitea.com"
-    repository: gitea/act_runner
+    repository: act_runner
     tag: 0.2.13
     digest: ""
     pullPolicy: IfNotPresent
     fullOverride: ""
     extraVolumeMounts: []
+    extraEnvs:
+      []
+      # - name: "GITEA_RUNNER_NAME"
+      #   valueFrom:
+      #     fieldRef:
+      #       fieldPath: metadata.name
 
     # See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
     config: |