chore: finalize bump helm

This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuOSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMi45IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJraW5kL2RlcGVuZGVuY3kiXX0=-->

Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/117
Reviewed-by: DaanSelen <135789+daanselen@noreply.gitea.com>
Co-authored-by: Renovate Bot <renovate-bot@gitea.com>
Co-committed-by: Renovate Bot <renovate-bot@gitea.com>

.gitea/workflows/release-version.yml

@@ -7,7 +7,7 @@ on:
 
 env:
   # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.20.0"
+  HELM_VERSION: "4.1.3"
 
 jobs:
   generate-chart-publish:

.gitea/workflows/shellcheck.yml

@@ -1,4 +1,4 @@
-name: Lint Shell files
+name: shellcheck
 
 on:
   pull_request:

.gitea/workflows/test-pr.yml

@@ -1,6 +1,7 @@
 name: check-and-test
 
-on:
+"on":
+  "workflow_dispatch":
   pull_request:
     branches:
       - "*"
@@ -15,26 +16,26 @@ env:
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:3.20.0
+    container: alpine/helm:4.1.3
     steps:
       - name: install tools
         run: |
           apk update
           apk add --update bash make nodejs npm yamllint ncurses
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@v5
         with:
           version: 10
       - uses: actions/checkout@v6
       - name: install chart dependencies
         run: helm dependency build
       - name: lint
-        run: helm lint
+        run: helm lint .
       - name: template
         run: helm template --debug gitea-actions .
       - name: prepare unit test environment
         run: |
-          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest
+          helm plugin install --version ${{ env.HELM_UNITTEST_VERSION }} https://github.com/helm-unittest/helm-unittest --verify=false
           git submodule update --init --recursive
       - name: unit tests
         env:
@@ -46,4 +47,5 @@ jobs:
           make readme
           git diff --exit-code --name-only README.md
       - name: yaml lint
-        uses: https://github.com/ibiqlik/action-yamllint@v3
+        #uses: ibiqlik/action-yamllint@v3 # Github / Act
+        uses: https://github.com/ibiqlik/action-yamllint@v3 # Gitea

README.md

@@ -6,18 +6,10 @@ The parameters which can be used to customize the deployment are described below
 
 If you want to propose a new feature or mechanism, submit an [issue here](https://gitea.com/gitea/helm-actions/issues).
 
-## Docs
-
-[Docs](./docs/README.md)
-
-## Rootless Defaults
-
-If `.Values.image.rootless: true`, then the following will occur. In case you use `.Values.image.fullOverride`, check that this works in your image:
-
-- If `.Values.provisioning.enabled: true`, then uses the rootless Gitea image, must match helm-Gitea.
-
 ## Quick-start
 
+[Documentation](./docs/README.md)
+
 To get started, add the Helm repo, assuming you have not already:
 
 ```sh
@@ -39,6 +31,26 @@ helm upgrade --install gitea-actions gitea-charts/actions -f values.yaml
 
 You should be good to go!
 
+### Runner Token Secret Template
+
+For reference, a template for the secret is given below:  
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: runner-secret
+  namespace: "my-gitea-namespace"
+type: Opaque
+stringData:
+    runner-token: "my-cool-runner-token-given-by-gitea"
+```
+
+### Rootless Options
+
+If `.Values.statefulset.dind.rootless: true` is set, then the following will be required:  
+`.Values.statefulset.dind.tag` must be a rootless image such as: `29.3.1-dind-rootless`
+
 ## Parameters
 
 ### Gitea Actions
@@ -46,8 +58,6 @@ You should be good to go!
 | Name                                      | Description                                                                                                                                 | Value                          |
 | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
 | `enabled`                                 | Create an act runner StatefulSet.                                                                                                           | `false`                        |
-| `init.image.repository`                   | The image used for the init containers                                                                                                      | `busybox`                      |
-| `init.image.tag`                          | The image tag used for the init containers                                                                                                  | `1.37.0`                       |
 | `statefulset.replicas`                    | the amount of (replica) runner pods deployed                                                                                                | `1`                            |
 | `statefulset.timezone`                    | is the timezone that will be set in the act_runner image                                                                                    | `Etc/UTC`                      |
 | `statefulset.annotations`                 | Act runner annotations                                                                                                                      | `{}`                           |
@@ -59,16 +69,18 @@ You should be good to go!
 | `statefulset.extraVolumes`                | Extra volumes for the statefulset                                                                                                           | `[]`                           |
 | `statefulset.actRunner.registry`          | image registry, e.g. gcr.io,docker.io                                                                                                       | `docker.gitea.com`             |
 | `statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `act_runner`                   |
-| `statefulset.actRunner.tag`               | The Gitea act runner tag                                                                                                                    | `0.2.13`                       |
+| `statefulset.actRunner.tag`               | The Gitea act runner tag                                                                                                                    | `0.3.0`                        |
 | `statefulset.actRunner.digest`            | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                  | `""`                           |
 | `statefulset.actRunner.pullPolicy`        | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
 | `statefulset.actRunner.fullOverride`      | Completely overrides the image registry, path/image, tag and digest.                                                                        | `""`                           |
 | `statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container                                                                                   | `[]`                           |
 | `statefulset.actRunner.config`            | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
-| `statefulset.dind.registry`               | image registry, e.g. gcr.io,docker.io                                                                                                       | `""`                           |
+| `statefulset.dind.rootless`               | a simple flag to let helm know we are dealing with a rootless dind container                                                                | `false`                        |
+| `statefulset.dind.uid`                    | a field to set the running user id for the rootless dind container, so it knows where to look for the socket                                | `""`                           |
+| `statefulset.dind.registry`               | image registry, e.g. gcr.io,docker.io                                                                                                       | `docker.io`                    |
 | `statefulset.actRunner.extraEnvs`         | Allows adding custom environment variables                                                                                                  | `[]`                           |
 | `statefulset.dind.repository`             | The Docker-in-Docker image                                                                                                                  | `docker`                       |
-| `statefulset.dind.tag`                    | The Docker-in-Docker image tag                                                                                                              | `28.3.3-dind`                  |
+| `statefulset.dind.tag`                    | The Docker-in-Docker image tag                                                                                                              | `29.3.1-dind`                  |
 | `statefulset.dind.digest`                 | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                  | `""`                           |
 | `statefulset.dind.fullOverride`           | Completely overrides the image registry, path/image, tag and digest.                                                                        | `""`                           |
 | `statefulset.dind.pullPolicy`             | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
@@ -76,9 +88,7 @@ You should be good to go!
 | `statefulset.dind.extraEnvs`              | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
 | `statefulset.persistence.size`            | Size for persistence to store act runner data                                                                                               | `1Gi`                          |
 | `statefulset.securityContext`             | Customize the SecurityContext                                                                                                               | `{}`                           |
-| `existingSecret`                          | Secret that contains the token                                                                                                              | `""`                           |
+| `statefulset.serviceAccountName`          | Customize the service account name                                                                                                          | `""`                           |
-| `existingSecretKey`                       | Secret key                                                                                                                                  | `""`                           |
-| `giteaRootURL`                            | URL the act_runner registers and connect with                                                                                               | `""`                           |
 
 ### Gitea Actions Init
 
@@ -91,9 +101,30 @@ You should be good to go!
 | `init.image.pullPolicy`   | The init image pullPolicy                                                                                  | `IfNotPresent` |
 | `init.image.fullOverride` | Completely overrides the image registry, path/image, tag and digest.                                       | `""`           |
 
+### Runner Token Secret Configuration
+
+| Name                | Description                    | Value |
+| ------------------- | ------------------------------ | ----- |
+| `existingSecret`    | Secret that contains the token | `""`  |
+| `existingSecretKey` | Secret key                     | `""`  |
+
+### Gitea URL Setting
+
+| Name           | Description                                   | Value |
+| -------------- | --------------------------------------------- | ----- |
+| `giteaRootURL` | URL the act_runner registers and connect with | `""`  |
+
+### Extra Init Containers
+
+| Name                      | Description                                                                                     | Value |
+| ------------------------- | ----------------------------------------------------------------------------------------------- | ----- |
+| `preExtraInitContainers`  | Additional init containers to run in the pod before Gitea-actions runs it owns init containers. | `[]`  |
+| `postExtraInitContainers` | Additional init containers to run in the pod after Gitea-actions runs it owns init containers.  | `[]`  |
+
 ### Global
 
-| Name                   | Description                    | Value |
+| Name                      | Description                        | Value |
-| ---------------------- | ------------------------------ | ----- |
+| ------------------------- | ---------------------------------- | ----- |
-| `global.imageRegistry` | global image registry override | `""`  |
+| `global.imageRegistry`    | global image registry override     | `""`  |
-| `global.storageClass`  | global storage class override  | `""`  |
+| `global.imagePullSecrets` | global image registry pull secrets | `[]`  |
+| `global.storageClass`     | global storage class override      | `""`  |

docs/actions-dev.md

@@ -26,8 +26,6 @@ In this case, you can use either the Web UI to generate the token or run a shell
 the command `gitea actions generate-runner-token`. After generating the token, you must create a secret and use it via:
 
 ```yaml
-provisioning:
-  enabled: false
 existingSecret: "secret-name"
 existingSecretKey: "secret-key"
 ```

docs/share-dind-with-job-container.md

@@ -4,25 +4,19 @@ You can weaken isolation and allow jobs to call docker commands.
 
 ## Limitations
 
-- Docker bind mounts like `-v /path/on/self/container:/path/to/new/container` do not work, because they are going to mount the path from the dind container
+-
-- Docker port expose to local host `-e 80:8080` is not going to work
 
 ## Example Values
 
 ```yaml
-enabled: true
-statefulset:
-  actRunner:
-    # See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
     config: |
       log:
         level: debug
       cache:
         enabled: false
       container:
-        valid_volumes:
+        require_docker: true
-        - /var/run/docker.sock
+        docker_timeout: 300s
-        options: -v /var/run/docker.sock:/var/run/docker.sock
 
 ## Specify an existing token secret
 ##
@@ -33,4 +27,4 @@ existingSecretKey: "token"
 giteaRootURL: "http://192.168.1.2:3000"
 ```
 
-Now you can run docker commands inside your jobs.
+Now you can run docker commands inside your jobs.

pnpm-lock.yaml

@@ -21,16 +21,8 @@ packages:
     resolution: {integrity: sha512-7eXyJzxQTQj2ajpHlIhadciCCYWOqN8ieaweU25bStHOZowQ2c2CQyjO/bX4gxIf73LoRKxHhEYgLTllJY9SIw==}
     hasBin: true
 
-  '@isaacs/balanced-match@4.0.1':
+  '@types/debug@4.1.13':
-    resolution: {integrity: sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==}
+    resolution: {integrity: sha512-KSVgmQmzMwPlmtljOomayoR89W4FynCAi3E8PPs7vmDVPe84hT+vGPKkJfThkmXs0x0jAaa9U8uW8bbfyS2fWw==}
-    engines: {node: 20 || >=22}
-
-  '@isaacs/brace-expansion@5.0.1':
-    resolution: {integrity: sha512-WMz71T1JS624nWj2n2fnYAuPovhv7EUhk69R6i9dsVyzxt5eM3bjwvgk9L+APE1TRscGysAVMANkB0jh0LQZrQ==}
-    engines: {node: 20 || >=22}
-
-  '@types/debug@4.1.12':
-    resolution: {integrity: sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==}
 
   '@types/katex@0.16.8':
     resolution: {integrity: sha512-trgaNyfU+Xh2Tc+ABIb44a5AYUpicB3uwirOioeOkNPPbmgRNtcWyDeeFRzjPZENO9Vq8gvVqfhaaXWLlevVwg==}
@@ -51,8 +43,16 @@ packages:
   balanced-match@1.0.2:
     resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
 
-  brace-expansion@1.1.12:
+  balanced-match@4.0.4:
-    resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==}
+    resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
+    engines: {node: 18 || 20 || >=22}
+
+  brace-expansion@1.1.13:
+    resolution: {integrity: sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==}
+
+  brace-expansion@5.0.5:
+    resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
+    engines: {node: 18 || 20 || >=22}
 
   character-entities-legacy@3.0.0:
     resolution: {integrity: sha512-RpPp0asT/6ufRm//AJVwpViZbGM/MkjQFxJccQRHmISF/22NBtsHqAWmL+/pmkPWoIUJdWyeVleTl1wydHATVQ==}
@@ -125,8 +125,8 @@ packages:
   fs.realpath@1.0.0:
     resolution: {integrity: sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==}
 
-  get-east-asian-width@1.4.0:
+  get-east-asian-width@1.5.0:
-    resolution: {integrity: sha512-QZjmEOC+IT1uk6Rx0sX22V6uHWVwbdbxf1faPqJ1QhLdGgsRGCZoyaQBm/piRdJy/D2um6hM1UP7ZEeQ4EkP+Q==}
+    resolution: {integrity: sha512-CQ+bEO+Tva/qlmw24dCejulK5pMzVnUOFOijVogd3KQs07HnRIgp8TGipvCCRT06xeYEbpbgwaCxglFyiuIcmA==}
     engines: {node: '>=18'}
 
   glob@7.2.3:
@@ -171,18 +171,18 @@ packages:
     resolution: {integrity: sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ==}
     engines: {node: '>=0.10.0'}
 
-  katex@0.16.28:
+  katex@0.16.44:
-    resolution: {integrity: sha512-YHzO7721WbmAL6Ov1uzN/l5mY5WWWhJBSW+jq4tkfZfsxmo1hu6frS0EOswvjBUnWE6NtjEs48SFn5CQESRLZg==}
+    resolution: {integrity: sha512-EkxoDTk8ufHqHlf9QxGwcxeLkWRR3iOuYfRpfORgYfqc8s13bgb+YtRY59NK5ZpRaCwq1kqA6a5lpX8C/eLphQ==}
     hasBin: true
 
   linkify-it@5.0.0:
     resolution: {integrity: sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==}
 
-  lodash@4.17.23:
+  lodash@4.18.1:
-    resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==}
+    resolution: {integrity: sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==}
 
-  markdown-it@14.1.0:
+  markdown-it@14.1.1:
-    resolution: {integrity: sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==}
+    resolution: {integrity: sha512-BuU2qnTti9YKgK5N+IeMubp14ZUKUUw7yeJbkjtosvHiP0AZ5c8IAgEMk79D0eC8F23r4Ac/q8cAIFdm2FtyoA==}
     hasBin: true
 
   markdown-table@2.0.0:
@@ -275,12 +275,12 @@ packages:
   micromark@4.0.2:
     resolution: {integrity: sha512-zpe98Q6kvavpCr1NPVSCMebCKfD7CA2NqZ+rykeNhONIJBpc1tFKt9hucLGwha3jNTNI8lHpctWJWoimVF4PfA==}
 
-  minimatch@10.1.2:
+  minimatch@10.1.3:
-    resolution: {integrity: sha512-fu656aJ0n2kcXwsnwnv9g24tkU5uSmOlTjd6WyyaKm2Z+h1qmY6bAjrcaIxF/BslFqbZ8UBtbJi7KgQOZD2PTw==}
+    resolution: {integrity: sha512-IF6URNyBX7Z6XfvjpaNy5meRxPZiIf2OqtOoSLs+hLJ9pJAScnM1RjrFcbCaD85y42KcI+oZmKjFIJKYDFjQfg==}
     engines: {node: 20 || >=22}
 
-  minimatch@3.1.2:
+  minimatch@3.1.5:
-    resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==}
+    resolution: {integrity: sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==}
 
   minimist@1.2.8:
     resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==}
@@ -298,8 +298,8 @@ packages:
     resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==}
     engines: {node: '>=0.10.0'}
 
-  picomatch@4.0.3:
+  picomatch@4.0.4:
-    resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==}
+    resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==}
     engines: {node: '>=12'}
 
   punycode.js@2.3.1:
@@ -322,8 +322,8 @@ packages:
     resolution: {integrity: sha512-Kxl3KJGb/gxkaUMOjRsQ8IrXiGW75O4E3RPjFIINOVH8AMl2SQ/yWdTzWwF3FevIX9LcMAjJW+GRwAlAbTSXdg==}
     engines: {node: '>=20'}
 
-  strip-ansi@7.1.2:
+  strip-ansi@7.2.0:
-    resolution: {integrity: sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==}
+    resolution: {integrity: sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==}
     engines: {node: '>=12'}
 
   strip-json-comments@3.1.1:
@@ -340,8 +340,8 @@ packages:
   wrappy@1.0.2:
     resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
 
-  yaml@2.8.2:
+  yaml@2.8.3:
-    resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==}
+    resolution: {integrity: sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==}
     engines: {node: '>= 14.6'}
     hasBin: true
 
@@ -351,17 +351,11 @@ snapshots:
     dependencies:
       commander: 13.1.0
       dot-object: 2.1.5
-      lodash: 4.17.23
+      lodash: 4.18.1
       markdown-table: 2.0.0
-      yaml: 2.8.2
+      yaml: 2.8.3
 
-  '@isaacs/balanced-match@4.0.1': {}
+  '@types/debug@4.1.13':
-
-  '@isaacs/brace-expansion@5.0.1':
-    dependencies:
-      '@isaacs/balanced-match': 4.0.1
-
-  '@types/debug@4.1.12':
     dependencies:
       '@types/ms': 2.1.0
 
@@ -377,11 +371,17 @@ snapshots:
 
   balanced-match@1.0.2: {}
 
-  brace-expansion@1.1.12:
+  balanced-match@4.0.4: {}
+
+  brace-expansion@1.1.13:
     dependencies:
       balanced-match: 1.0.2
       concat-map: 0.0.1
 
+  brace-expansion@5.0.5:
+    dependencies:
+      balanced-match: 4.0.4
+
   character-entities-legacy@3.0.0: {}
 
   character-entities@2.0.2: {}
@@ -421,20 +421,20 @@ snapshots:
 
   entities@4.5.0: {}
 
-  fdir@6.5.0(picomatch@4.0.3):
+  fdir@6.5.0(picomatch@4.0.4):
     optionalDependencies:
-      picomatch: 4.0.3
+      picomatch: 4.0.4
 
   fs.realpath@1.0.0: {}
 
-  get-east-asian-width@1.4.0: {}
+  get-east-asian-width@1.5.0: {}
 
   glob@7.2.3:
     dependencies:
       fs.realpath: 1.0.0
       inflight: 1.0.6
       inherits: 2.0.4
-      minimatch: 3.1.2
+      minimatch: 3.1.5
       once: 1.4.0
       path-is-absolute: 1.0.1
 
@@ -468,7 +468,7 @@ snapshots:
 
   jsonpointer@5.0.1: {}
 
-  katex@0.16.28:
+  katex@0.16.44:
     dependencies:
       commander: 8.3.0
 
@@ -476,9 +476,9 @@ snapshots:
     dependencies:
       uc.micro: 2.1.0
 
-  lodash@4.17.23: {}
+  lodash@4.18.1: {}
 
-  markdown-it@14.1.0:
+  markdown-it@14.1.1:
     dependencies:
       argparse: 2.0.1
       entities: 4.5.0
@@ -499,9 +499,9 @@ snapshots:
       js-yaml: 4.1.1
       jsonc-parser: 3.3.1
       jsonpointer: 5.0.1
-      markdown-it: 14.1.0
+      markdown-it: 14.1.1
       markdownlint: 0.40.0
-      minimatch: 10.1.2
+      minimatch: 10.1.3
       run-con: 1.3.2
       smol-toml: 1.5.2
       tinyglobby: 0.2.15
@@ -583,7 +583,7 @@ snapshots:
     dependencies:
       '@types/katex': 0.16.8
       devlop: 1.1.0
-      katex: 0.16.28
+      katex: 0.16.44
       micromark-factory-space: 2.0.1
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
@@ -676,7 +676,7 @@ snapshots:
 
   micromark@4.0.2:
     dependencies:
-      '@types/debug': 4.1.12
+      '@types/debug': 4.1.13
       debug: 4.4.3
       decode-named-character-reference: 1.3.0
       devlop: 1.1.0
@@ -696,13 +696,13 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  minimatch@10.1.2:
+  minimatch@10.1.3:
     dependencies:
-      '@isaacs/brace-expansion': 5.0.1
+      brace-expansion: 5.0.5
 
-  minimatch@3.1.2:
+  minimatch@3.1.5:
     dependencies:
-      brace-expansion: 1.1.12
+      brace-expansion: 1.1.13
 
   minimist@1.2.8: {}
 
@@ -724,7 +724,7 @@ snapshots:
 
   path-is-absolute@1.0.1: {}
 
-  picomatch@4.0.3: {}
+  picomatch@4.0.4: {}
 
   punycode.js@2.3.1: {}
 
@@ -741,10 +741,10 @@ snapshots:
 
   string-width@8.1.0:
     dependencies:
-      get-east-asian-width: 1.4.0
+      get-east-asian-width: 1.5.0
-      strip-ansi: 7.1.2
+      strip-ansi: 7.2.0
 
-  strip-ansi@7.1.2:
+  strip-ansi@7.2.0:
     dependencies:
       ansi-regex: 6.2.2
 
@@ -752,11 +752,11 @@ snapshots:
 
   tinyglobby@0.2.15:
     dependencies:
-      fdir: 6.5.0(picomatch@4.0.3)
+      fdir: 6.5.0(picomatch@4.0.4)
-      picomatch: 4.0.3
+      picomatch: 4.0.4
 
   uc.micro@2.1.0: {}
 
   wrappy@1.0.2: {}
 
-  yaml@2.8.2: {}
+  yaml@2.8.3: {}

templates/statefulset.yaml

@@ -30,9 +30,16 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      restartPolicy: Always
+      {{- if .Values.statefulset.serviceAccountName }}
+      serviceAccountName: {{ .Values.statefulset.serviceAccountName }}
+      {{- end }}
       securityContext:
         {{- toYaml .Values.statefulset.securityContext | nindent 8 }}
       initContainers:
+        {{- if .Values.preExtraInitContainers }}
+        {{- toYaml .Values.preExtraInitContainers | nindent 8 }}
+        {{- end }}
         - name: init-gitea
           image: "{{ include "gitea.actions.init.image" . }}"
           command:
@@ -47,12 +54,12 @@ spec:
               echo "Gitea has been reached!"
         - name: dind
           image: "{{ include "gitea.actions.dind.image" . }}"
+          restartPolicy: Always
           imagePullPolicy: {{ .Values.statefulset.dind.pullPolicy }}
           {{- if .Values.statefulset.dind.extraEnvs }}
           env:
             {{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }}
           {{- end }}
-          restartPolicy: Always
           securityContext:
             privileged: true
           startupProbe:
@@ -60,21 +67,36 @@ spec:
               command:
                 - /usr/bin/test
                 - -S
+                {{- if .Values.statefulset.dind.rootless }}
+                - /run/user/{{ .Values.statefulset.dind.uid | default 1000 }}/docker.sock
+                {{- else }}
                 - /var/run/docker.sock
+                {{- end }}
           livenessProbe:
             exec:
               command:
                 - /usr/bin/test
                 - -S
+                {{- if .Values.statefulset.dind.rootless }}
+                - /run/user/{{ .Values.statefulset.dind.uid | default 1000 }}/docker.sock
+                {{- else }}
                 - /var/run/docker.sock
+                {{- end }}
           resources:
             {{- toYaml .Values.statefulset.resources | nindent 12 }}
           volumeMounts:
+            {{- if .Values.statefulset.dind.rootless }}
+            - mountPath: /run/user/{{ .Values.statefulset.dind.uid | default 1000 }}/
+            {{- else }}
             - mountPath: /var/run/
+            {{- end }}
               name: docker-socket
             {{- with .Values.statefulset.dind.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+        {{- if .Values.postExtraInitContainers }}
+        {{- toYaml .Values.postExtraInitContainers | nindent 8 }}
+        {{- end }}
       containers:
         - name: act-runner
           image: "{{ include "gitea.actions.actRunner.image" . }}"
@@ -84,8 +106,8 @@ spec:
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: "{{ .Values.existingSecret | default $secretName }}"
+                  name: "{{ (tpl .Values.existingSecret . ) | default $secretName }}"
-                  key: "{{ .Values.existingSecretKey | default "token" }}"
+                  key: "{{ (tpl .Values.existingSecretKey . ) | default "token" }}"
             - name: GITEA_INSTANCE_URL
               value: {{ include "gitea.actions.local_root_url" . }}
             - name: CONFIG_FILE
@@ -109,6 +131,12 @@ spec:
             {{- with .Values.statefulset.actRunner.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
+      {{- if .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+      {{- range .Values.global.imagePullSecrets }}
+        - name: {{ . }}
+      {{- end }}
+      {{- end }}
       {{- range $key, $value := .Values.statefulset.nodeSelector }}
       nodeSelector:
         {{ $key }}: {{ $value | quote }}
@@ -135,7 +163,9 @@ spec:
         name: data-act-runner
       spec:
         accessModes: [ "ReadWriteOnce" ]
-        {{- include "gitea.actions.persistence.storageClass" . | nindent 8 }}
+        {{- if .Values.global.storageClass }}
+        {{- include "gitea.actions.persistence.storageClass" . | indent 8 }}
+        {{- end }}
         resources:
           requests:
             storage: {{ .Values.statefulset.persistence.size }}

unittests/helm/config-act-runner.yaml

@@ -48,7 +48,7 @@ tests:
       enabled: true
       statefulset:
         actRunner:
-          config:
+          config: |
             container:
               valid_volumes:
                 - /var/run/docker.sock

unittests/helm/statefulset.yaml

@@ -429,6 +429,33 @@ tests:
           content:
             mountPath: /mnt
             name: my-dind-volume
+  - it: should interpret existingSecret & existingSecretKey templating
+    template: templates/statefulset.yaml
+    set:
+      gitea:
+        token:
+          secret:
+            name: "gitea-secret"
+            key: "secret-key"
+      enabled: true
+      existingSecret: "{{ .Release.Name }}-{{ .Values.gitea.token.secret.name}}"
+      existingSecretKey: "{{ .Values.gitea.token.secret.key}}"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[0].name
+          value: "GITEA_RUNNER_REGISTRATION_TOKEN"
+      - equal:
+          path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.name
+          value: "gitea-unittests-gitea-secret"
+      - equal:
+          path: spec.template.spec.containers[0].env[0].valueFrom.secretKeyRef.key
+          value: "secret-key"
   - it: should interpret Gitea Root URL templating
     template: templates/statefulset.yaml
     set:
@@ -461,3 +488,15 @@ tests:
               echo "Trying again in 3 seconds..."
             done
             echo "Gitea has been reached!"
+  - it: should render service account name correctly
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      statefulset:
+        serviceAccountName: "my-service-account"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: "my-service-account"

values.yaml

@@ -2,8 +2,6 @@
 ## @section Gitea Actions
 #
 ## @param enabled Create an act runner StatefulSet.
-## @param init.image.repository The image used for the init containers
-## @param init.image.tag The image tag used for the init containers
 ## @param statefulset.replicas the amount of (replica) runner pods deployed
 ## @param statefulset.timezone is the timezone that will be set in the act_runner image
 ## @param statefulset.annotations Act runner annotations
@@ -21,6 +19,8 @@
 ## @param statefulset.actRunner.fullOverride Completely overrides the image registry, path/image, tag and digest.
 ## @param statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container
 ## @param statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
+## @param statefulset.dind.rootless [default: false] a simple flag to let helm know we are dealing with a rootless dind container
+## @param statefulset.dind.uid a field to set the running user id for the rootless dind container, so it knows where to look for the socket
 ## @param statefulset.dind.registry image registry, e.g. gcr.io,docker.io
 ## @param statefulset.actRunner.extraEnvs Allows adding custom environment variables
 ## @param statefulset.dind.repository The Docker-in-Docker image
@@ -32,9 +32,7 @@
 ## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
 ## @param statefulset.persistence.size Size for persistence to store act runner data
 ## @param statefulset.securityContext Customize the SecurityContext
-## @param existingSecret Secret that contains the token
+## @param statefulset.serviceAccountName Customize the service account name
-## @param existingSecretKey Secret key
-## @param giteaRootURL URL the act_runner registers and connect with
 enabled: false
 statefulset:
   replicas: 1
@@ -47,11 +45,12 @@ statefulset:
   affinity: {}
   extraVolumes: []
   securityContext: {}
+  serviceAccountName: ""
 
   actRunner:
     registry: "docker.gitea.com"
     repository: act_runner
-    tag: 0.2.13
+    tag: 0.3.0
     digest: ""
     pullPolicy: IfNotPresent
     fullOverride: ""
@@ -74,9 +73,11 @@ statefulset:
         docker_timeout: 300s
 
   dind:
-    registry: ""
+    rootless: false
+    uid: ""
+    registry: "docker.io"
     repository: docker
-    tag: 28.3.3-dind
+    tag: 29.3.1-dind
     digest: ""
     pullPolicy: IfNotPresent
     fullOverride: ""
@@ -110,18 +111,38 @@ init:
     pullPolicy: IfNotPresent
     fullOverride: ""
 
-## Specify an existing token secret
+## @section Runner Token Secret Configuration
-##
+#
+## @param existingSecret Secret that contains the token
+## @param existingSecretKey Secret key
 existingSecret: ""
 existingSecretKey: ""
 
-## Specify the root URL of the Gitea instance
+## @section Gitea URL Setting
+#
+## @param giteaRootURL URL the act_runner registers and connect with
 giteaRootURL: ""
 
+## @section Extra Init Containers
+#
+## @param preExtraInitContainers Additional init containers to run in the pod before gitea-actions runs it owns init containers.
+## @param postExtraInitContainers Additional init containers to run in the pod after gitea-actions runs it owns init containers.
+preExtraInitContainers: []
+# - name: pre-init-container
+#   image: docker.io/library/busybox
+#   command: [ /bin/sh, -c, 'echo "Hello world! I am a pre init container."' ]
+
+postExtraInitContainers: []
+# - name: post-init-container
+#   image: docker.io/library/busybox
+#   command: [ /bin/sh, -c, 'echo "Hello world! I am a post init container."' ]
+
 ## @section Global
 #
 ## @param global.imageRegistry global image registry override
+## @param global.imagePullSecrets global image registry pull secrets
 ## @param global.storageClass global storage class override
 global:
   imageRegistry: ""
+  imagePullSecrets: []
   storageClass: ""