.gitea/workflows/e2e.yml aktualisiert

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [https://github.com/crazy-max/ghaction-import-gpg](https://github.com/crazy-max/ghaction-import-gpg) | action | major | `v6` → `v7` |

---

### Release Notes

<details>
<summary>crazy-max/ghaction-import-gpg (https://github.com/crazy-max/ghaction-import-gpg)</summary>

### [`v7`](https://github.com/crazy-max/ghaction-import-gpg/compare/v6...v7)

[Compare Source](https://github.com/crazy-max/ghaction-import-gpg/compare/v6...v7)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Only on Sunday and Saturday ( * * * * 0,6 ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Ni4xIiwidXBkYXRlZEluVmVyIjoiNDMuNTYuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsia2luZC9kZXBlbmRlbmN5Il19-->

Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/103
Reviewed-by: DaanSelen <135789+daanselen@noreply.gitea.com>
Co-authored-by: Renovate Bot <renovate-bot@gitea.com>
Co-committed-by: Renovate Bot <renovate-bot@gitea.com>

.gitea/workflows/changelog.yml

@@ -8,12 +8,12 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
-    container: docker.io/thegeeklab/git-sv:2.0.5
+    container: docker.io/thegeeklab/git-sv:2.0.9
     steps:
       - name: install tools
         run: |
           apk add -q --update --no-cache nodejs curl jq sed
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
       - name: Generate upcoming changelog

.gitea/workflows/commitlint.yml

@@ -11,9 +11,9 @@ on:
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: commitlint/commitlint:19.7.1
+    container: commitlint/commitlint:20.4.1
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: check PR title
         run: |
           echo "${{ gitea.event.pull_request.title }}" | commitlint --config .commitlintrc.json

.gitea/workflows/e2e.yml

@@ -0,0 +1,76 @@
+on: pull_request
+jobs:
+  k8s-test:
+    runs-on: ubuntu-latest
+    env:
+      CLUSTER_NAME: test-cluster
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Docker CLI, kind, and kubectl
+        run: |
+          # Install Docker CLI (to talk to the host daemon via the mounted socket)
+          apt-get update && apt-get install -y docker.io jq
+
+          # Install kind
+          curl -Lo /usr/local/bin/kind https://kind.sigs.k8s.io/dl/v0.24.0/kind-linux-amd64
+          chmod +x /usr/local/bin/kind
+
+          # Install kubectl
+          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+          install kubectl /usr/local/bin/
+
+      - name: Create kind cluster
+        run: |
+          kind delete cluster test-cluster2
+        
+          docker inspect ${CLUSTER_NAME}-control-plane && mkdir -p ~/.kube && kind get kubeconfig --name ${CLUSTER_NAME} > ~/.kube/config || kind create cluster --name ${CLUSTER_NAME} --wait 5m
+
+      - name: Connect kind to the job container's network and fix kubeconfig
+        if: always()
+        run: |
+          # 1. Find the Docker network the job container is on
+          #    The job container's hostname is the container ID
+          JOB_CONTAINER_ID=$(hostname)
+          NETWORK_NAME=$(docker inspect "$JOB_CONTAINER_ID" \
+            --format '{{range $k, $v := .NetworkSettings.Networks}}{{$k}}{{end}}')
+
+          echo "NETWORK_NAME=$NETWORK_NAME" >> $GITHUB_ENV
+
+          echo "Job container network: $NETWORK_NAME"
+
+          # 2. Get the kind control-plane container name
+          KIND_CONTAINER="${CLUSTER_NAME}-control-plane"
+
+          echo "KIND_CONTAINER=$KIND_CONTAINER" >> $GITHUB_ENV
+
+          # 3. Connect the kind container to the same network
+          docker network connect "$NETWORK_NAME" "$KIND_CONTAINER"
+
+          # 4. Get the kind container's IP on that network
+          KIND_IP=$(docker inspect "$KIND_CONTAINER" \
+            --format "{{(index .NetworkSettings.Networks \"$NETWORK_NAME\").IPAddress}}")
+
+          echo "Kind container IP on shared network: $KIND_IP"
+
+          # 5. Rewrite the kubeconfig to use the kind container's IP
+          #    kind's API server listens on port 6443 inside the container
+          kubectl config set-cluster kind-${CLUSTER_NAME} \
+            --server="https://${KIND_IP}:6443"
+
+          # 6. Since the TLS cert won't match the new IP, use insecure mode
+          #    OR set insecure-skip-tls-verify
+          kubectl config set-cluster kind-${CLUSTER_NAME} \
+            --insecure-skip-tls-verify=true
+
+      - name: Verify cluster access
+        if: always()
+        run: |
+          kubectl cluster-info
+          kubectl get nodes
+          kubectl get pods -A
+
+      - name: Disconnect Kind Network
+        if: always()
+        run: |
+          docker network disconnect "$NETWORK_NAME" "$KIND_CONTAINER"

.gitea/workflows/release-version.yml

@@ -7,13 +7,13 @@ on:
 
 env:
   # renovate: datasource=docker depName=alpine/helm
-  HELM_VERSION: "3.17.1"
+  HELM_VERSION: "3.20.0"
 
 jobs:
   generate-chart-publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: install tools
         run: |
           apt update -y
@@ -35,7 +35,7 @@ jobs:
 
       - name: Import GPG key
         id: import_gpg
-        uses: https://github.com/crazy-max/ghaction-import-gpg@v6
+        uses: https://github.com/crazy-max/ghaction-import-gpg@v7
         with:
           gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
           passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
@@ -59,7 +59,7 @@ jobs:
           helm registry logout registry-1.docker.io
 
       - name: aws credential configure
-        uses: https://github.com/aws-actions/configure-aws-credentials@v5
+        uses: https://github.com/aws-actions/configure-aws-credentials@v6
         with:
           aws-access-key-id: ${{ secrets.AWS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.gitea/workflows/shellcheck.yml

@@ -9,6 +9,6 @@ jobs:
   shellcheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - run: apt update --yes && apt install --yes shellcheck
       - run: find . -type f -name "*.sh" -exec shellcheck -a {} \;

.gitea/workflows/test-pr.yml

@@ -10,12 +10,12 @@ on:
 
 env:
   # renovate: datasource=github-releases depName=helm-unittest/helm-unittest
-  HELM_UNITTEST_VERSION: "v1.0.1"
+  HELM_UNITTEST_VERSION: "v1.0.3"
 
 jobs:
   check-and-test:
     runs-on: ubuntu-latest
-    container: alpine/helm:3.17.1
+    container: alpine/helm:3.20.0
     steps:
       - name: install tools
         run: |
@@ -25,7 +25,7 @@ jobs:
         uses: pnpm/action-setup@v4
         with:
           version: 10
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: install chart dependencies
         run: helm dependency build
       - name: lint

README.md

@@ -16,6 +16,29 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 
 - If `.Values.provisioning.enabled: true`, then uses the rootless Gitea image, must match helm-Gitea.
 
+## Quick-start
+
+To get started, add the Helm repo, assuming you have not already:
+
+```sh
+helm repo add gitea-charts https://dl.gitea.com/charts/
+helm repo update
+```
+
+Then pull the values.yaml file and fill it accordingly.
+
+```sh
+helm show values gitea-charts/actions > values.yaml
+```
+
+Deploy with your values, make sure the path is correct:
+
+```sh
+helm upgrade --install gitea-actions gitea-charts/actions -f values.yaml
+```
+
+You should be good to go!
+
 ## Parameters
 
 ### Gitea Actions
@@ -34,21 +57,40 @@ If `.Values.image.rootless: true`, then the following will occur. In case you us
 | `statefulset.tolerations`                 | Tolerations for the statefulset                                                                                                             | `[]`                           |
 | `statefulset.affinity`                    | Affinity for the statefulset                                                                                                                | `{}`                           |
 | `statefulset.extraVolumes`                | Extra volumes for the statefulset                                                                                                           | `[]`                           |
-| `statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `gitea/act_runner`             |
+| `statefulset.actRunner.registry`          | image registry, e.g. gcr.io,docker.io                                                                                                       | `docker.gitea.com`             |
+| `statefulset.actRunner.repository`        | The Gitea act runner image                                                                                                                  | `act_runner`                   |
 | `statefulset.actRunner.tag`               | The Gitea act runner tag                                                                                                                    | `0.2.13`                       |
+| `statefulset.actRunner.digest`            | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                  | `""`                           |
 | `statefulset.actRunner.pullPolicy`        | The Gitea act runner pullPolicy                                                                                                             | `IfNotPresent`                 |
+| `statefulset.actRunner.fullOverride`      | Completely overrides the image registry, path/image, tag and digest.                                                                        | `""`                           |
 | `statefulset.actRunner.extraVolumeMounts` | Allows mounting extra volumes in the act runner container                                                                                   | `[]`                           |
 | `statefulset.actRunner.config`            | Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details. | `Too complex. See values.yaml` |
+| `statefulset.dind.registry`               | image registry, e.g. gcr.io,docker.io                                                                                                       | `""`                           |
+| `statefulset.actRunner.extraEnvs`         | Allows adding custom environment variables                                                                                                  | `[]`                           |
 | `statefulset.dind.repository`             | The Docker-in-Docker image                                                                                                                  | `docker`                       |
 | `statefulset.dind.tag`                    | The Docker-in-Docker image tag                                                                                                              | `28.3.3-dind`                  |
+| `statefulset.dind.digest`                 | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                  | `""`                           |
+| `statefulset.dind.fullOverride`           | Completely overrides the image registry, path/image, tag and digest.                                                                        | `""`                           |
 | `statefulset.dind.pullPolicy`             | The Docker-in-Docker pullPolicy                                                                                                             | `IfNotPresent`                 |
 | `statefulset.dind.extraVolumeMounts`      | Allows mounting extra volumes in the Docker-in-Docker container                                                                             | `[]`                           |
 | `statefulset.dind.extraEnvs`              | Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`                                                                | `[]`                           |
 | `statefulset.persistence.size`            | Size for persistence to store act runner data                                                                                               | `1Gi`                          |
+| `statefulset.securityContext`             | Customize the SecurityContext                                                                                                               | `{}`                           |
 | `existingSecret`                          | Secret that contains the token                                                                                                              | `""`                           |
 | `existingSecretKey`                       | Secret key                                                                                                                                  | `""`                           |
 | `giteaRootURL`                            | URL the act_runner registers and connect with                                                                                               | `""`                           |
 
+### Gitea Actions Init
+
+| Name                      | Description                                                                                                | Value          |
+| ------------------------- | ---------------------------------------------------------------------------------------------------------- | -------------- |
+| `init.image.registry`     | image registry, e.g. gcr.io,docker.io                                                                      | `""`           |
+| `init.image.repository`   | The init image                                                                                             | `busybox`      |
+| `init.image.tag`          | the init image tag                                                                                         | `1.37.0`       |
+| `init.image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest` | `""`           |
+| `init.image.pullPolicy`   | The init image pullPolicy                                                                                  | `IfNotPresent` |
+| `init.image.fullOverride` | Completely overrides the image registry, path/image, tag and digest.                                       | `""`           |
+
 ### Global
 
 | Name                   | Description                    | Value |

package.json

@@ -14,6 +14,6 @@
   },
   "devDependencies": {
     "@bitnami/readme-generator-for-helm": "^2.7.0",
-    "markdownlint-cli": "^0.44.0"
+    "markdownlint-cli": "^0.47.0"
   }
 }

pnpm-lock.yaml

@@ -12,8 +12,8 @@ importers:
         specifier: ^2.7.0
         version: 2.7.2
       markdownlint-cli:
-        specifier: ^0.44.0
+        specifier: ^0.47.0
-        version: 0.44.0
+        version: 0.47.0
 
 packages:
 
@@ -21,19 +21,19 @@ packages:
     resolution: {integrity: sha512-7eXyJzxQTQj2ajpHlIhadciCCYWOqN8ieaweU25bStHOZowQ2c2CQyjO/bX4gxIf73LoRKxHhEYgLTllJY9SIw==}
     hasBin: true
 
-  '@isaacs/cliui@8.0.2':
+  '@isaacs/balanced-match@4.0.1':
-    resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==}
+    resolution: {integrity: sha512-yzMTt9lEb8Gv7zRioUilSglI0c0smZ9k5D65677DLWLtWJaXIS3CqcGyUFByYKlnUj6TkjLVs54fBl6+TiGQDQ==}
-    engines: {node: '>=12'}
+    engines: {node: 20 || >=22}
 
-  '@pkgjs/parseargs@0.11.0':
+  '@isaacs/brace-expansion@5.0.1':
-    resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
+    resolution: {integrity: sha512-WMz71T1JS624nWj2n2fnYAuPovhv7EUhk69R6i9dsVyzxt5eM3bjwvgk9L+APE1TRscGysAVMANkB0jh0LQZrQ==}
-    engines: {node: '>=14'}
+    engines: {node: 20 || >=22}
 
   '@types/debug@4.1.12':
     resolution: {integrity: sha512-vIChWdVG3LG1SMxEvI/AK+FWJthlrqlTu7fbrlywTkkaONwk/UAGaULXRlf8vkzFBLVm0zkMdCquhL5aOjhXPQ==}
 
-  '@types/katex@0.16.7':
+  '@types/katex@0.16.8':
-    resolution: {integrity: sha512-HMwFiRujE5PjrgwHQ25+bsLJgowjGjm5Z8FVSf0N6PwgJrwxH0QxzHYDcKsTfV3wva0vzrpqMTJS2jXPr5BMEQ==}
+    resolution: {integrity: sha512-trgaNyfU+Xh2Tc+ABIb44a5AYUpicB3uwirOioeOkNPPbmgRNtcWyDeeFRzjPZENO9Vq8gvVqfhaaXWLlevVwg==}
 
   '@types/ms@2.1.0':
     resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
@@ -41,22 +41,10 @@ packages:
   '@types/unist@2.0.11':
     resolution: {integrity: sha512-CmBKiL6NNo/OqgmMn95Fk9Whlp2mtvIv+KNpQKN2F4SjvrEesubTRWGYSg+BnWZOnlCaSTU1sMpsBOzgbYhnsA==}
 
-  ansi-regex@5.0.1:
-    resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==}
-    engines: {node: '>=8'}
-
   ansi-regex@6.2.2:
     resolution: {integrity: sha512-Bq3SmSpyFHaWjPk8If9yc6svM8c56dB5BAtW4Qbw5jHTwwXXcTLoRMkpDJp6VL0XzlWaCHTXrkFURMYmD0sLqg==}
     engines: {node: '>=12'}
 
-  ansi-styles@4.3.0:
-    resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==}
-    engines: {node: '>=8'}
-
-  ansi-styles@6.2.3:
-    resolution: {integrity: sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==}
-    engines: {node: '>=12'}
-
   argparse@2.0.1:
     resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
 
@@ -66,9 +54,6 @@ packages:
   brace-expansion@1.1.12:
     resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==}
 
-  brace-expansion@2.0.2:
-    resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==}
-
   character-entities-legacy@3.0.0:
     resolution: {integrity: sha512-RpPp0asT/6ufRm//AJVwpViZbGM/MkjQFxJccQRHmISF/22NBtsHqAWmL+/pmkPWoIUJdWyeVleTl1wydHATVQ==}
 
@@ -78,17 +63,14 @@ packages:
   character-reference-invalid@2.0.1:
     resolution: {integrity: sha512-iBZ4F4wRbyORVsu0jPV7gXkOsGYjGHPmAyv+HiHG8gi5PtC9KI2j1+v8/tlibRvjoWX027ypmG/n0HtO5t7unw==}
 
-  color-convert@2.0.1:
-    resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
-    engines: {node: '>=7.0.0'}
-
-  color-name@1.1.4:
-    resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==}
-
   commander@13.1.0:
     resolution: {integrity: sha512-/rFeCpNJQbhSZjGVwO9RFV3xPqbnERS8MmIQzCtD/zl6gpJuV/bMLuN92oG3F7d8oDEHHRrujSXNUr8fpjntKw==}
     engines: {node: '>=18'}
 
+  commander@14.0.3:
+    resolution: {integrity: sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw==}
+    engines: {node: '>=20'}
+
   commander@6.2.1:
     resolution: {integrity: sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==}
     engines: {node: '>= 6'}
@@ -100,10 +82,6 @@ packages:
   concat-map@0.0.1:
     resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
 
-  cross-spawn@7.0.6:
-    resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
-    engines: {node: '>= 8'}
-
   debug@4.4.3:
     resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==}
     engines: {node: '>=6.0'}
@@ -113,8 +91,8 @@ packages:
       supports-color:
         optional: true
 
-  decode-named-character-reference@1.2.0:
+  decode-named-character-reference@1.3.0:
-    resolution: {integrity: sha512-c6fcElNV6ShtZXmsgNgFFV5tVX2PaV4g+MOAkb8eXHvn6sryJBrZa9r0zV6+dtTyoCKxtDy5tyQ5ZwQuidtd+Q==}
+    resolution: {integrity: sha512-GtpQYB283KrPp6nRw50q3U9/VfOutZOe103qlN7BPP6Ad27xYnOIWv4lPzo8HCAL+mMZofJ9KEy30fq6MfaK6Q==}
 
   deep-extend@0.6.0:
     resolution: {integrity: sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==}
@@ -131,33 +109,29 @@ packages:
     resolution: {integrity: sha512-xHF8EP4XH/Ba9fvAF2LDd5O3IITVolerVV6xvkxoM8zlGEiCUrggpAnHyOoKJKCrhvPcGATFAUwIujj7bRG5UA==}
     hasBin: true
 
-  eastasianwidth@0.2.0:
-    resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
-
-  emoji-regex@8.0.0:
-    resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==}
-
-  emoji-regex@9.2.2:
-    resolution: {integrity: sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==}
-
   entities@4.5.0:
     resolution: {integrity: sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==}
     engines: {node: '>=0.12'}
 
-  foreground-child@3.3.1:
+  fdir@6.5.0:
-    resolution: {integrity: sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==}
+    resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
-    engines: {node: '>=14'}
+    engines: {node: '>=12.0.0'}
+    peerDependencies:
+      picomatch: ^3 || ^4
+    peerDependenciesMeta:
+      picomatch:
+        optional: true
 
   fs.realpath@1.0.0:
     resolution: {integrity: sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==}
 
-  glob@10.4.5:
+  get-east-asian-width@1.4.0:
-    resolution: {integrity: sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==}
+    resolution: {integrity: sha512-QZjmEOC+IT1uk6Rx0sX22V6uHWVwbdbxf1faPqJ1QhLdGgsRGCZoyaQBm/piRdJy/D2um6hM1UP7ZEeQ4EkP+Q==}
-    hasBin: true
+    engines: {node: '>=18'}
 
   glob@7.2.3:
     resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
-    deprecated: Glob versions prior to v9 are no longer supported
+    deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
 
   ignore@7.0.5:
     resolution: {integrity: sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==}
@@ -183,21 +157,11 @@ packages:
   is-decimal@2.0.1:
     resolution: {integrity: sha512-AAB9hiomQs5DXWcRB1rqsxGUstbRroFOPPVAomNk/3XHR5JyEZChOyTWe2oayKnsSsr/kcGqF+z6yuH6HHpN0A==}
 
-  is-fullwidth-code-point@3.0.0:
-    resolution: {integrity: sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==}
-    engines: {node: '>=8'}
-
   is-hexadecimal@2.0.1:
     resolution: {integrity: sha512-DgZQp241c8oO6cA1SbTEWiXeoxV42vlcJxgH+B3hi1AiqqKruZR3ZGF8In3fj4+/y/7rHvlOZLZtgJ/4ttYGZg==}
 
-  isexe@2.0.0:
+  js-yaml@4.1.1:
-    resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==}
+    resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==}
-
-  jackspeak@3.4.3:
-    resolution: {integrity: sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==}
-
-  js-yaml@4.1.0:
-    resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
     hasBin: true
 
   jsonc-parser@3.3.1:
@@ -207,18 +171,15 @@ packages:
     resolution: {integrity: sha512-p/nXbhSEcu3pZRdkW1OfJhpsVtW1gd4Wa1fnQc9YLiTfAjn0312eMKimbdIQzuZl9aa9xUGaRlP9T/CJE/ditQ==}
     engines: {node: '>=0.10.0'}
 
-  katex@0.16.22:
+  katex@0.16.28:
-    resolution: {integrity: sha512-XCHRdUw4lf3SKBaJe4EvgqIuWwkPSo9XoeO8GjQW94Bp7TWv9hNhzZjZ+OH9yf1UmLygb7DIT5GSFQiyt16zYg==}
+    resolution: {integrity: sha512-YHzO7721WbmAL6Ov1uzN/l5mY5WWWhJBSW+jq4tkfZfsxmo1hu6frS0EOswvjBUnWE6NtjEs48SFn5CQESRLZg==}
     hasBin: true
 
   linkify-it@5.0.0:
     resolution: {integrity: sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==}
 
-  lodash@4.17.21:
+  lodash@4.17.23:
-    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
+    resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==}
-
-  lru-cache@10.4.3:
-    resolution: {integrity: sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==}
 
   markdown-it@14.1.0:
     resolution: {integrity: sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==}
@@ -227,23 +188,23 @@ packages:
   markdown-table@2.0.0:
     resolution: {integrity: sha512-Ezda85ToJUBhM6WGaG6veasyym+Tbs3cMAw/ZhOPqXiYsr0jgocBV3j3nx+4lk47plLlIqjwuTm/ywVI+zjJ/A==}
 
-  markdownlint-cli@0.44.0:
+  markdownlint-cli@0.47.0:
-    resolution: {integrity: sha512-ZJTAONlvF9NkrIBltCdW15DxN9UTbPiKMEqAh2EU2gwIFlrCMavyCEPPO121cqfYOrLUJWW8/XKWongstmmTeQ==}
+    resolution: {integrity: sha512-HOcxeKFAdDoldvoYDofd85vI8LgNWy8vmYpCwnlLV46PJcodmGzD7COSSBlhHwsfT4o9KrAStGodImVBus31Bg==}
-    engines: {node: '>=18'}
+    engines: {node: '>=20'}
     hasBin: true
 
-  markdownlint@0.37.4:
+  markdownlint@0.40.0:
-    resolution: {integrity: sha512-u00joA/syf3VhWh6/ybVFkib5Zpj2e5KB/cfCei8fkSRuums6nyisTWGqjTWIOFoFwuXoTBQQiqlB4qFKp8ncQ==}
+    resolution: {integrity: sha512-UKybllYNheWac61Ia7T6fzuQNDZimFIpCg2w6hHjgV1Qu0w1TV0LlSgryUGzM0bkKQCBhy2FDhEELB73Kb0kAg==}
-    engines: {node: '>=18'}
+    engines: {node: '>=20'}
 
   mdurl@2.0.0:
     resolution: {integrity: sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==}
 
-  micromark-core-commonmark@2.0.2:
+  micromark-core-commonmark@2.0.3:
-    resolution: {integrity: sha512-FKjQKbxd1cibWMM1P9N+H8TwlgGgSkWZMmfuVucLCHaYqeSvJ0hFeHsIa65pA2nYbes0f8LDHPMrd9X7Ujxg9w==}
+    resolution: {integrity: sha512-RDBrHEMSxVFLg6xvnXmb1Ayr2WzLAWjeSATAoxwKYJV94TeNavgoIdA0a9ytzDSVzBy2YKFK+emCPOEibLeCrg==}
 
-  micromark-extension-directive@3.0.2:
+  micromark-extension-directive@4.0.0:
-    resolution: {integrity: sha512-wjcXHgk+PPdmvR58Le9d7zQYWy+vKEU9Se44p2CrCDPiLr2FMyiT4Fyb5UFKFC66wGB3kPlgD7q3TnoqPS7SZA==}
+    resolution: {integrity: sha512-/C2nqVmXXmiseSSuCdItCMho7ybwwop6RrrRPk0KbOHW21JKoCldC+8rFOaundDoRBUWBnJJcxeA/Kvi34WQXg==}
 
   micromark-extension-gfm-autolink-literal@2.1.0:
     resolution: {integrity: sha512-oOg7knzhicgQ3t4QCjCWgTmfNhvQbDDnJeVu9v81r7NltNCVmhPy1fJRX27pISafdjL+SVc4d3l48Gb6pbRypw==}
@@ -251,8 +212,8 @@ packages:
   micromark-extension-gfm-footnote@2.1.0:
     resolution: {integrity: sha512-/yPhxI1ntnDNsiHtzLKYnE3vf9JZ6cAisqVDauhp4CEHxlb4uoOTxOCJ+9s51bIB8U1N1FJ1RXOKTIlD5B/gqw==}
 
-  micromark-extension-gfm-table@2.1.0:
+  micromark-extension-gfm-table@2.1.1:
-    resolution: {integrity: sha512-Ub2ncQv+fwD70/l4ou27b4YzfNaCJOvyX4HxXU15m7mpYY+rjuWzsLIPZHJL253Z643RpbcP1oeIJlQ/SKW67g==}
+    resolution: {integrity: sha512-t2OU/dXXioARrC6yWfJ4hqB7rct14e8f7m0cbI5hUmDyyIlwv5vEtooptH8INkbLzOatzKuVbQmAYcbWoyz6Dg==}
 
   micromark-extension-math@3.1.0:
     resolution: {integrity: sha512-lvEqd+fHjATVs+2v/8kg9i5Q0AP2k85H0WUOwpIVvUML8BapsMvh1XAogmQjOCsLpoKRCVQqEkQBB3NhVBcsOg==}
@@ -308,35 +269,28 @@ packages:
   micromark-util-symbol@2.0.1:
     resolution: {integrity: sha512-vs5t8Apaud9N28kgCrRUdEed4UJ+wWNvicHLPxCa9ENlYuAY31M0ETy5y1vA33YoNPDFTghEbnh6efaE8h4x0Q==}
 
-  micromark-util-types@2.0.1:
+  micromark-util-types@2.0.2:
-    resolution: {integrity: sha512-534m2WhVTddrcKVepwmVEVnUAmtrx9bfIjNoQHRqfnvdaHQiFytEhJoTgpWJvDEXCO5gLTQh3wYC1PgOJA4NSQ==}
+    resolution: {integrity: sha512-Yw0ECSpJoViF1qTU4DC6NwtC4aWGt1EkzaQB8KPPyCRR8z9TWeV0HbEFGTO+ZY1wB22zmxnJqhPyTpOVCpeHTA==}
 
-  micromark@4.0.1:
+  micromark@4.0.2:
-    resolution: {integrity: sha512-eBPdkcoCNvYcxQOAKAlceo5SNdzZWfF+FcSupREAzdAh9rRmE239CEQAiTwIgblwnoM8zzj35sZ5ZwvSEOF6Kw==}
+    resolution: {integrity: sha512-zpe98Q6kvavpCr1NPVSCMebCKfD7CA2NqZ+rykeNhONIJBpc1tFKt9hucLGwha3jNTNI8lHpctWJWoimVF4PfA==}
+
+  minimatch@10.1.2:
+    resolution: {integrity: sha512-fu656aJ0n2kcXwsnwnv9g24tkU5uSmOlTjd6WyyaKm2Z+h1qmY6bAjrcaIxF/BslFqbZ8UBtbJi7KgQOZD2PTw==}
+    engines: {node: 20 || >=22}
 
   minimatch@3.1.2:
     resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==}
 
-  minimatch@9.0.5:
-    resolution: {integrity: sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==}
-    engines: {node: '>=16 || 14 >=14.17'}
-
   minimist@1.2.8:
     resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==}
 
-  minipass@7.1.2:
-    resolution: {integrity: sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==}
-    engines: {node: '>=16 || 14 >=14.17'}
-
   ms@2.1.3:
     resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
 
   once@1.4.0:
     resolution: {integrity: sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==}
 
-  package-json-from-dist@1.0.1:
-    resolution: {integrity: sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==}
-
   parse-entities@4.0.2:
     resolution: {integrity: sha512-GG2AQYWoLgL877gQIKeRPGO1xF9+eG1ujIb5soS5gPvLQ1y2o8FL90w2QWNdf9I361Mpp7726c+lj3U0qK1uGw==}
 
@@ -344,13 +298,9 @@ packages:
     resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==}
     engines: {node: '>=0.10.0'}
 
-  path-key@3.1.1:
+  picomatch@4.0.3:
-    resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==}
+    resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==}
-    engines: {node: '>=8'}
+    engines: {node: '>=12'}
-
-  path-scurry@1.11.1:
-    resolution: {integrity: sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==}
-    engines: {node: '>=16 || 14 >=14.18'}
 
   punycode.js@2.3.1:
     resolution: {integrity: sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==}
@@ -364,33 +314,13 @@ packages:
     resolution: {integrity: sha512-CcfE+mYiTcKEzg0IqS08+efdnH0oJ3zV0wSUFBNrMHMuxCtXvBCLzCJHatwuXDcu/RlhjTziTo/a1ruQik6/Yg==}
     hasBin: true
 
-  shebang-command@2.0.0:
+  smol-toml@1.5.2:
-    resolution: {integrity: sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==}
+    resolution: {integrity: sha512-QlaZEqcAH3/RtNyet1IPIYPsEWAaYyXXv1Krsi+1L/QHppjX4Ifm8MQsBISz9vE8cHicIq3clogsheili5vhaQ==}
-    engines: {node: '>=8'}
-
-  shebang-regex@3.0.0:
-    resolution: {integrity: sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==}
-    engines: {node: '>=8'}
-
-  signal-exit@4.1.0:
-    resolution: {integrity: sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==}
-    engines: {node: '>=14'}
-
-  smol-toml@1.3.4:
-    resolution: {integrity: sha512-UOPtVuYkzYGee0Bd2Szz8d2G3RfMfJ2t3qVdZUAozZyAk+a0Sxa+QKix0YCwjL/A1RR0ar44nCxaoN9FxdJGwA==}
     engines: {node: '>= 18'}
 
-  string-width@4.2.3:
+  string-width@8.1.0:
-    resolution: {integrity: sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==}
+    resolution: {integrity: sha512-Kxl3KJGb/gxkaUMOjRsQ8IrXiGW75O4E3RPjFIINOVH8AMl2SQ/yWdTzWwF3FevIX9LcMAjJW+GRwAlAbTSXdg==}
-    engines: {node: '>=8'}
+    engines: {node: '>=20'}
-
-  string-width@5.1.2:
-    resolution: {integrity: sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==}
-    engines: {node: '>=12'}
-
-  strip-ansi@6.0.1:
-    resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==}
-    engines: {node: '>=8'}
 
   strip-ansi@7.1.2:
     resolution: {integrity: sha512-gmBGslpoQJtgnMAvOVqGZpEz9dyoKTCzy2nfz/n8aIFhN/jCE/rCmcxabB6jOOHV+0WNnylOxaxBQPSvcWklhA==}
@@ -400,27 +330,18 @@ packages:
     resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==}
     engines: {node: '>=8'}
 
+  tinyglobby@0.2.15:
+    resolution: {integrity: sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==}
+    engines: {node: '>=12.0.0'}
+
   uc.micro@2.1.0:
     resolution: {integrity: sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==}
 
-  which@2.0.2:
-    resolution: {integrity: sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==}
-    engines: {node: '>= 8'}
-    hasBin: true
-
-  wrap-ansi@7.0.0:
-    resolution: {integrity: sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==}
-    engines: {node: '>=10'}
-
-  wrap-ansi@8.1.0:
-    resolution: {integrity: sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==}
-    engines: {node: '>=12'}
-
   wrappy@1.0.2:
     resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
 
-  yaml@2.8.1:
+  yaml@2.8.2:
-    resolution: {integrity: sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==}
+    resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==}
     engines: {node: '>= 14.6'}
     hasBin: true
 
@@ -430,42 +351,28 @@ snapshots:
     dependencies:
       commander: 13.1.0
       dot-object: 2.1.5
-      lodash: 4.17.21
+      lodash: 4.17.23
       markdown-table: 2.0.0
-      yaml: 2.8.1
+      yaml: 2.8.2
 
-  '@isaacs/cliui@8.0.2':
+  '@isaacs/balanced-match@4.0.1': {}
+
+  '@isaacs/brace-expansion@5.0.1':
     dependencies:
-      string-width: 5.1.2
+      '@isaacs/balanced-match': 4.0.1
-      string-width-cjs: string-width@4.2.3
-      strip-ansi: 7.1.2
-      strip-ansi-cjs: strip-ansi@6.0.1
-      wrap-ansi: 8.1.0
-      wrap-ansi-cjs: wrap-ansi@7.0.0
-
-  '@pkgjs/parseargs@0.11.0':
-    optional: true
 
   '@types/debug@4.1.12':
     dependencies:
       '@types/ms': 2.1.0
 
-  '@types/katex@0.16.7': {}
+  '@types/katex@0.16.8': {}
 
   '@types/ms@2.1.0': {}
 
   '@types/unist@2.0.11': {}
 
-  ansi-regex@5.0.1: {}
-
   ansi-regex@6.2.2: {}
 
-  ansi-styles@4.3.0:
-    dependencies:
-      color-convert: 2.0.1
-
-  ansi-styles@6.2.3: {}
-
   argparse@2.0.1: {}
 
   balanced-match@1.0.2: {}
@@ -475,41 +382,27 @@ snapshots:
       balanced-match: 1.0.2
       concat-map: 0.0.1
 
-  brace-expansion@2.0.2:
-    dependencies:
-      balanced-match: 1.0.2
-
   character-entities-legacy@3.0.0: {}
 
   character-entities@2.0.2: {}
 
   character-reference-invalid@2.0.1: {}
 
-  color-convert@2.0.1:
-    dependencies:
-      color-name: 1.1.4
-
-  color-name@1.1.4: {}
-
   commander@13.1.0: {}
 
+  commander@14.0.3: {}
+
   commander@6.2.1: {}
 
   commander@8.3.0: {}
 
   concat-map@0.0.1: {}
 
-  cross-spawn@7.0.6:
-    dependencies:
-      path-key: 3.1.1
-      shebang-command: 2.0.0
-      which: 2.0.2
-
   debug@4.4.3:
     dependencies:
       ms: 2.1.3
 
-  decode-named-character-reference@1.2.0:
+  decode-named-character-reference@1.3.0:
     dependencies:
       character-entities: 2.0.2
 
@@ -526,29 +419,15 @@ snapshots:
       commander: 6.2.1
       glob: 7.2.3
 
-  eastasianwidth@0.2.0: {}
-
-  emoji-regex@8.0.0: {}
-
-  emoji-regex@9.2.2: {}
-
   entities@4.5.0: {}
 
-  foreground-child@3.3.1:
+  fdir@6.5.0(picomatch@4.0.3):
-    dependencies:
+    optionalDependencies:
-      cross-spawn: 7.0.6
+      picomatch: 4.0.3
-      signal-exit: 4.1.0
 
   fs.realpath@1.0.0: {}
 
-  glob@10.4.5:
+  get-east-asian-width@1.4.0: {}
-    dependencies:
-      foreground-child: 3.3.1
-      jackspeak: 3.4.3
-      minimatch: 9.0.5
-      minipass: 7.1.2
-      package-json-from-dist: 1.0.1
-      path-scurry: 1.11.1
 
   glob@7.2.3:
     dependencies:
@@ -579,19 +458,9 @@ snapshots:
 
   is-decimal@2.0.1: {}
 
-  is-fullwidth-code-point@3.0.0: {}
-
   is-hexadecimal@2.0.1: {}
 
-  isexe@2.0.0: {}
+  js-yaml@4.1.1:
-
-  jackspeak@3.4.3:
-    dependencies:
-      '@isaacs/cliui': 8.0.2
-    optionalDependencies:
-      '@pkgjs/parseargs': 0.11.0
-
-  js-yaml@4.1.0:
     dependencies:
       argparse: 2.0.1
 
@@ -599,7 +468,7 @@ snapshots:
 
   jsonpointer@5.0.1: {}
 
-  katex@0.16.22:
+  katex@0.16.28:
     dependencies:
       commander: 8.3.0
 
@@ -607,9 +476,7 @@ snapshots:
     dependencies:
       uc.micro: 2.1.0
 
-  lodash@4.17.21: {}
+  lodash@4.17.23: {}
-
-  lru-cache@10.4.3: {}
 
   markdown-it@14.1.0:
     dependencies:
@@ -624,40 +491,42 @@ snapshots:
     dependencies:
       repeat-string: 1.6.1
 
-  markdownlint-cli@0.44.0:
+  markdownlint-cli@0.47.0:
     dependencies:
-      commander: 13.1.0
+      commander: 14.0.3
-      glob: 10.4.5
+      deep-extend: 0.6.0
       ignore: 7.0.5
-      js-yaml: 4.1.0
+      js-yaml: 4.1.1
       jsonc-parser: 3.3.1
       jsonpointer: 5.0.1
-      markdownlint: 0.37.4
+      markdown-it: 14.1.0
-      minimatch: 9.0.5
+      markdownlint: 0.40.0
+      minimatch: 10.1.2
       run-con: 1.3.2
-      smol-toml: 1.3.4
+      smol-toml: 1.5.2
+      tinyglobby: 0.2.15
     transitivePeerDependencies:
       - supports-color
 
-  markdownlint@0.37.4:
+  markdownlint@0.40.0:
     dependencies:
-      markdown-it: 14.1.0
+      micromark: 4.0.2
-      micromark: 4.0.1
+      micromark-core-commonmark: 2.0.3
-      micromark-core-commonmark: 2.0.2
+      micromark-extension-directive: 4.0.0
-      micromark-extension-directive: 3.0.2
       micromark-extension-gfm-autolink-literal: 2.1.0
       micromark-extension-gfm-footnote: 2.1.0
-      micromark-extension-gfm-table: 2.1.0
+      micromark-extension-gfm-table: 2.1.1
       micromark-extension-math: 3.1.0
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
+      string-width: 8.1.0
     transitivePeerDependencies:
       - supports-color
 
   mdurl@2.0.0: {}
 
-  micromark-core-commonmark@2.0.2:
+  micromark-core-commonmark@2.0.3:
     dependencies:
-      decode-named-character-reference: 1.2.0
+      decode-named-character-reference: 1.3.0
       devlop: 1.1.0
       micromark-factory-destination: 2.0.1
       micromark-factory-label: 2.0.1
@@ -672,16 +541,16 @@ snapshots:
       micromark-util-resolve-all: 2.0.1
       micromark-util-subtokenize: 2.1.0
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
-  micromark-extension-directive@3.0.2:
+  micromark-extension-directive@4.0.0:
     dependencies:
       devlop: 1.1.0
       micromark-factory-space: 2.0.1
       micromark-factory-whitespace: 2.0.1
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
       parse-entities: 4.0.2
 
   micromark-extension-gfm-autolink-literal@2.1.0:
@@ -689,73 +558,73 @@ snapshots:
       micromark-util-character: 2.1.1
       micromark-util-sanitize-uri: 2.0.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-extension-gfm-footnote@2.1.0:
     dependencies:
       devlop: 1.1.0
-      micromark-core-commonmark: 2.0.2
+      micromark-core-commonmark: 2.0.3
       micromark-factory-space: 2.0.1
       micromark-util-character: 2.1.1
       micromark-util-normalize-identifier: 2.0.1
       micromark-util-sanitize-uri: 2.0.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
-  micromark-extension-gfm-table@2.1.0:
+  micromark-extension-gfm-table@2.1.1:
     dependencies:
       devlop: 1.1.0
       micromark-factory-space: 2.0.1
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-extension-math@3.1.0:
     dependencies:
-      '@types/katex': 0.16.7
+      '@types/katex': 0.16.8
       devlop: 1.1.0
-      katex: 0.16.22
+      katex: 0.16.28
       micromark-factory-space: 2.0.1
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-factory-destination@2.0.1:
     dependencies:
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-factory-label@2.0.1:
     dependencies:
       devlop: 1.1.0
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-factory-space@2.0.1:
     dependencies:
       micromark-util-character: 2.1.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-factory-title@2.0.1:
     dependencies:
       micromark-factory-space: 2.0.1
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-factory-whitespace@2.0.1:
     dependencies:
       micromark-factory-space: 2.0.1
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-util-character@2.1.1:
     dependencies:
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-util-chunked@2.0.1:
     dependencies:
@@ -765,12 +634,12 @@ snapshots:
     dependencies:
       micromark-util-character: 2.1.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-util-combine-extensions@2.0.1:
     dependencies:
       micromark-util-chunked: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-util-decode-numeric-character-reference@2.0.2:
     dependencies:
@@ -786,7 +655,7 @@ snapshots:
 
   micromark-util-resolve-all@2.0.1:
     dependencies:
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-util-sanitize-uri@2.0.1:
     dependencies:
@@ -799,19 +668,19 @@ snapshots:
       devlop: 1.1.0
       micromark-util-chunked: 2.0.1
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
 
   micromark-util-symbol@2.0.1: {}
 
-  micromark-util-types@2.0.1: {}
+  micromark-util-types@2.0.2: {}
 
-  micromark@4.0.1:
+  micromark@4.0.2:
     dependencies:
       '@types/debug': 4.1.12
       debug: 4.4.3
-      decode-named-character-reference: 1.2.0
+      decode-named-character-reference: 1.3.0
       devlop: 1.1.0
-      micromark-core-commonmark: 2.0.2
+      micromark-core-commonmark: 2.0.3
       micromark-factory-space: 2.0.1
       micromark-util-character: 2.1.1
       micromark-util-chunked: 2.0.1
@@ -823,48 +692,39 @@ snapshots:
       micromark-util-sanitize-uri: 2.0.1
       micromark-util-subtokenize: 2.1.0
       micromark-util-symbol: 2.0.1
-      micromark-util-types: 2.0.1
+      micromark-util-types: 2.0.2
     transitivePeerDependencies:
       - supports-color
 
+  minimatch@10.1.2:
+    dependencies:
+      '@isaacs/brace-expansion': 5.0.1
+
   minimatch@3.1.2:
     dependencies:
       brace-expansion: 1.1.12
 
-  minimatch@9.0.5:
-    dependencies:
-      brace-expansion: 2.0.2
-
   minimist@1.2.8: {}
 
-  minipass@7.1.2: {}
-
   ms@2.1.3: {}
 
   once@1.4.0:
     dependencies:
       wrappy: 1.0.2
 
-  package-json-from-dist@1.0.1: {}
-
   parse-entities@4.0.2:
     dependencies:
       '@types/unist': 2.0.11
       character-entities-legacy: 3.0.0
       character-reference-invalid: 2.0.1
-      decode-named-character-reference: 1.2.0
+      decode-named-character-reference: 1.3.0
       is-alphanumerical: 2.0.1
       is-decimal: 2.0.1
       is-hexadecimal: 2.0.1
 
   path-is-absolute@1.0.1: {}
 
-  path-key@3.1.1: {}
+  picomatch@4.0.3: {}
-
-  path-scurry@1.11.1:
-    dependencies:
-      lru-cache: 10.4.3
-      minipass: 7.1.2
 
   punycode.js@2.3.1: {}
 
@@ -877,56 +737,26 @@ snapshots:
       minimist: 1.2.8
       strip-json-comments: 3.1.1
 
-  shebang-command@2.0.0:
+  smol-toml@1.5.2: {}
+
+  string-width@8.1.0:
     dependencies:
-      shebang-regex: 3.0.0
+      get-east-asian-width: 1.4.0
-
-  shebang-regex@3.0.0: {}
-
-  signal-exit@4.1.0: {}
-
-  smol-toml@1.3.4: {}
-
-  string-width@4.2.3:
-    dependencies:
-      emoji-regex: 8.0.0
-      is-fullwidth-code-point: 3.0.0
-      strip-ansi: 6.0.1
-
-  string-width@5.1.2:
-    dependencies:
-      eastasianwidth: 0.2.0
-      emoji-regex: 9.2.2
       strip-ansi: 7.1.2
 
-  strip-ansi@6.0.1:
-    dependencies:
-      ansi-regex: 5.0.1
-
   strip-ansi@7.1.2:
     dependencies:
       ansi-regex: 6.2.2
 
   strip-json-comments@3.1.1: {}
 
+  tinyglobby@0.2.15:
+    dependencies:
+      fdir: 6.5.0(picomatch@4.0.3)
+      picomatch: 4.0.3
+
   uc.micro@2.1.0: {}
 
-  which@2.0.2:
-    dependencies:
-      isexe: 2.0.0
-
-  wrap-ansi@7.0.0:
-    dependencies:
-      ansi-styles: 4.3.0
-      string-width: 4.2.3
-      strip-ansi: 6.0.1
-
-  wrap-ansi@8.1.0:
-    dependencies:
-      ansi-styles: 6.2.3
-      string-width: 5.1.2
-      strip-ansi: 7.1.2
-
   wrappy@1.0.2: {}
 
-  yaml@2.8.1: {}
+  yaml@2.8.2: {}

templates/_helpers.tpl

@@ -84,5 +84,48 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "gitea.actions.local_root_url" -}}
-  {{- .Values.giteaRootURL -}}
+  {{- tpl .Values.giteaRootURL . -}}
+{{- end -}}
+
+{{/*
+Common create image implementation
+*/}}
+{{- define "gitea.actions.common.image" -}}
+{{- $fullOverride := .image.fullOverride | default "" -}}
+{{- $registry := .root.Values.global.imageRegistry | default .image.registry -}}
+{{- $repository :=  .image.repository -}}
+{{- $separator := ":" -}}
+{{- $tag := .image.tag | default .root.Chart.AppVersion | toString -}}
+{{- $digest := "" -}}
+{{- if .image.digest }}
+    {{- $digest = (printf "@%s" (.image.digest | toString)) -}}
+{{- end -}}
+{{- if $fullOverride }}
+    {{- printf "%s" $fullOverride -}}
+{{- else if $registry }}
+    {{- printf "%s/%s%s%s%s" $registry $repository $separator $tag $digest -}}
+{{- else -}}
+    {{- printf "%s%s%s%s" $repository $separator $tag $digest -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create image for the Gitea Actions Act Runner
+*/}}
+{{- define "gitea.actions.actRunner.image" -}}
+{{ include "gitea.actions.common.image" (dict "root" . "image" .Values.statefulset.actRunner) }}
+{{- end -}}
+
+{{/*
+Create image for DinD
+*/}}
+{{- define "gitea.actions.dind.image" -}}
+{{ include "gitea.actions.common.image" (dict "root" . "image" .Values.statefulset.dind) }}
+{{- end -}}
+
+{{/*
+Create image for Init
+*/}}
+{{- define "gitea.actions.init.image" -}}
+{{ include "gitea.actions.common.image" (dict "root" . "image" .Values.init.image) }}
 {{- end -}}

templates/config-act-runner.yaml

@@ -10,6 +10,10 @@ metadata:
 data:
   config.yaml: |
     {{- with .Values.statefulset.actRunner.config -}}
+    {{- if kindIs "string" . -}}
     {{ . | nindent 4}}
+    {{- else -}}
+    {{ toYaml . | nindent 4}}
+    {{- end -}}
     {{- end -}}
 {{- end }}

templates/statefulset.yaml

@@ -30,9 +30,11 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      securityContext:
+        {{- toYaml .Values.statefulset.securityContext | nindent 8 }}
       initContainers:
         - name: init-gitea
-          image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}"
+          image: "{{ include "gitea.actions.init.image" . }}"
           command:
             - sh
             - -c
@@ -43,18 +45,42 @@ spec:
                 echo "Trying again in 3 seconds..."
               done
               echo "Gitea has been reached!"
+        - name: dind
+          image: "{{ include "gitea.actions.dind.image" . }}"
+          imagePullPolicy: {{ .Values.statefulset.dind.pullPolicy }}
+          {{- if .Values.statefulset.dind.extraEnvs }}
+          env:
+            {{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }}
+          {{- end }}
+          restartPolicy: Always
+          securityContext:
+            privileged: true
+          startupProbe:
+            exec:
+              command:
+                - /usr/bin/test
+                - -S
+                - /var/run/docker.sock
+          livenessProbe:
+            exec:
+              command:
+                - /usr/bin/test
+                - -S
+                - /var/run/docker.sock
+          resources:
+            {{- toYaml .Values.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /var/run/
+              name: docker-socket
+            {{- with .Values.statefulset.dind.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
       containers:
         - name: act-runner
-          image: "{{ .Values.statefulset.actRunner.repository }}:{{ .Values.statefulset.actRunner.tag }}"
+          image: "{{ include "gitea.actions.actRunner.image" . }}"
           imagePullPolicy: {{ .Values.statefulset.actRunner.pullPolicy }}
           workingDir: /data
           env:
-            - name: DOCKER_HOST
-              value: tcp://127.0.0.1:2376
-            - name: DOCKER_TLS_VERIFY
-              value: "1"
-            - name: DOCKER_CERT_PATH
-              value: /certs/client
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
@@ -66,42 +92,23 @@ spec:
               value: /actrunner/config.yaml
             - name: TZ
               value: {{ .Values.statefulset.timezone | default "Etc/UTC" }}
+            {{- if .Values.statefulset.actRunner.extraEnvs }}
+            {{- toYaml .Values.statefulset.actRunner.extraEnvs | nindent 12 }}
+            {{- end }}
           resources:
             {{- toYaml .Values.statefulset.resources | nindent 12 }}
           volumeMounts:
             - mountPath: /actrunner/config.yaml
               name: act-runner-config
               subPath: config.yaml
-            - mountPath: /certs/client
+            - mountPath: /var/run/docker.sock
-              name: docker-certs
+              name: docker-socket
+              subPath: docker.sock
             - mountPath: /data
               name: data-act-runner
             {{- with .Values.statefulset.actRunner.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
-        - name: dind
-          image: "{{ .Values.statefulset.dind.repository }}:{{ .Values.statefulset.dind.tag }}"
-          imagePullPolicy: {{ .Values.statefulset.dind.pullPolicy }}
-          env:
-            - name: DOCKER_HOST
-              value: tcp://127.0.0.1:2376
-            - name: DOCKER_TLS_VERIFY
-              value: "1"
-            - name: DOCKER_CERT_PATH
-              value: /certs/client
-            {{- if .Values.statefulset.dind.extraEnvs }}
-            {{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }}
-            {{- end }}
-          securityContext:
-            privileged: true
-          resources:
-            {{- toYaml .Values.statefulset.resources | nindent 12 }}
-          volumeMounts:
-            - mountPath: /certs/client
-              name: docker-certs
-            {{- with .Values.statefulset.dind.extraVolumeMounts }}
-            {{- toYaml . | nindent 12 }}
-            {{- end }}
       {{- range $key, $value := .Values.statefulset.nodeSelector }}
       nodeSelector:
         {{ $key }}: {{ $value | quote }}
@@ -118,7 +125,7 @@ spec:
         - name: act-runner-config
           configMap:
             name: {{ include "gitea.actions.fullname" . }}-act-runner-config
-        - name: docker-certs
+        - name: docker-socket
           emptyDir: {}
         {{- with .Values.statefulset.extraVolumes }}
         {{- toYaml . | nindent 8 }}

unittests/helm/config-act-runner.yaml

@@ -42,3 +42,27 @@ tests:
             runner:
               labels:
                 - "ubuntu-latest"
+  - it: renders a ConfigMap with inline yaml
+    template: templates/config-act-runner.yaml
+    set:
+      enabled: true
+      statefulset:
+        actRunner:
+          config:
+            container:
+              valid_volumes:
+                - /var/run/docker.sock
+              options: -v /var/run/docker.sock:/var/run/docker.sock
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: ConfigMap
+          apiVersion: v1
+          name: gitea-unittests-actions-act-runner-config
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: '(?m)^\s*options:\s*-v /var/run/docker.sock:/var/run/docker.sock\s*$'
+      - matchRegex:
+          path: data["config.yaml"]
+          pattern: '(?m)^\s*valid_volumes:\s*\n\s*-\s*/var/run/docker.sock\s*$'

unittests/helm/statefulset.yaml

@@ -6,6 +6,216 @@ templates:
   - templates/statefulset.yaml
   - templates/config-act-runner.yaml
 tests:
+  - it: act-runner uses fullOverride
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.actRunner.fullOverride: test.io/act_runner:x.y.z
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: test.io/act_runner:x.y.z
+  - it: act-runner uses digest
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.actRunner.tag: 0.2.13
+      statefulset.actRunner.digest: sha256:abcdef123456
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: docker.gitea.com/act_runner:0.2.13@sha256:abcdef123456
+  - it: act-runner uses global.imageRegistry
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      global.imageRegistry: test.io
+      statefulset.actRunner.tag: 0.2.13
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: test.io/act_runner:0.2.13
+  - it: dind uses fullOverride
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.dind.fullOverride: test.io/dind:x.y.z
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.initContainers[1].image
+          value: test.io/dind:x.y.z
+  - it: dind uses global.imageRegistry
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      global.imageRegistry: test.io
+      statefulset.dind.tag: 28.3.3-dind
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.initContainers[1].image
+          value: test.io/docker:28.3.3-dind
+  - it: init uses fullOverride
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      init.image.fullOverride: test.io/busybox:x.y.z
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.initContainers[0].image
+          value: test.io/busybox:x.y.z
+  - it: init uses global.imageRegistry
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      global.imageRegistry: test.io
+      init.image.tag: 1.37.0
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.initContainers[0].image
+          value: test.io/busybox:1.37.0
+  - it: renders additional environment variables for act-runner container in StatefulSet
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset:
+        actRunner:
+          extraEnvs:
+            - name: "CUSTOM_ENV"
+              value: "1"
+            - name: "GITEA_RUNNER_NAME"
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[4]
+          value:
+            name: CUSTOM_ENV
+            value: "1"
+      - matchRegex:
+          path: spec.template.spec.containers[0].env[5].valueFrom.fieldRef.fieldPath
+          pattern: "metadata\\.name"
+      - matchRegex:
+          path: spec.template.spec.containers[0].env[5].name
+          pattern: "GITEA_RUNNER_NAME"
+  - it: Has fsGroup in securityContext
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.securityContext:
+        fsGroup: 1000
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.securityContext["fsGroup"]
+          value: 1000
+  - it: Has fsGroupChangePolicy in securityContext
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.securityContext:
+        fsGroupChangePolicy: OnRootMismatch
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.securityContext["fsGroupChangePolicy"]
+          value: "OnRootMismatch"
+  - it: Has Always in securityContext
+    template: templates/statefulset.yaml
+    set:
+      enabled: true
+      existingSecret: "my-secret"
+      existingSecretKey: "my-secret-key"
+      statefulset.securityContext:
+        fsGroupChangePolicy: Always
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.securityContext["fsGroupChangePolicy"]
+          value: "Always"
   - it: doesn't renders a StatefulSet by default
     template: templates/statefulset.yaml
     asserts:
@@ -25,7 +235,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests-actions-act-runner
       - equal:
-          path: spec.template.spec.containers[0].env[3]
+          path: spec.template.spec.containers[0].env[0]
           value:
             name: GITEA_RUNNER_REGISTRATION_TOKEN
             valueFrom:
@@ -46,7 +256,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests-actions-act-runner
       - equal:
-          path: spec.template.spec.containers[0].env[3]
+          path: spec.template.spec.containers[0].env[0]
           value:
             name: GITEA_RUNNER_REGISTRATION_TOKEN
             valueFrom:
@@ -85,7 +295,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests-actions-act-runner
       - equal:
-          path: spec.template.spec.containers[0].env[4]
+          path: spec.template.spec.containers[0].env[1]
           value:
             name: GITEA_INSTANCE_URL
             value: "http://git.example.com"
@@ -113,7 +323,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests-actions-act-runner
       - equal:
-          path: spec.template.spec.containers[0].env[4]
+          path: spec.template.spec.containers[0].env[1]
           value:
             name: GITEA_INSTANCE_URL
             value: "https://git.example.com"
@@ -141,7 +351,7 @@ tests:
           apiVersion: apps/v1
           name: gitea-unittests-actions-act-runner
       - equal:
-          path: spec.template.spec.containers[0].env[4]
+          path: spec.template.spec.containers[0].env[1]
           value:
             name: GITEA_INSTANCE_URL
             value: "https://git.example.com:8443"
@@ -165,7 +375,7 @@ tests:
               value: "custom env value"
     asserts:
       - equal:
-          path: spec.template.spec.containers[1].env[3]
+          path: spec.template.spec.initContainers[1].env[0]
           value:
             name: "CUSTOM_ENV_NAME"
             value: "custom env value"
@@ -215,7 +425,39 @@ tests:
           name: gitea-unittests-actions-act-runner
       - contains:
           any: true
-          path: spec.template.spec.containers[1].volumeMounts
+          path: spec.template.spec.initContainers[1].volumeMounts
           content:
             mountPath: /mnt
             name: my-dind-volume
+  - it: should interpret Gitea Root URL templating
+    template: templates/statefulset.yaml
+    set:
+      global:
+        gitea:
+          service:
+            name: "my-gitea-svc-http"
+            port: 3210
+      enabled: true
+      giteaRootURL: "http://{{ .Values.global.gitea.service.name }}:{{ .Values.global.gitea.service.port }}"
+    asserts:
+      - hasDocuments:
+          count: 1
+      - containsDocument:
+          kind: StatefulSet
+          apiVersion: apps/v1
+          name: gitea-unittests-actions-act-runner
+      - equal:
+          path: spec.template.spec.containers[0].env[1].name
+          value: "GITEA_INSTANCE_URL"
+      - equal:
+          path: spec.template.spec.containers[0].env[1].value
+          value: "http://my-gitea-svc-http:3210"
+      - equal:
+          path: spec.template.spec.initContainers[0].command[2]
+          value: |
+            echo 'Trying to reach Gitea on http://my-gitea-svc-http:3210'
+            until timeout 10 wget --no-check-certificate --spider http://my-gitea-svc-http:3210; do
+              sleep 3
+              echo "Trying again in 3 seconds..."
+            done
+            echo "Gitea has been reached!"

values.yaml

@@ -13,17 +13,25 @@
 ## @param statefulset.tolerations Tolerations for the statefulset
 ## @param statefulset.affinity Affinity for the statefulset
 ## @param statefulset.extraVolumes Extra volumes for the statefulset
+## @param statefulset.actRunner.registry image registry, e.g. gcr.io,docker.io
 ## @param statefulset.actRunner.repository The Gitea act runner image
 ## @param statefulset.actRunner.tag The Gitea act runner tag
+## @param statefulset.actRunner.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
 ## @param statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
+## @param statefulset.actRunner.fullOverride Completely overrides the image registry, path/image, tag and digest.
 ## @param statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container
 ## @param statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
+## @param statefulset.dind.registry image registry, e.g. gcr.io,docker.io
+## @param statefulset.actRunner.extraEnvs Allows adding custom environment variables
 ## @param statefulset.dind.repository The Docker-in-Docker image
 ## @param statefulset.dind.tag The Docker-in-Docker image tag
+## @param statefulset.dind.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
+## @param statefulset.dind.fullOverride Completely overrides the image registry, path/image, tag and digest.
 ## @param statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
 ## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
 ## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
 ## @param statefulset.persistence.size Size for persistence to store act runner data
+## @param statefulset.securityContext Customize the SecurityContext
 ## @param existingSecret Secret that contains the token
 ## @param existingSecretKey Secret key
 ## @param giteaRootURL URL the act_runner registers and connect with
@@ -38,12 +46,22 @@ statefulset:
   tolerations: []
   affinity: {}
   extraVolumes: []
+  securityContext: {}
 
   actRunner:
-    repository: gitea/act_runner
+    registry: "docker.gitea.com"
+    repository: act_runner
     tag: 0.2.13
+    digest: ""
     pullPolicy: IfNotPresent
+    fullOverride: ""
     extraVolumeMounts: []
+    extraEnvs:
+      []
+      # - name: "GITEA_RUNNER_NAME"
+      #   valueFrom:
+      #     fieldRef:
+      #       fieldPath: metadata.name
 
     # See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
     config: |
@@ -56,9 +74,12 @@ statefulset:
         docker_timeout: 300s
 
   dind:
+    registry: ""
     repository: docker
     tag: 28.3.3-dind
+    digest: ""
     pullPolicy: IfNotPresent
+    fullOverride: ""
     extraVolumeMounts: []
 
     # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable.
@@ -71,11 +92,23 @@ statefulset:
   persistence:
     size: 1Gi
 
+## @section Gitea Actions Init
+#
+## @param init.image.registry image registry, e.g. gcr.io,docker.io
+## @param init.image.repository The init image
+## @param init.image.tag the init image tag
+## @param init.image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
+## @param init.image.pullPolicy The init image pullPolicy
+## @param init.image.fullOverride Completely overrides the image registry, path/image, tag and digest.
 init:
   image:
+    registry: ""
     repository: busybox
     # Overrides the image tag whose default is the chart appVersion.
     tag: "1.37.0"
+    digest: ""
+    pullPolicy: IfNotPresent
+    fullOverride: ""
 
 ## Specify an existing token secret
 ##