25604372148
84%
master: 93%

Ran 09 May 2026 03:12PM UTC

Jobs 0

Files 0

Run time –

Badge

Embed ▾

pending completion

Build # 25604372148

Build Type

push

github

Committed by

web-flow

Commit Message

feat(chart): rootless restricted-PSS defaults (#1241)

* feat(chart): rootless restricted-PSS defaults

Wire `securityContext` and `podSecurityContext` to satisfy the restricted
PodSecurity Standard out of the box: rootless UID/GID 1000, drop all
capabilities, no privilege escalation, read-only rootfs, plus `fsGroup` so
the chart's writable mounts (/data, /config, /tmp) stay writable for the
non-root user. `fsGroupChangePolicy: OnRootMismatch` keeps recursive
chowns from running on every PVC mount.

Binding to :80 relies on `net.ipv4.ip_unprivileged_port_start=0`, which
containerd 1.5+ and cri-o set inside the container. The values.yaml
comments document how to opt out via `service.targetPort` on older runtimes,
or with `securityContext: {}` / `podSecurityContext: {}`.

* chore(chart): tighten chart comments

Drop em-dashes, repetition, and verbose chart-starter filler from values.yaml
and the templates. Same intent in fewer lines, with the *why* preserved on
each block (rolling-update pacing, drain budget, NetworkPolicy default-deny,
volume-mount rationale).

Coverage Stats

Source Files on build 25604372148

Detailed source file information is not available for this build.

dunglas / mercure / 25604372148
84%
master: 93%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on build 25604372148

dunglas / mercure / 25604372148 84% master: 93%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on build 25604372148

dunglas / mercure / 25604372148
84%
master: 93%

README BADGES
x