fix(infra): pin minio/mc tags + add postgres securityContext + harden bootstrap script

Address ai-review feedback on PR #17:
- Pin quay.io/minio/minio and mc to specific RELEASE tags (Renovate
  will bump). 'latest' is unpredictable in GitOps.
- Bootstrap script: set -e -> set -euo pipefail.
- Postgres container: runAsNonRoot, uid/gid 999, drop ALL caps,
  no privilege escalation. Matches PSS restricted profile.

infra/overlays/upc-dev/forte-drop-minio/resources/minio.yaml

@@ -45,7 +45,7 @@ spec:
     spec:
       containers:
       - name: minio
-        image: quay.io/minio/minio:latest
+        image: quay.io/minio/minio:RELEASE.2024-12-18T13-15-44Z
         args:
         - server
         - /data
@@ -121,7 +121,7 @@ spec:
       restartPolicy: OnFailure
       containers:
       - name: mc
-        image: quay.io/minio/mc:latest
+        image: quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
         env:
         - name: MINIO_ROOT_USER
           valueFrom:
@@ -137,7 +137,7 @@ spec:
         - sh
         - -c
         - |
-          set -e
+          set -euo pipefail
           until mc alias set local http://forte-drop-minio:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" 2>/dev/null; do
             echo "waiting for minio..."
             sleep 2

infra/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml

@@ -43,6 +43,13 @@ spec:
       containers:
       - name: postgresql
         image: postgres:16-alpine
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 999
+          runAsGroup: 999
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: [ALL]
         ports:
         - name: tcp-postgresql
           containerPort: 5432