Compare commits

...

4 Commits

Author SHA1 Message Date
Sten df30877b5e fix(forte-drop-pg-backup): set MC_CONFIG_DIR so mc can write its config
/ test (pull_request) Successful in 8s
The backup CronJob runs as uid 65532 (runAsNonRoot). mc defaulted its
config dir to $HOME/.mc = /.mc and failed with "mkdir /.mc: permission
denied" on the non-writable root fs — every nightly run died before
uploading, so there are currently no backups in s3://drops/_pgbackups/.
Point MC_CONFIG_DIR at the shared /work emptyDir (writable via fsGroup).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 13:18:20 +02:00
danijel.simeunovic 9297398d56 gitea update
/ test (push) Successful in 8s
2026-06-11 13:03:59 +02:00
danijel.simeunovic b0804e1e6a scan
/ test (push) Successful in 11s
2026-06-11 10:34:11 +02:00
danijel.simeunovic 8216399155 trufflehog
/ test (push) Failing after 33s
2026-06-11 10:14:25 +02:00
4 changed files with 27 additions and 6 deletions
+20
@@ -0,0 +1,20 @@
on:
push:
branches:
- main
pull_request:
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install TruffleHog
run: |
curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh \
| sh -s -- -b /usr/local/bin
- name: Secret Scanning
run: trufflehog git file://. --fail --no-update --results=verified,unknown
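Review bot: the Install TruffleHog step pipes an unpinned install script fetched from the upstream `main` branch straight into `sh` (`curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin`), so every CI run executes whatever that branch contains at that moment, which is the kind of supply-chain exposure a secret-scanning job exists to reduce. Pin a released TruffleHog version and verify a checksum of the downloaded binary before placing it in `/usr/local/bin`, or run a version-pinned TruffleHog container image instead; pinning `actions/checkout@v4` to a commit SHA would be consistent with that. The scan invocation itself looks right: `fetch-depth: 0` gives TruffleHog the full history to walk, `--no-update` keeps the runner from fetching a newer binary mid-job, and `--fail` with `--results=verified,unknown` fails the job on verified credentials and on findings whose verification could not complete.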
@@ -77,6 +77,12 @@ spec:
mc rm --recursive --force --older-than 30d "obj/${S3_BUCKET}/_pgbackups/" || true mc rm --recursive --force --older-than 30d "obj/${S3_BUCKET}/_pgbackups/" || true
echo "backup retention pass complete" echo "backup retention pass complete"
env: env:
# mc writes its config under $MC_CONFIG_DIR; point it at the shared
# emptyDir (writable by uid 65532 via fsGroup). Without this it tries
# to mkdir /.mc on the read-only-to-nonroot root fs -> "mkdir /.mc:
# permission denied" and every run fails before uploading.
- name: MC_CONFIG_DIR
value: "/work/.mc"
- name: S3_ENDPOINT - name: S3_ENDPOINT
valueFrom: valueFrom:
secretKeyRef: { name: forte-drop-secrets, key: S3_ENDPOINT } secretKeyRef: { name: forte-drop-secrets, key: S3_ENDPOINT }
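Review bot: with `MC_CONFIG_DIR` pointing at the shared `/work` emptyDir, mc will persist the definition of the `obj` alias used in `mc rm ... "obj/${S3_BUCKET}/_pgbackups/"` into `/work/.mc/config.json`; if that alias is created with `mc alias set` from the S3 secret earlier in this script, the access and secret keys are written in plaintext to a volume that is shared by design, so any other container mounting `/work` can read them and they sit on the node's disk for the life of the pod. If that matters here, define the alias through the `MC_HOST_obj` environment variable instead (mc reads `MC_HOST_<alias>` values of the form `https://ACCESS:SECRET@endpoint` without writing them to the config dir), or at least back the emptyDir with `medium: Memory`. The change itself is correct and the inline comment explains the failure mode well; unrelated but visible in the context, the `|| true` on the retention `mc rm` means a broken retention pass still logs `backup retention pass complete`.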
@@ -1,8 +1,3 @@
# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
# to the keycloak namespace; a CronJob registers the OIDC client in the forte
# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
# registrar-created Secret automatically — no manual SealedSecret step needed.
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
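Review bot: this hunk deletes the only in-file explanation of how the Secret is consumed: that Kyverno clones it into the keycloak namespace, that a CronJob registers the OIDC client in the forte realm and writes `forte-drop-oidc-credentials` back into this namespace after about two minutes, and that the forte-helm auth sidecar with `auth.type: oidc` picks that Secret up without a manual SealedSecret step. Nothing in the diff or the commit messages says where that explanation went; if it was moved to a README, leave a one-line pointer to it above `apiVersion: v1`, otherwise keep the comment, since the cross-namespace flow cannot be discovered from the manifest alone.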
+1 -1
@@ -17,7 +17,7 @@ spec:
sources: sources:
- repoURL: https://dl.gitea.com/charts - repoURL: https://dl.gitea.com/charts
chart: gitea chart: gitea
targetRevision: "12.5.0" targetRevision: "12.6.0"
helm: helm:
releaseName: gitea releaseName: gitea
valueFiles: valueFiles:
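Review bot: the chart bump from `targetRevision: "12.5.0"` to `"12.6.0"` arrives under a commit titled only `gitea update`, with no record of what changed upstream or whether the bundled Gitea application version moves with the chart. Note the chart and app version delta and a link to the chart release notes in the commit message or PR description, and confirm that the values in the listed `valueFiles` still match the new chart's values schema before this is merged.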