chores around renovate, security context, and appVersion

move renovate.json to the root dir and allow ignoring tests for merging GHA patch/minor updates only

switch the appVersion in Chart.yaml to a specific sha tag that should actually work, until pixelfed does another official release

set the securityContext and podSecurityContext to run as user 33, which is www-data to solve security root escalation issue

Signed-off-by: jessebot <jessebot@linux.com>

charts/pixelfed/values.yaml

@@ -54,15 +54,19 @@ podAnnotations: {}
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 podLabels: {}
 
-# -- securityContext for the whole pod
-podSecurityContext: {}
-  # runAsUser: 33
-  # runAsGroup: 33
-  # fsGroup: 33
+# securityContext for the whole pixelfed pod
+podSecurityContext:
+  # -- user to run the pixelfed pod as
+  runAsUser: 33
+  # -- group to run the pixelfed pod as
+  runAsGroup: 33
+  # -- group to mount the filesystem as
+  fsGroup: 33
 
-# -- securityContext for the pixelfed container
-securityContext: {}
-  # runAsUser: 33
+# securityContext for the pixelfed container
+securityContext:
+  # -- user to run the pixelfed container as
+  runAsUser: 33
   # runAsNonRoot: true
   # readOnlyRootFilesystem: true
   # capabilities: