update

Author: mitchross

.github/renovate.json5

@@ -122,11 +122,33 @@
       versioning: 'regex:^(?<major>\\d{4})\\.(?<minor>\\d{1,2})\\.(?<patch>\\d{1,2})-[a-f0-9]+$',
     },
     {
-      description: 'Ignore PostHog managed images (pinned to docker-compose hobby versions)',
-      enabled: false,
-      matchFileNames: [
-        'my-apps/development/posthog/**',
+      description: 'PostHog app images: auto-merge digest updates (rolling release)',
+      matchPackageNames: [
+        'posthog/posthog',
+        'posthog/posthog-node',
+        'ghcr.io/posthog/posthog/capture',
+        'ghcr.io/posthog/posthog/property-defs-rs',
+        'ghcr.io/posthog/posthog/feature-flags',
+        'ghcr.io/posthog/posthog/livestream',
+        'ghcr.io/posthog/posthog/cyclotron-janitor',
+        'ghcr.io/posthog/posthog/cymbal',
+      ],
+      matchFileNames: ['my-apps/development/posthog/**'],
+      automerge: true,
+      automergeType: 'branch',
+      schedule: ['every weekend'],
+    },
+    {
+      description: 'PostHog data layer: disable auto-updates (versions must match PostHog docker-compose.base.yml)',
+      matchPackageNames: [
+        'postgres',
+        'valkey/valkey',
+        'redis',
+        'clickhouse/clickhouse-server',
+        'docker.redpanda.com/redpandadata/redpanda',
       ],
+      matchFileNames: ['my-apps/development/posthog/**'],
+      enabled: false,
     },
     {
       description: 'Pin project-nomad MySQL to 8.x (AdonisJS/Lucid not tested with MySQL 9)',

my-apps/development/gitea/fix-permissions-patch.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+spec:
+  template:
+    spec:
+      initContainers:
+      - name: fix-permissions
+        image: alpine:3.21
+        command:
+        - sh
+        - -c
+        - chown -R 1000:1000 /data && chmod -R 700 /data/git/.ssh 2>/dev/null; true
+        volumeMounts:
+        - name: data
+          mountPath: /data
+        securityContext:
+          runAsUser: 0
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL

my-apps/development/gitea/kustomization.yaml

@@ -12,3 +12,9 @@ helmCharts:
   releaseName: gitea
   namespace: gitea
   valuesFile: values.yaml
+
+patches:
+- path: fix-permissions-patch.yaml
+  target:
+    kind: Deployment
+    name: gitea

my-apps/development/gitea/values.yaml

@@ -20,14 +20,8 @@ image:
 podSecurityContext:
   fsGroup: 1000
 
-# The init container runs chmod on /data/git/.ssh. Restored PVCs from backup
-# may have root-owned files. DAC_OVERRIDE bypasses ownership checks for chmod.
-containerSecurityContext:
-  capabilities:
-    add:
-      - CHOWN
-      - FOWNER
-      - DAC_OVERRIDE
+# Permissions fixed by Kustomize init container patch (fix-permissions-patch.yaml)
+# running as root. The chart's own init container runs as the default user.
 
 gitea:
   config:

my-apps/development/posthog/core/clickhouse-init.yaml

@@ -21,7 +21,7 @@ spec:
       restartPolicy: OnFailure
       containers:
       - name: clickhouse-init
-        image: clickhouse/clickhouse-server:25.12.5.44
+        image: clickhouse/clickhouse-server:25.12.8.9
         imagePullPolicy: IfNotPresent
         command:
         - sh

my-apps/development/posthog/core/jobs.yaml

@@ -80,7 +80,7 @@ spec:
         feature.node.kubernetes.io/cpu-cpuid.AVX2: "true"
       containers:
       - name: migrate
-        image: posthog/posthog:0c1bf64077d318019343b6894674713115f5effa
+        image: posthog/posthog:latest
         command:
         - /bin/sh
         - -c

my-apps/development/posthog/core/plugins.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       containers:
         - name: plugins
-          image: posthog/posthog-node:0c1bf64077d318019343b6894674713115f5effa
+          image: posthog/posthog-node:latest
           command:
             - node
             - nodejs/dist/index.js

my-apps/development/posthog/core/web.yaml

@@ -24,7 +24,7 @@ spec:
         feature.node.kubernetes.io/cpu-cpuid.AVX2: "true"
       containers:
       - name: web
-        image: posthog/posthog:0c1bf64077d318019343b6894674713115f5effa
+        image: posthog/posthog:latest
         command:
         - /bin/sh
         - -c

my-apps/development/posthog/core/workers.yaml

@@ -24,7 +24,7 @@ spec:
         feature.node.kubernetes.io/cpu-cpuid.AVX2: "true"
       containers:
         - name: worker
-          image: posthog/posthog:0c1bf64077d318019343b6894674713115f5effa
+          image: posthog/posthog:latest
           command:
             - ./bin/docker-worker-celery
             - --with-scheduler

my-apps/development/posthog/data-layer/clickhouse.yaml

@@ -24,7 +24,7 @@ spec:
     spec:
       containers:
       - name: clickhouse
-        image: clickhouse/clickhouse-server:25.12.5.44
+        image: clickhouse/clickhouse-server:25.12.8.9
         imagePullPolicy: IfNotPresent
         env:
         - name: CLICKHOUSE_SKIP_USER_SETUP