From 894c3873a498453e674922b00f9c61049dc6c73c Mon Sep 17 00:00:00 2001
From: ZhenYi <434836402@qq.com>
Date: Fri, 15 May 2026 00:50:13 +0800
Subject: [PATCH] fix deploy repo volume permissions
---
 deploy/README.md | 9 +++++++++
 deploy/values.yaml | 5 ++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/deploy/README.md b/deploy/README.md
index e8ff9a5..8781a63 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -136,6 +136,15 @@ All services share a single PVC (`shared-data`) via `subPath` mounts:
 | `files` | `/data/files` | app |
 | `static` | `/data` | static-server |
+Pods run as UID/GID `1000` and set `fsGroup: 1000` so Git processes can create temporary object
+directories under bare repositories. If an existing PVC was previously written by another UID,
+fix ownership once from a maintenance pod:
+
+```bash
+chown -R 1000:1000 /data/repos
+chmod -R u+rwX,g+rwX /data/repos
+```
+
 ## Autoscaling
 All services except `email_worker` have HPA enabled by default. The email worker is fixed at 1 replica and must not be
diff --git a/deploy/values.yaml b/deploy/values.yaml
index cbe631e..3c34f8e 100644
--- a/deploy/values.yaml
+++ b/deploy/values.yaml
@@ -197,6 +197,9 @@ serviceAccount:
 podSecurityContext:
 runAsNonRoot: true
 runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
 securityContext:
 capabilities:
@@ -206,4 +209,4 @@ securityContext:
 nodeSelector: {}
 tolerations: []
-affinity: {}
\ No newline at end of file
+affinity: {}
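Review bot: The three keys added under `podSecurityContext` in the first `deploy/values.yaml` hunk have no comment explaining the `OnRootMismatch` trade-off. With that policy the kubelet compares only the ownership and mode of the volume root, so a `repos` subtree left by another UID is not re-owned once the root already matches, which is presumably why the README adds a one-time `chown`. `fsGroup` is also not applied on volume types without ownership management (NFS-backed volumes, or CSI drivers whose `fsGroupPolicy` is `None`), and the storage class behind the shared PVC is not visible here, so that is worth confirming. I would add above `fsGroup`: `# Applied by the kubelet only if the volume root's owner/mode mismatch and the storage driver supports fsGroup; existing subtrees need the one-time chown from the README.`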