fix deploy repo volume permissions

deploy/README.md

@@ -136,6 +136,15 @@ All services share a single PVC (`shared-data`) via `subPath` mounts:
 | `files`   | `/data/files`   | app                      |
 | `static`  | `/data`         | static-server            |
 
+Pods run as UID/GID `1000` and set `fsGroup: 1000` so Git processes can create temporary object
+directories under bare repositories. If an existing PVC was previously written by another UID,
+fix ownership once from a maintenance pod:
+
+```bash
+chown -R 1000:1000 /data/repos
+chmod -R u+rwX,g+rwX /data/repos
+```
+
 ## Autoscaling
 
 All services except `email_worker` have HPA enabled by default. The email worker is fixed at 1 replica and must not be

deploy/values.yaml

@@ -197,6 +197,9 @@ serviceAccount:
 podSecurityContext:
   runAsNonRoot: true
   runAsUser: 1000
+  runAsGroup: 1000
+  fsGroup: 1000
+  fsGroupChangePolicy: OnRootMismatch
 
 securityContext:
   capabilities: