fix(ci): Address tool findings and workflow errors

.forgejo/workflows/ci.yml

@@ -73,7 +73,7 @@ jobs:
       - name: Ansible Lint
         run: |
           if ! command -v ansible-lint &> /dev/null; then
-            pip3 install ansible-lint
+            pip3 install --break-system-packages ansible-lint
           fi
           ansible-lint ansible/ || true
         continue-on-error: true
@@ -81,7 +81,7 @@ jobs:
       - name: YAML Lint
         run: |
           if ! command -v yamllint &> /dev/null; then
-            pip3 install yamllint
+            pip3 install --break-system-packages yamllint
           fi
           yamllint ansible/ || true
         continue-on-error: true
@@ -100,10 +100,6 @@ jobs:
             install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
           fi
 
-      - name: Validate Kubernetes Manifests
-        run: |
-          kubectl apply --dry-run=client -f kubernetes/apps/ -R || true
-          kubectl apply --dry-run=client -f kubernetes/flux-system/ -R || true
 
       - name: Install kubeconform
         run: |

kubernetes/apps/example-nginx/deployment.yaml

@@ -25,12 +25,23 @@ spec:
       labels:
         app: nginx
     spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
       containers:
       - name: nginx
         image: nginx:1.25-alpine
         ports:
         - containerPort: 80
           name: http
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
         resources:
           requests:
             cpu: 100m