fix(supervisor): wire workerPodSecurityContext/etc env vars

ConProgramming · cursoragent · ConProgramming · commit a63fe156d690 · 2026-05-15T18:29:20.000-04:00
PR #12 added supervisor.config.kubernetes.workerPodSecurityContext, workerContainerSecurityContext, and workerPodAnnotations to values.yaml but the supervisor.yaml template never read them. The supervisor's Kubernetes workload manager reads KUBERNETES_WORKER_POD_SECURITY_CONTEXT, KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT, and KUBERNETES_WORKER_POD_ANNOTATIONS env vars at runtime (JSON-parsed) and applies them to every worker pod it schedules. Without this wiring, worker pods on FedStart / GameWarden deployments are missing their compliance-required securityContext entries and would be rejected by pod-security admission. Co-authored-by: Cursor <cursoragent@cursor.com>
diff --git a/hosting/k8s/helm/Chart.yaml b/hosting/k8s/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: trigger
 description: The official Trigger.dev Helm chart
 type: application
-version: 4.4.5-plt663.1
+version: 4.4.5-plt663.2
 appVersion: v4.4.4
 home: https://trigger.dev
 sources:
diff --git a/hosting/k8s/helm/templates/supervisor.yaml b/hosting/k8s/helm/templates/supervisor.yaml
@@ -174,6 +174,18 @@ spec:
               value: {{ .Values.supervisor.config.kubernetes.workerServiceAccount | quote }}
             - name: KUBERNETES_WORKER_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN
               value: {{ .Values.supervisor.config.kubernetes.workerAutomountServiceAccountToken | quote }}
+            {{- if .Values.supervisor.config.kubernetes.workerPodSecurityContext }}
+            - name: KUBERNETES_WORKER_POD_SECURITY_CONTEXT
+              value: {{ .Values.supervisor.config.kubernetes.workerPodSecurityContext | toJson | quote }}
+            {{- end }}
+            {{- if .Values.supervisor.config.kubernetes.workerContainerSecurityContext }}
+            - name: KUBERNETES_WORKER_CONTAINER_SECURITY_CONTEXT
+              value: {{ .Values.supervisor.config.kubernetes.workerContainerSecurityContext | toJson | quote }}
+            {{- end }}
+            {{- if .Values.supervisor.config.kubernetes.workerPodAnnotations }}
+            - name: KUBERNETES_WORKER_POD_ANNOTATIONS
+              value: {{ .Values.supervisor.config.kubernetes.workerPodAnnotations | toJson | quote }}
+            {{- end }}
             {{- $registryAuthEnabled := false }}
             {{- if .Values.registry.deploy }}
               {{- $registryAuthEnabled = .Values.registry.auth.enabled }}
