
[CI] Publish truefoundry to version 0.136.6 #2659

Closed
innoavator wants to merge 2 commits into main from truefoundry-version-0.136.6

Conversation

innoavator (Contributor) commented Apr 20, 2026

Automated changes by create-pull-request GitHub action


Note

Medium Risk
Touches Helm templating that affects deployed RBAC, volumes, and CORS headers, so misconfigurations could break upgrades or runtime behavior. Version downgrades of chart dependencies/images also risk regressions if clusters expected 0.138.x behavior.

Overview
Publishes the truefoundry Helm chart as v0.136.6 and updates the lockfile, including downgrading tfy-llm-gateway/tfy-otel-collector dependency versions and multiple default image/control-plane version values to the 0.136.x line.

Removes Workload Identity Federation (global.wif) RBAC templates (the shared Role and per-component RoleBindings) and drops mlfoundryServer ServiceMonitor support/values.

Hardens and simplifies templating: the custom-CA initContainer now uses a fixed restrictive securityContext, several components stop injecting the tmp-dir emptyDir (and mlfoundry-server/servicefoundry-server rename it to truefoundry-tmpdir), tfy-controller only mounts custom-CA volumes when enabled, and tfy-proxy CORS no longer sets Access-Control-Allow-Private-Network. Minor Helm indentation fixes applied to several Service/ServiceAccount templates.

Reviewed by Cursor Bugbot for commit 437a251. Bugbot is set up for automated code reviews on this repo. Configure here.

geekygulshan and others added 2 commits April 20, 2026 12:26
cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 3 potential issues.


{{- include "mlfoundry-server.serviceAccountLabels" . | nindent 4 }}
annotations:
{{- include "mlfoundry-server.serviceAccountAnnotations" . | nindent 4 }}
{{- include "mlfoundry-server.serviceAccountAnnotations" . | indent 4 }}
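Review bot: with the `{{-` trim marker already removing the newline after `annotations:`, switching the pipe to `indent 4` on the new line puts the first annotation on the same line as the key; keep `nindent 4` as on the line above (or drop the dash if `indent` is wanted), and render the template with a non-empty serviceAccount annotation to confirm the block mapping is restored.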

Switching nindent to indent breaks YAML annotations formatting

High Severity

Changing nindent 4 to indent 4 after {{- (which strips the preceding newline) causes annotation content to render on the same line as annotations: instead of on a new line. When annotations are non-empty (e.g., user-provided service account annotations like IAM role ARNs), this produces malformed YAML like annotations: key: value instead of a proper block mapping. This affects all six templates changed from nindent to indent: mlfoundry-server, s3proxy, spark-history-server, tfy-workflow-admin, and tfy-proxy (both serviceaccount and service).

Additional Locations (2)
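As an added example (not code from the chart, the PR, or Bugbot), this Go program re-implements sprig's `indent`/`nindent` and renders the annotations block both ways after a `{{-` trim marker, showing why `indent` collapses the mapping onto the `annotations:` line. The helper implementations and the sample role-ARN annotation are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// indent/nindent re-implement the sprig helpers Helm exposes (assumption: sprig
// semantics; every line is prefixed with n spaces, nindent also prepends "\n").
func indent(n int, s string) string {
	pad := strings.Repeat(" ", n)
	return pad + strings.ReplaceAll(s, "\n", "\n"+pad)
}

func nindent(n int, s string) string { return "\n" + indent(n, s) }

// renderServiceAccount mimics the changed template: the string the annotations
// include returns is piped through helper ("indent" or "nindent") right after a
// `{{-` trim marker, which removes the newline following "annotations:".
func renderServiceAccount(helper, annotationsYaml string) (string, error) {
	src := "metadata:\n  annotations:\n  {{- .Annotations | " + helper + " 4 }}\nspec: {}\n"
	funcs := template.FuncMap{"indent": indent, "nindent": nindent}
	t := template.Must(template.New("sa").Funcs(funcs).Parse(src))
	var out strings.Builder
	err := t.Execute(&out, map[string]string{"Annotations": annotationsYaml})
	return out.String(), err
}

// annotationsIsBlockMapping reports whether "annotations:" stands alone on its
// line, i.e. the entries landed below it as a proper YAML block mapping.
func annotationsIsBlockMapping(rendered string) bool {
	for _, line := range strings.Split(rendered, "\n") {
		if strings.TrimSpace(line) == "annotations:" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample annotation (placeholder account id, not a real role).
	ann := "eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/example"
	for _, h := range []string{"nindent", "indent"} {
		out, _ := renderServiceAccount(h, ann)
		fmt.Printf("--- %s ---\n%s(block mapping: %v)\n", h, out, annotationsIsBlockMapping(out))
	}
}
```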

}
{{- end }}

{{- if .Values.s3proxy.enabled }}
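Review bot: the `{{- if .Values.s3proxy.enabled }}` guard shown here should stay wrapped around the s3proxy reverse_proxy route (and the tfyController.enabled and tags.* conditions around theirs) rather than be dropped, so the Caddy config only exposes a path when the upstream Service is actually rendered; otherwise those paths answer 502 whenever the component is disabled.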

Proxy routes rendered for potentially disabled services

Medium Severity

Conditional guards (tfyController.enabled, s3proxy.enabled, and tags.llmGatewayRequestLogging/tags.tracing) were removed from the Caddy proxy config, so reverse_proxy routes for the proxy-server, s3proxy, and otel-collector are now always rendered even when those backing services are disabled. Requests to these paths will get connection errors (502) when the upstream services don't exist.


{{- $volumes = concat $volumes $caData.items -}}
{{- end -}}
{{- $tmpVolume := include "truefoundry.tmpDirVolume" (dict "context" . "resourceTierHelper" "tfy-k8s-controller.resourceTier" "defaultResourcesPrefix" "tfy-k8s-controller.defaultResources" "resourcesValues" .Values.tfyK8sController.resources) | fromYaml }}
{{- $volumes = append $volumes $tmpVolume -}}
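Review bot: removing the `truefoundry.tmpDirVolume` include and the `append $volumes $tmpVolume` here leaves tfy-k8s-controller with no writable /tmp while readOnlyRootFilesystem stays true by default; keep the emptyDir and its /tmp volumeMount rather than relaxing readOnlyRootFilesystem to compensate.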

Removed /tmp emptyDir with read-only root filesystem

Medium Severity

The /tmp emptyDir volume and mount were removed from tfy-k8s-controller, tfy-controller, deltafusion-ingestor, and deltafusion-compaction, while the default securityContext still sets readOnlyRootFilesystem: true. Any container process that writes to /tmp will fail at runtime because the filesystem is read-only and no writable tmpdir is mounted.

Additional Locations (2)
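As an added example that is not part of the PR or the chart, a Go check that scans a pod spec (JSON, as `kubectl get pod -o json` emits under `.spec`) and names containers that run with readOnlyRootFilesystem: true but mount nothing writable at /tmp, the combination this comment describes. The struct types are a minimal slice of the Pod schema and the two sample specs are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal slice of the Pod schema (assumption: Kubernetes JSON field names;
// encoding/json matches them case-insensitively, so no tags are needed).
type container struct {
	Name            string
	SecurityContext *struct{ ReadOnlyRootFilesystem bool }
	VolumeMounts    []struct{ MountPath string; ReadOnly bool }
}

// containersWithoutWritableTmp names containers that set
// readOnlyRootFilesystem: true yet mount nothing writable at /tmp, the
// combination the review flags once the tmp-dir emptyDir is dropped.
func containersWithoutWritableTmp(podSpecJSON string) ([]string, error) {
	var spec struct{ Containers []container }
	if err := json.Unmarshal([]byte(podSpecJSON), &spec); err != nil {
		return nil, err
	}
	flagged := []string{}
	for _, c := range spec.Containers {
		if c.SecurityContext == nil || !c.SecurityContext.ReadOnlyRootFilesystem {
			continue // root filesystem is writable, so /tmp works regardless
		}
		writable := false
		for _, m := range c.VolumeMounts {
			writable = writable || (m.MountPath == "/tmp" && !m.ReadOnly)
		}
		if !writable {
			flagged = append(flagged, c.Name)
		}
	}
	return flagged, nil
}

// Constructed sample specs: the first keeps an emptyDir mounted at /tmp, the
// second drops it while leaving the read-only root filesystem in place.
const withTmp = `{"containers":[{"name":"controller","securityContext":{"readOnlyRootFilesystem":true},"volumeMounts":[{"name":"tmp-dir","mountPath":"/tmp"}]}]}`
const withoutTmp = `{"containers":[{"name":"controller","securityContext":{"readOnlyRootFilesystem":true}}]}`

func main() {
	for _, s := range []string{withTmp, withoutTmp} {
		flagged, err := containersWithoutWritableTmp(s)
		fmt.Println(flagged, err)
	}
}
```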
