ci: upgrade Helm to v4.1.4, switch images to Alpine 3.23, disable backup cron

- release.yml: bump Helm v3.16.2 → v4.1.4; replace --wait with
  --rollback-on-failure (Helm 4 rename, implies --wait)
- Dockerfile: backend builder rust:1.95-slim-bookworm → rust:1.95-alpine3.23
  (adds cmake/g++/perl/nasm/sqlite-dev for aws-lc-rs + sqlx); runtime
  debian:trixie-slim → alpine:3.23 (adds sqlite-libs, uses adduser -D)
- cronjob-backup: gate on backup.enabled, pin image to alpine:3.23
- values.yaml: backup.enabled default true
- values_override.yaml: backup.enabled: false (disabled until tested)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitea/workflows/release.yml

@@ -105,7 +105,7 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v4
         with:
-          version: v3.16.2
+          version: v4.1.4
 
       - name: Deploy via Helm
         run: |
@@ -113,4 +113,4 @@ jobs:
             -f ./deploy/values_override.yaml \
             --set image.tag=${{ github.ref_name }} \
             -n ${{ env.NAMESPACE }} \
-            --wait --timeout 5m
+            --rollback-on-failure --timeout 5m

Dockerfile

@@ -10,7 +10,8 @@ RUN pnpm run check
 RUN pnpm run build
 
 # --- Backend Build ---
-FROM rust:1.95-slim-bookworm AS backend-builder
+FROM rust:1.95-alpine3.23 AS backend-builder
+RUN apk add --no-cache cmake g++ perl nasm sqlite-dev
 WORKDIR /app/backend
 COPY backend/Cargo.toml backend/Cargo.lock ./
 RUN mkdir src && echo "fn main() {}" > src/main.rs && cargo build --release && rm -rf src
@@ -20,9 +21,9 @@ COPY backend/demo ./demo
 RUN touch src/main.rs && cargo build --release
 
 # --- Runtime ---
-FROM debian:trixie-slim
-RUN apt-get update && apt-get install -y ca-certificates curl && rm -rf /var/lib/apt/lists/*
-RUN useradd -u 1000 -m app
+FROM alpine:3.23
+RUN apk add --no-cache ca-certificates curl sqlite-libs
+RUN adduser -D -u 1000 app
 WORKDIR /app
 COPY --from=backend-builder /app/backend/target/release/tutortool ./server
 COPY --from=backend-builder /app/backend/demo                       ./backend/demo

deploy/templates/cronjob-backup.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.backup.enabled }}
 apiVersion: batch/v1
 kind: CronJob
 metadata:
@@ -25,7 +26,7 @@ spec:
                   topologyKey: kubernetes.io/hostname
           containers:
             - name: backup
-              image: alpine:latest
+              image: alpine:3.23
               command:
                 - /bin/sh
                 - -c
@@ -40,3 +41,4 @@ spec:
             - name: data
               persistentVolumeClaim:
                 claimName: {{ include "tutortool.fullname" . }}-data
+{{- end }}

deploy/values.yaml

@@ -48,6 +48,9 @@ httpRoute:
 # Do not set jwtSecretValue in committed values — provision via kubectl manually.
 jwtSecretName: tutortool-jwt
 
+backup:
+  enabled: true
+
 env:
   DATABASE_URL: sqlite:/data/attendance.db
   STATIC_DIR: /app/frontend/build

deploy/values_override.yaml

@@ -7,3 +7,6 @@ image:
 
 env:
   extra: {}
+
+backup:
+  enabled: false