runtime(metis): run remote builders as root on usb scratch

pkg/service/remote_helpers.go

@@ -263,6 +263,7 @@ func (a *App) remoteBuildPodSpec(name, host, image, node, artifactRef, buildTag
 							"--harbor-registry", a.settings.HarborRegistry,
 						),
 					},
+					"securityContext": map[string]any{"runAsUser": 0, "runAsGroup": 0},
 					"envFrom": []map[string]any{
 						{"configMapRef": map[string]any{"name": "metis"}},
 					},

pkg/service/remote_helpers_test.go

@@ -253,11 +253,20 @@ func TestRemoteWorkspaceAndHostTmpPathsPreferUsbScratchRoots(t *testing.T) {
 	app.settings.HostTmpDir = "/var/tmp/metis-flash-test"
 
 	buildSpec := app.remoteBuildPodSpec("metis-build-123", "titan-04", "runner:arm64", "titan-10", "registry.example/metis/titan-10", "build-1")
-	buildVolumes := buildSpec["spec"].(map[string]any)["volumes"].([]map[string]any)
+	buildBody := buildSpec["spec"].(map[string]any)
+	buildVolumes := buildBody["volumes"].([]map[string]any)
 	workspaceVolume := buildVolumes[0]["hostPath"].(map[string]any)
 	if got := workspaceVolume["path"]; got != "/var/tmp/metis-workspace/metis-build-123" {
 		t.Fatalf("build workspace hostPath = %v", got)
 	}
+	buildContainer := buildBody["containers"].([]map[string]any)[0]
+	buildSecurity := buildContainer["securityContext"].(map[string]any)
+	if got := buildSecurity["runAsUser"]; got != 0 {
+		t.Fatalf("build runAsUser = %v", got)
+	}
+	if got := buildSecurity["runAsGroup"]; got != 0 {
+		t.Fatalf("build runAsGroup = %v", got)
+	}
 
 	flashSpec := app.remoteFlashPodSpec("metis-flash-123", "titan-04", "runner:arm64", "titan-10", hostTmpDevicePath, "registry.example/metis/titan-10")
 	flashVolumes := flashSpec["spec"].(map[string]any)["volumes"].([]map[string]any)