runwhen-contrib · stewartshea · Mar 18, 2026 · Mar 18, 2026
diff --git a/charts/runwhen-local/Chart.yaml b/charts/runwhen-local/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: runwhen-local
 description: The RunWhen Local Helm Chart - Private runners powering Agentic AI
 type: application
-version: 0.5.0
+version: 0.5.1
 appVersion: "0.10.51"
 icon: https://storage.googleapis.com/runwhen-nonprod-shared-images/icons/runwhen_icon.png
 dependencies:

diff --git a/charts/runwhen-local/templates/runner-configmap.yaml b/charts/runwhen-local/templates/runner-configmap.yaml
@@ -86,9 +86,12 @@ data:
           {{- with .Values.runner.runEnvironment.deployment.nodeName }}
           nodeName: {{ . }}
           {{- end }}
-          {{- with .Values.runner.runEnvironment.deployment.nodeSelector }}
+          {{- $globalNodeSelector := .Values.nodeSelector | default dict | deepCopy }}
+          {{- $deploymentNodeSelector := .Values.runner.runEnvironment.deployment.nodeSelector | default dict | deepCopy }}
+          {{- $mergedDeploymentNodeSelector := merge $deploymentNodeSelector $globalNodeSelector }}
+          {{- if not (empty $mergedDeploymentNodeSelector) }}
           nodeSelector:
-            {{- toYaml . | nindent 12 }}
+            {{- toYaml $mergedDeploymentNodeSelector | nindent 12 }}
           {{- end }}
           {{- with .Values.runner.runEnvironment.deployment.tolerations }}
           # Additional tolerations for this deployment
@@ -167,103 +170,6 @@ data:
             {{- toYaml . | nindent 12 }}
           {{- end }}
 
-        pod:
-          runAsJob: {{ .Values.runner.runEnvironment.pod.runAsJob }}
-          {{- with .Values.runner.runEnvironment.pod.serviceAccount }}
-          serviceAccount: {{ . }}
-          {{- end }}
-          {{- with .Values.runner.runEnvironment.pod.annotations }}
-          annotations:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.runner.runEnvironment.pod.affinity }}
-          affinity:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.runner.runEnvironment.pod.nodeName }}
-          nodeName: {{ . }}
-          {{- end }}
-          {{- with .Values.runner.runEnvironment.pod.nodeSelector }}
-          nodeSelector:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.runner.runEnvironment.pod.tolerations }}
-          # Additional tolerations for the pod
-          tolerations:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.runner.runEnvironment.extraEnv }}
-          envVars:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          resources:
-          {{- if eq .Values.platformType "EKS_Fargate" }}
-            {{- toYaml .Values.runner.runEnvironment.pod.resources.EKS_Fargate | nindent 12 }}
-          {{- else }}
-            {{- toYaml .Values.runner.runEnvironment.pod.resources.default | nindent 12 }}
-          {{- end }}
-
-          # ------------------------
-          # Container-level securityContext (Pod)
-          # If runEnvironment.containerSecurityContext is set, use it;
-          # else if global .Values.containerSecurityContext is set, use that;
-          # else fall back to your default snippet.
-          # ------------------------
-          {{- if .Values.runner.runEnvironment.containerSecurityContext }}
-          securityContext:
-            {{- toYaml .Values.runner.runEnvironment.containerSecurityContext | nindent 12 }}
-          {{- else if .Values.containerSecurityContext }}
-          securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
-          {{- else }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - all
-            readOnlyRootFilesystem: true
-            seccompProfile:
-              type: "RuntimeDefault"
-          {{- end }}
-
-          # ------------------------
-          # Pod-level securityContext (Pod)
-          # If runEnvironment.securityContext is set, use it;
-          # else if global .Values.podSecurityContext is set, use that.
-          # ------------------------
-          {{- if .Values.runner.runEnvironment.securityContext }}
-          podSecurityContext:
-            {{- toYaml .Values.runner.runEnvironment.securityContext | nindent 12 }}
-          {{- else if .Values.podSecurityContext }}
-          podSecurityContext:
-            {{- toYaml .Values.podSecurityContext | nindent 12 }}
-          {{- end }}
-
-          {{- if or (eq .Values.platformArch "arm64") (not (empty .Values.tolerations)) (not (empty .Values.runner.runEnvironment.pod.tolerations)) }}
-          tolerations:
-          {{- if eq .Values.platformArch "arm64" }}
-          - key: "kubernetes.io/arch"
-            operator: "Equal"
-            value: "arm64"
-            effect: "NoSchedule"
-          {{- end }}
-          {{- with .Values.tolerations }}
-          {{- toYaml . | nindent 10 }}
-          {{- end }}
-          {{- with .Values.runner.runEnvironment.pod.tolerations }}
-          {{- toYaml . | nindent 10 }}
-          {{- end }}
-          {{- end }}
-
-          {{- with .Values.runner.runEnvironment.volumes }}
-          volumes:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          {{- with .Values.runner.runEnvironment.volumeMounts }}
-          volumeMounts:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-
       {{- with .Values.runner.codeCollections }}
       codeCollections:
         {{- range $index, $collection := . }}

diff --git a/charts/runwhen-local/values.yaml b/charts/runwhen-local/values.yaml
@@ -356,7 +356,7 @@ runner:
   # Additional tolerations for the runner container
   tolerations: []
 
-  ## The target environments configuration for deploying the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+  ## The target environments configuration for runner workloads (SLI and task execution run on deployments)
   runEnvironment:
     image:
       pullSecret: ""
@@ -369,13 +369,13 @@ runner:
     # volumeMounts common for all the pods created by the runner
     volumeMounts: {}
 
-    # extraEnv is used to add additional environment variables for the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # extraEnv is used to add additional environment variables for runner deployments
     extraEnv: {}
 
-    # containerSecurityContext is used to set the security context for both the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # containerSecurityContext is used to set the security context for runner deployments
     # securityContext: {}
 
-    # securityContext is used to set the security context for both the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # securityContext is used to set the security context for runner deployments
     # podSecurityContext: {}
 
     secretProviders: {}
@@ -396,7 +396,7 @@ runner:
       #           name: vault-secret
       #           key: secret-id
 
-    # secretsProvided is used to mount the secrets to the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # secretsProvided is used to mount the secrets to runner deployments
     # The secrets are mounted as files or environment variables and must come from either a built in provider or a custom provider
     #
     # The built in providers and the format of their secrets provided entries are as follows:
@@ -417,18 +417,18 @@ runner:
       # hello: "k8s:env@secret/my-secret:hello"
       # vaultSecret: "my-vault@/dev/data/simple-test-secret:hello"
 
-    # blockedSecrets is used to block secrets from being mounted to the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # blockedSecrets is used to block secrets from being mounted to runner deployments
     # The format of the blockedSecrets entries are as follows:
     # - "<provider-name>@<some optional path>:<optional field>"
     blockedSecrets: []
-    # Block the use of all k8s secrets/configmaps being mounted to the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # Block the use of all k8s secrets/configmaps being mounted to runner deployments
     # - "k8s:file@"
-    # Block the use of all k8s secrets/configmaps being mounted as environment variables to the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # Block the use of all k8s secrets/configmaps being mounted as environment variables to runner deployments
     # - "k8s:env@"
     # Block the use of a specific secret being mounted to the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
     # - "myvault@/dev/data/simple-test-secret"
 
-    #### The configurations applied to the SLI (CronCodeRun) Deployments ####
+    #### The configurations applied to runner deployments (SLI and task execution) ####
     deployment:
       # Override the service account for SLI (CronCodeRun) Deployments
       # If not set, the runner will create and manage service accounts
@@ -454,48 +454,21 @@ runner:
           limits:
             cpu: "300m"
             memory: "196Mi"
-    #### The configurations applied to the TaskSet (CodeRun) Pods ####
-    pod:
-      runAsJob: false
-      # Override the service account for TaskSet (CodeRun) Pods
-      # If not set, the runner will create and manage service accounts
-      serviceAccount: "runner"
-      annotations: {}
-      affinity: {}
-      nodeName: ""
-      nodeSelector: {}
-      tolerations: []
-      resources:
-        default:
-          requests:
-            cpu: "50m"
-            memory: "128Mi"
-          limits:
-            cpu: "1"
-            memory: "512Mi"
-        EKS_Fargate:
-          requests:
-            cpu: "300m"
-            memory: "256Mi"
-          limits:
-            cpu: "300m"
-            memory: "256Mi"
-    # The proxy configurations applied to the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods
+    # The proxy configurations applied to runner deployments
     # By default the global values for .Values.proxy and .Values.proxyCA are used.
     proxy: {}
       # enabled: false
       # httpProxy: ""
       # httpsProxy: ""
       # noProxy: "127.0.0.1,$($KUBERNETES_SERVICE_HOST)"
-    # The proxy CA details, if the runner is being deployed be sure to set
-    # the grafana-agent mounts and volumes to match the proxyCA configuration
+    # The proxy CA details; if the runner is deployed, ensure grafana-agent mounts and volumes match
     proxyCA: {}
       # secretName: ""
       # configMapName: ""
       # key: ""
 
-  # proxy configuration for the runner container, set runEnvironment.proxy.enabled to true to use this configuration
-  # for the SLI (CronCodeRun) Deployments and TaskSet (CodeRun) Pods as well, or configure custom proxy settings in the runEnvironment.proxy fields
+  # proxy configuration for the runner container; set runEnvironment.proxy.enabled to true to use this
+  # for runner deployments as well, or configure custom proxy settings in the runEnvironment.proxy fields
   resources:
     default:
       requests: