
Fix orphan no-permission ServiceAccount in kubernetes-novolume mode #4455

Open
khaykingleb wants to merge 1 commit into actions:master from khaykingleb:fix-no-permission-sa-kubernetes-novolume

@khaykingleb

Fixes #4454

When containerMode.type is kubernetes-novolume, the chart renders a <release>-gha-rs-no-permission ServiceAccount that the runner pod never uses (it uses the kube-mode SA instead). The SA is created with an actions.github.com/cleanup-protection finalizer, but the AutoscalingRunnerSet has no cleanup-no-permission-service-account-name annotation for this mode, so autoscalingRunnerSetFinalizerDependencyCleaner.removeNoPermissionServiceAccountFinalizer skips it on teardown. The SA becomes an orphan that blocks helm uninstall / Argo CD app deletion until someone manually strips the finalizer.

Fix

Align the creation condition with where the SA is actually used and tracked:

-{{- if and (ne $containerMode.type "kubernetes") (not .Values.template.spec.serviceAccountName) }}
+{{- if and (ne $containerMode.type "kubernetes") (ne $containerMode.type "kubernetes-novolume") (not .Values.template.spec.serviceAccountName) }}
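Review bot: The new (ne $containerMode.type "kubernetes-novolume") clause on the + line covers fresh installs but not releases that already rendered <release>-gha-rs-no-permission in this mode. On upgrade the SA drops out of the rendered manifest, so Helm will delete it, and it still carries the actions.github.com/cleanup-protection finalizer that, per the description, nothing removes for this mode, so it can be left stuck in Terminating. Please add an upgrade note telling kubernetes-novolume users to strip that finalizer once, or handle the existing object in the controller. A short template comment above the condition saying that both kube modes use the kube-mode SA would also help keep it in sync with the place where the cleanup annotation is set, and the table-driven test would be stronger with one positive case asserting the SA is still rendered outside the two kubernetes modes.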

Tests

Added a table-driven test that renders the chart in both kubernetes and kubernetes-novolume modes and asserts templates/no_permission_serviceaccount.yaml produces no output.

Development

Successfully merging this pull request may close these issues.

Orphan no-permission ServiceAccount in kubernetes-novolume mode blocks Argo CD app teardown