From 156afa14a20946cd1a54789f704ba453faaa7bd4 Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Mon, 11 May 2026 13:08:51 +0200
Subject: [PATCH] test(ci): add compose bucket-bootstrap idempotency job
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The create-buckets service in docker-compose.prod.yml runs on every
`docker compose up` (one-shot, restart=no). A re-deploy that fails
because the user/bucket/policy already exists would block the whole
nightly/release pipeline — and the only way to find out today is to
run a second deploy.

This job runs the bootstrap twice against a throwaway minio stack and
asserts both invocations exit 0. Caught at PR time, not at the third
nightly deploy at 02:00.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/ci.yml | 50 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 461b486d..fd30bac6 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -146,4 +146,52 @@ jobs:
           out=$(fail2ban-regex /tmp/sample.log infra/fail2ban/filter.d/familienarchiv-auth.conf)
           echo "$out"
           echo "$out" | grep -qE '0 matched' \
-            || { echo "expected 0 matches for /api/auth/login 200"; exit 1; }
\ No newline at end of file
+            || { echo "expected 0 matches for /api/auth/login 200"; exit 1; }
+
+  # ─── Compose Bucket-Bootstrap Idempotency ─────────────────────────────────────
+  # docker-compose.prod.yml's create-buckets service runs on every
+  # `docker compose up` (one-shot, no restart). Must be idempotent — a
+  # re-deploy must not fail just because the bucket / user / policy
+  # already exists. Validated by running create-buckets twice against a
+  # throwaway minio stack and asserting both invocations exit 0.
+  compose-idempotency:
+    name: Compose Bucket Idempotency
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Write stub env file
+        run: |
+          cat > .env.test <<'EOF'
+          TAG=test
+          PORT_BACKEND=18080
+          PORT_FRONTEND=13000
+          APP_DOMAIN=localhost
+          POSTGRES_PASSWORD=stub
+          MINIO_PASSWORD=stubrootpassword
+          MINIO_APP_PASSWORD=stubapppassword
+          OCR_TRAINING_TOKEN=stub
+          APP_ADMIN_USERNAME=admin@local
+          APP_ADMIN_PASSWORD=stub
+          MAIL_HOST=mailpit
+          MAIL_PORT=1025
+          APP_MAIL_FROM=noreply@local
+          EOF
+
+      - name: Bring up minio
+        run: |
+          docker compose -f docker-compose.prod.yml -p test-idem --env-file .env.test up -d --wait minio
+
+      - name: First create-buckets run
+        run: |
+          docker compose -f docker-compose.prod.yml -p test-idem --env-file .env.test run --rm create-buckets
+
+      - name: Second create-buckets run (idempotency check)
+        run: |
+          docker compose -f docker-compose.prod.yml -p test-idem --env-file .env.test run --rm create-buckets
+
+      - name: Teardown
+        if: always()
+        run: |
+          docker compose -f docker-compose.prod.yml -p test-idem --env-file .env.test down -v
+          rm -f .env.test
\ No newline at end of file