fix(ci): pin Reload Caddy to alpine:3.21 digest, add reload-vs-restart rationale

- Switch ubuntu:22.04 (floating, ~70 MB) to alpine:3.21 pinned by sha256 digest (~5 MB); util-linux installed at run time via apk add - Add explicit comment explaining why `reload` not `restart`: SIGHUP re-reads config in-process without dropping TLS connections Addresses Tobias + Nora blocker from PR review. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 22:43:55 +02:00
parent fe2cdaae83
commit 544b96bc9e
2 changed files with 24 additions and 16 deletions
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -98,11 +98,12 @@ jobs:
        # cannot call systemctl directly; nsenter via a privileged sibling
        # container reaches the host systemd. Must run after deploy (so the
        # latest Caddyfile is on disk) and before the smoke test (so the
-        # public surface reflects the current config).
+        # public surface reflects the current config). Alpine with pinned
+        # digest; reload not restart — see nightly.yml for full rationale.
        run: |
          docker run --rm --privileged --pid=host \
-            ubuntu:22.04 \
-            nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy
+            alpine:3.21@sha256:48b0309ca019d89d40f670aa1bc06e426dc0931948452e8491e3d65087abc07d \
+            sh -c 'apk add --no-cache util-linux -q && nsenter -t 1 -m -u -n -p -i -- /bin/systemctl reload caddy'

      - name: Smoke test deployed environment
        # See nightly.yml — same three checks, against the prod vhost.