fix(ci): deploy obs configs to /opt/familienarchiv/ before starting stack
All checks were successful
CI / Unit & Component Tests (pull_request) Successful in 3m4s
CI / OCR Service Tests (pull_request) Successful in 18s
CI / Backend Unit Tests (pull_request) Successful in 2m42s
CI / fail2ban Regex (pull_request) Successful in 41s
CI / Compose Bucket Idempotency (pull_request) Successful in 1m0s
The observability stack's bind-mount sources pointed to workspace-relative paths. When CI wiped the workspace between runs, containers kept running but their config files disappeared — causing Docker to auto-create directories at the missing paths and crash the services on next restart.

Fix: mount /opt/familienarchiv/ into CI job containers via runner-config.yaml, then copy infra/observability/ and docker-compose.observability.yml there before docker compose up. Compose runs from the permanent path, so bind mounts resolve to stable host paths that survive workspace wipes. Docker Compose reads /opt/familienarchiv/.env automatically (no --env-file flag), which is managed on the server and persists between CI runs.

Closes #601

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
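Added here as a worked example, not code from the familienarchiv repository or from this PR: a POSIX sh version of the "deploy configs to the permanent location" step that handles the two things a plain `cp -r` over the live tree does not. It refuses to run when the server-managed `.env` is absent, builds the new tree beside the live one and renames it into place (so a container that still has a file from the old tree bind-mounted never sees a half-written copy, and files deleted from the repo do not linger), and hands the superseded tree back to the caller for deletion only after the stack has been restarted. The function names (`deploy_obs_configs`, `finish_deploy`, `make_fixture`), the two-phase cleanup and the fixture contents are assumptions of this example; only the path layout (`infra/observability/`, `docker-compose.observability.yml`, a destination holding `.env`) mirrors the commit.

```shell
#!/bin/sh
# Added example (not code from the familienarchiv repository): deploy the
# observability config tree to the permanent location the way a cautious
# CI step would. Assumptions: the checkout holds infra/observability/ and
# docker-compose.observability.yml, and the destination already holds the
# server-managed .env that CI must never write or delete.
set -eu

# deploy_obs_configs SRC_CHECKOUT DEST_ROOT
# Prints the path of the superseded tree (empty if there was none). The caller
# deletes it only after `docker compose up` has restarted the stack: containers
# from the previous run still bind-mount files out of that tree, and unlinking
# them now would empty those mounts exactly like the workspace wipe did.
deploy_obs_configs() {
  src=$1
  dest=$2

  # Fail before touching anything if the server-managed .env is absent;
  # Compose would otherwise start the stack with unset variables.
  [ -f "$dest/.env" ] || { echo "refusing to deploy: $dest/.env not found" >&2; return 1; }

  mkdir -p "$dest/infra"

  # Build the new tree beside the live one, then swap it in with rename.
  # A file overwritten in place by cp keeps its inode, so a container that has
  # it bind-mounted sees the truncated, half-written contents; a renamed-over
  # file is a new inode and the container keeps reading the old one intact.
  # Staging also guarantees that files deleted from the repo do not survive
  # in the deployed tree, which cp -R onto an existing directory would allow.
  staging="$dest/infra/.observability.new"
  rm -rf "$staging"
  cp -R "$src/infra/observability" "$staging"

  old=""
  if [ -d "$dest/infra/observability" ]; then
    old="$dest/infra/.observability.old.$$"
    mv "$dest/infra/observability" "$old"
  fi
  mv "$staging" "$dest/infra/observability"

  # Same rename-over pattern for the single compose file.
  cp "$src/docker-compose.observability.yml" "$dest/docker-compose.observability.yml.new"
  mv "$dest/docker-compose.observability.yml.new" "$dest/docker-compose.observability.yml"

  printf '%s\n' "$old"
}

# finish_deploy OLD_TREE: remove the superseded tree once the new stack is up.
finish_deploy() {
  [ -n "$1" ] && rm -rf "$1"
  return 0
}

# make_fixture ROOT: constructed checkout and destination under ROOT so the
# deploy can be exercised without a server. The file contents are placeholders,
# not real project configuration.
make_fixture() {
  root=$1
  mkdir -p "$root/checkout/infra/observability/grafana" "$root/opt/infra/observability"
  printf 'apiVersion: 1\n' > "$root/checkout/infra/observability/grafana/datasources.yml"
  printf 'services: {}\n' > "$root/checkout/docker-compose.observability.yml"
  # Destination state left by a previous run: the server-managed .env and a
  # config file that has since been deleted from the repo.
  printf 'GRAFANA_ADMIN_PASSWORD=placeholder\n' > "$root/opt/.env"
  printf 'stale\n' > "$root/opt/infra/observability/removed-from-repo.yml"
}
```

In a workflow the step would be `old=$(deploy_obs_configs "$GITHUB_WORKSPACE" /opt/familienarchiv)`, then the `docker compose ... up -d --wait` step, then `finish_deploy "$old"`; deleting the old tree before the restart re-creates the original failure mode for any container that bind-mounts a directory out of it.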
@@ -131,11 +131,25 @@ jobs:
--profile staging \
up -d --wait --remove-orphans
- name: Deploy observability configs
# Copies the compose file and config tree from the workspace checkout
# into /opt/familienarchiv/ — the permanent location that persists
# between CI runs. Containers started in the next step bind-mount
# from there, so a future workspace wipe cannot corrupt a running
# config file. Secrets are read from /opt/familienarchiv/.env (managed
# separately on the server; not written or deleted by CI).
run: |
mkdir -p /opt/familienarchiv/infra
cp -r infra/observability /opt/familienarchiv/infra/
cp docker-compose.observability.yml /opt/familienarchiv/
- name: Start observability stack
# Runs from /opt/familienarchiv/ so bind mounts resolve to stable
# host paths that survive workspace wipes between nightly runs.
# Docker Compose reads /opt/familienarchiv/.env automatically.
run: |
docker compose \
-f docker-compose.observability.yml \
--env-file .env.staging \
-f /opt/familienarchiv/docker-compose.observability.yml \
up -d --wait --remove-orphans
- name: Reload Caddy
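Review bot: Switching the compose file from the workspace-relative `-f docker-compose.observability.yml` to `-f /opt/familienarchiv/docker-compose.observability.yml` also moves the Compose project directory, and with it the default project name, unless the compose file sets a top-level `name:` or the command passes `-p`; containers started by earlier runs under the old project name are not orphans of the new project, so `--remove-orphans` will not remove them and the first run after this change can collide on container names and published ports. Pin the project with `-p` (or `name:` in the file) in the "Start observability stack" step. In "Deploy observability configs", `cp -r infra/observability /opt/familienarchiv/infra/` overwrites the live tree in place while the previous run's containers are still up (they are only restarted in the next step), so files they have bind-mounted are truncated and rewritten under them, and files deleted from the repo remain in the deployed tree; copying into a sibling directory and renaming it into place, or stopping the stack first, avoids both. The comment's statement that `.env` is "not written or deleted by CI" is true of these two cp lines but enforced nowhere; a `test -f /opt/familienarchiv/.env` before the copy would at least fail fast, which matters now that `--env-file .env.staging` is gone and anything that was only defined there must already be present in /opt/familienarchiv/.env.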
@@ -15,12 +15,15 @@ container:
valid_volumes:
- "/var/run/docker.sock"
- "/srv/gitea-workspace"
- "/opt/familienarchiv"
# appended to `docker run` when the runner spawns a job container
# SECURITY: Mounting the Docker socket grants job containers root-equivalent
# access to the host Docker daemon. Acceptable here because only trusted code
# from this private repo runs on this runner. Do NOT use on a runner that
# accepts untrusted PRs from external contributors.
options: "-v /var/run/docker.sock:/var/run/docker.sock -v /srv/gitea-workspace:/srv/gitea-workspace"
# /opt/familienarchiv is mounted so the nightly job can deploy observability
# configs to the permanent location without needing ssh or nsenter.
options: "-v /var/run/docker.sock:/var/run/docker.sock -v /srv/gitea-workspace:/srv/gitea-workspace -v /opt/familienarchiv:/opt/familienarchiv"
# keep network mode default (bridge) — Testcontainers handles its own networking
force_pull: false
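Review bot: The new comment says /opt/familienarchiv is mounted "so the nightly job can deploy observability configs", but `container.options` applies to every job container this runner spawns, so the pull_request jobs listed on this page also receive a writable bind mount of the deploy directory and can read /opt/familienarchiv/.env, the file the workflow comment describes as holding the secrets. The SECURITY comment above covers only the Docker socket; extend it to say that every job on this runner can read and modify the server-managed .env and the deployed configs, and that the same "trusted code from this private repo only" condition applies to this mount. If only the nightly job needs the path, consider a narrower mount than the directory that holds the secrets, or keep the mount and note explicitly in `valid_volumes` and the comment that it is writable.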