marcel/familienarchiv
1
0
Fork 0
Code Issues 119 Pull Requests 2 Actions 1 Packages Projects Releases Wiki Activity
3,278 Commits 27 Branches 0 Tags
cd741b9f57686fa98ce18bf59dc6d43a7409d415
Commit Graph

6 Commits

Author SHA1 Message Date
Marcel
03e2615fa7 ci(deploy): use ::error:: annotations for smoke-test failures
Some checks failed
CI / Unit & Component Tests (pull_request) Has been cancelled
Details
CI / OCR Service Tests (pull_request) Has been cancelled
Details
CI / Backend Unit Tests (pull_request) Has been cancelled
Details
CI / fail2ban Regex (pull_request) Has been cancelled
Details
CI / Semgrep Security Scan (pull_request) Has been cancelled
Details
CI / Compose Bucket Idempotency (pull_request) Has been cancelled
Details
CI / Unit & Component Tests (push) Successful in 3m23s
Details
CI / OCR Service Tests (push) Successful in 22s
Details
CI / Backend Unit Tests (push) Successful in 3m37s
Details
CI / fail2ban Regex (push) Successful in 46s
Details
CI / Semgrep Security Scan (push) Successful in 21s
Details
CI / Compose Bucket Idempotency (push) Successful in 1m5s
Details
nightly / deploy-staging (push) Successful in 2m1s
Details 
Convert the two bare failure echoes (gateway detection, /actuator status) to
::error:: so Gitea renders them as CI log annotations, consistent with the rest
of the deploy steps. No behaviour change. Raised in review (Leonie).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-02 19:41:07 +02:00
Marcel
3db6a3bf8f ci(deploy): correct stale POSTGRES_HOST --env-file comment 
obs.env documents POSTGRES_HOST but does not set a value, so obs-secrets.env
does not 'override' it — it is the only source. Reword the carried-over comment
to match reality. Raised in review (Tobias).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-02 19:40:52 +02:00
Marcel
a47564934d ci(deploy): harden deploy-obs config step with set -euo pipefail 
A failed cp/mkdir in the deploy-configs step was previously swallowed (the step
had no set -e), so a broken config copy could still reach the validate step. The
five-key guard catches empty secrets but not a failed copy. -u also catches a
typo'd env var name. Raised in review (Sara, Tobias).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-02 19:37:56 +02:00
Marcel
0e30e5c570 ci(deploy): extract deploy-obs composite action 
Five required, no-default inputs (incl. grafana_db_password for the #651
read-only reader role). Four named run: blocks keep the four CI log sections:
deploy configs, validate, start, assert health.

Secrets map to env: and are written via an unquoted <<EOF heredoc ('$VAR'
expands at the shell layer; a quoted delimiter would write the literal var
name and config --quiet would pass anyway). A five-key non-empty guard runs
right after the write, and chmod 600 is the final operation so the file is
never world-readable. ADR-016 absolute paths and the two-file --env-file
ordering are preserved.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-02 19:21:28 +02:00
Marcel
a6a8552a48 ci(deploy): extract smoke-test composite action 
Parameterises the public-surface smoke test by host (one required input,
mapped via env: HOST). Keeps the three checks verbatim — login reachable,
HSTS value pinned, Permissions-Policy present, /actuator -> 404 — plus the
/proc/net/route gateway-detection and RESOLVE-array rationale.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-02 19:20:09 +02:00
Marcel
b0d28c1e0b ci(deploy): extract reload-caddy composite action 
First composite action in the repo (establishes the convention). Lifts the
Caddy reload step verbatim from nightly.yml/release.yml — DooD privileged
sibling + nsenter to systemctl reload caddy, pinned alpine digest, reload
not restart. No inputs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-02 19:19:36 +02:00