fix(infra): pin GlitchTip image to 6.1.6 (v4 tag never existed)

glitchtip/glitchtip:v4 is not a real tag — GlitchTip does not use a v-prefix in its Docker image versioning. Latest stable release is 6.1.6. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(infra): set OTEL_EXPORTER_OTLP_ENDPOINT in docker-compose.prod.yml
2026-05-15 17:53:13 +02:00 · 2026-05-15 17:43:23 +02:00 · 2026-05-15 17:37:15 +02:00 · 2026-05-15 16:33:07 +02:00 · 2026-05-15 16:05:44 +02:00 · 2026-05-15 14:55:28 +02:00
17 changed files with 132 additions and 66 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -305,6 +305,7 @@ jobs:
          MAIL_PORT=1025
          APP_MAIL_FROM=noreply@local
          IMPORT_HOST_DIR=/tmp/dummy-import
          COMPOSE_NETWORK_NAME=test-idem-archiv-net
          EOF
      - name: Bring up minio
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -30,6 +30,9 @@ name: nightly
 #   STAGING_OCR_TRAINING_TOKEN
 #   STAGING_APP_ADMIN_USERNAME
 #   STAGING_APP_ADMIN_PASSWORD
 #   GRAFANA_ADMIN_PASSWORD
 #   GLITCHTIP_SECRET_KEY
 #   SENTRY_DSN                  (set after GlitchTip first-run; empty = Sentry disabled)
 on:
  schedule:
@@ -74,6 +77,14 @@ jobs:
          MAIL_STARTTLS_ENABLE=false
          APP_MAIL_FROM=noreply@staging.raddatz.cloud
          IMPORT_HOST_DIR=/srv/familienarchiv-staging/import
          POSTGRES_USER=archiv
          PORT_GRAFANA=3003
          PORT_GLITCHTIP=3002
          PORT_PROMETHEUS=9090
          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
          SENTRY_DSN=${{ secrets.SENTRY_DSN }}
          EOF
      - name: Verify backend /import:ro mount is wired
@@ -120,6 +131,13 @@ jobs:
            --profile staging \
            up -d --wait --remove-orphans
      - name: Start observability stack
        run: |
          docker compose \
            -f docker-compose.observability.yml \
            --env-file .env.staging \
            up -d --wait --remove-orphans
      - name: Reload Caddy
        # Apply any committed Caddyfile changes before smoke-testing the
        # public surface. Without this step, a Caddyfile edit lands in the
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -34,6 +34,9 @@ name: release
 #   MAIL_PORT
 #   MAIL_USERNAME
 #   MAIL_PASSWORD
 #   GRAFANA_ADMIN_PASSWORD
 #   GLITCHTIP_SECRET_KEY
 #   SENTRY_DSN                    (set after GlitchTip first-run; empty = Sentry disabled)
 on:
  push:
@@ -72,6 +75,14 @@ jobs:
          MAIL_STARTTLS_ENABLE=true
          APP_MAIL_FROM=noreply@raddatz.cloud
          IMPORT_HOST_DIR=/srv/familienarchiv-production/import
          POSTGRES_USER=archiv
          PORT_GRAFANA=3003
          PORT_GLITCHTIP=3002
          PORT_PROMETHEUS=9090
          GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
          GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
          GLITCHTIP_DOMAIN=https://glitchtip.archiv.raddatz.cloud
          SENTRY_DSN=${{ secrets.SENTRY_DSN }}
          EOF
      - name: Build images
@@ -93,6 +104,13 @@ jobs:
            --env-file .env.production \
            up -d --wait --remove-orphans
      - name: Start observability stack
        run: |
          docker compose \
            -f docker-compose.observability.yml \
            --env-file .env.production \
            up -d --wait --remove-orphans
      - name: Reload Caddy
        # See nightly.yml — same rationale and mechanism: DooD job containers
        # cannot call systemctl directly; nsenter via a privileged sibling
--- a/backend/pom.xml
+++ b/backend/pom.xml
@@ -29,6 +29,20 @@
 	<properties>
 		<java.version>21</java.version>
 	</properties>
 	<dependencyManagement>
 		<dependencies>
 			<!-- opentelemetry-spring-boot-starter:2.27.0 was built against opentelemetry-api:1.61.0,
 			     but Spring Boot 4.0.0 BOM only manages 1.55.0 (missing GlobalOpenTelemetry.getOrNoop()).
 			     Import the core OTel BOM here to override it before the Spring Boot BOM applies. -->
 			<dependency>
 				<groupId>io.opentelemetry</groupId>
 				<artifactId>opentelemetry-bom</artifactId>
 				<version>1.61.0</version>
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
 		</dependencies>
 	</dependencyManagement>
 	<dependencies>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
@@ -225,11 +239,13 @@
 			</exclusions>
 		</dependency>
-		<!-- Sentry error reporting (GlitchTip-compatible) -->
+		<!-- Sentry error reporting (GlitchTip-compatible) — sentry-spring-boot-4 is the
 		     Spring Boot 4 / Spring Framework 7 compatible module (replaces the jakarta starter
 		     which crashes with SF7 due to bean-name generation for triply-nested @Import classes) -->
 		<dependency>
 			<groupId>io.sentry</groupId>
-			<artifactId>sentry-spring-boot-starter-jakarta</artifactId>
+			<artifactId>sentry-spring-boot-4</artifactId>
-			<version>8.5.0</version>
+			<version>8.41.0</version>
 		</dependency>
 	</dependencies>
--- a/backend/src/main/java/org/raddatz/familienarchiv/config/SentryConfig.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/config/SentryConfig.java
@@ -1,39 +0,0 @@
 package org.raddatz.familienarchiv.config;
 import io.sentry.Sentry;
 import jakarta.annotation.PostConstruct;
 import org.raddatz.familienarchiv.exception.DomainException;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 // SentryAutoConfiguration is excluded (see application.yaml) because Spring Boot 4 / Spring
 // Framework 7 cannot generate a bean name for the triply-nested
 // SentryAutoConfiguration$HubConfiguration$SentrySpanRestClientConfiguration class.
 // This bean replicates the essential init: DSN, environment, sample rate, PII guard,
 // and DomainException filter.
@Configuration
 public class SentryConfig {
    @Value("${sentry.dsn:}")
    private String dsn;
    @Value("${sentry.environment:dev}")
    private String environment;
    @Value("${sentry.traces-sample-rate:1.0}")
    private double tracesSampleRate;
    @PostConstruct
    public void init() {
        if (dsn == null || dsn.isBlank()) {
            return;
        }
        Sentry.init(options -> {
            options.setDsn(dsn);
            options.setEnvironment(environment);
            options.setTracesSampleRate(tracesSampleRate);
            options.setSendDefaultPii(false);
            options.addIgnoredExceptionForType(DomainException.class);
        });
    }
 }
--- a/backend/src/main/resources/application.yaml
+++ b/backend/src/main/resources/application.yaml
@@ -38,13 +38,6 @@ spring:
          starttls:
            enable: true
  autoconfigure:
    exclude:
      # SentryAutoConfiguration fails on Spring Boot 4/Spring Framework 7: Spring cannot generate a
      # bean name for the triply-nested SentryAutoConfiguration$HubConfiguration$SentrySpanRestClientConfiguration.
      # Sentry is initialized manually via SentryConfig instead. See #580.
      - io.sentry.spring.boot.jakarta.SentryAutoConfiguration
 server:
  # Behind Caddy/reverse proxy: trust X-Forwarded-{Proto,For,Host} so that
  # request.getScheme(), redirect URLs, and Spring Session "Secure" cookies
--- a/backend/src/test/java/org/raddatz/familienarchiv/ApplicationContextTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/ApplicationContextTest.java
@@ -1,14 +1,18 @@
 package org.raddatz.familienarchiv;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.testcontainers.service.connection.ServiceConnection;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Import;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.testcontainers.containers.PostgreSQLContainer;
 import software.amazon.awssdk.services.s3.S3Client;
 import static org.assertj.core.api.Assertions.assertThat;
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.NONE)
@ActiveProfiles("test")
@Import(PostgresContainerConfig.class)
@@ -17,9 +21,18 @@ class ApplicationContextTest {
    @MockitoBean
    S3Client s3Client;
    @Autowired
    ApplicationContext ctx;
    @Test
    void contextLoads() {
        // verifies that the Spring context starts successfully with all beans wired,
        // Flyway migrations applied, and no configuration errors
    }
    @Test
    void sentry_is_disabled_when_no_dsn_is_configured() {
        // application-test.yaml has no sentry.dsn — SDK must stay inactive so tests are clean
        assertThat(io.sentry.Sentry.isEnabled()).isFalse();
    }
 }
--- a/backend/src/test/java/org/raddatz/familienarchiv/audit/AuditServiceIntegrationTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/audit/AuditServiceIntegrationTest.java
@@ -1,11 +1,11 @@
 package org.raddatz.familienarchiv.audit;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.raddatz.familienarchiv.PostgresContainerConfig;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Import;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.transaction.support.TransactionTemplate;
@@ -18,7 +18,6 @@ import static org.awaitility.Awaitility.await;
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.NONE)
@ActiveProfiles("test")
@Import(PostgresContainerConfig.class)
@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
 class AuditServiceIntegrationTest {
    @MockitoBean S3Client s3Client;
@@ -26,6 +25,11 @@ class AuditServiceIntegrationTest {
    @Autowired AuditLogRepository auditLogRepository;
    @Autowired TransactionTemplate transactionTemplate;
    @BeforeEach
    void resetAuditLog() {
        auditLogRepository.deleteAll();
    }
    @Test
    void logAfterCommit_writes_ANNOTATION_CREATED_row_after_transaction_commits() {
        transactionTemplate.execute(status -> {
--- a/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentSearchPagedIntegrationTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentSearchPagedIntegrationTest.java
@@ -12,9 +12,9 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Import;
 import org.springframework.data.domain.PageRequest;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.transaction.annotation.Transactional;
 import software.amazon.awssdk.services.s3.S3Client;
 import java.time.LocalDate;
@@ -33,7 +33,7 @@ import static org.assertj.core.api.Assertions.assertThat;
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.NONE)
@ActiveProfiles("test")
@Import(PostgresContainerConfig.class)
-@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
+@Transactional
 class DocumentSearchPagedIntegrationTest {
    private static final int FIXTURE_SIZE = 120;
--- a/backend/src/test/java/org/raddatz/familienarchiv/exception/GlobalExceptionHandlerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/exception/GlobalExceptionHandlerTest.java
@@ -0,0 +1,33 @@
 package org.raddatz.familienarchiv.exception;
 import io.sentry.Sentry;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
 import org.mockito.MockedStatic;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.http.ResponseEntity;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mockStatic;
@ExtendWith(MockitoExtension.class)
 class GlobalExceptionHandlerTest {
    @InjectMocks
    private GlobalExceptionHandler handler;
    @Test
    void handleGeneric_captures_exception_in_sentry_and_returns_500() {
        RuntimeException ex = new RuntimeException("unexpected failure");
        try (MockedStatic<Sentry> sentryMock = mockStatic(Sentry.class)) {
            ResponseEntity<GlobalExceptionHandler.ErrorResponse> response = handler.handleGeneric(ex);
            sentryMock.verify(() -> Sentry.captureException(ex));
            assertThat(response.getStatusCode().value()).isEqualTo(500);
            assertThat(response.getBody()).isNotNull();
            assertThat(response.getBody().code()).isEqualTo(ErrorCode.INTERNAL_ERROR);
        }
    }
 }
--- a/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceIntegrationTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceIntegrationTest.java
@@ -19,9 +19,9 @@ import org.springframework.context.annotation.Import;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.transaction.annotation.Transactional;
 import software.amazon.awssdk.services.s3.S3Client;
 import java.util.List;
@@ -32,7 +32,7 @@ import static org.assertj.core.api.Assertions.assertThat;
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.NONE)
@ActiveProfiles("test")
@Import(PostgresContainerConfig.class)
-@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
+@Transactional
 class GeschichteServiceIntegrationTest {
    @MockitoBean
--- a/backend/src/test/java/org/raddatz/familienarchiv/person/PersonServiceIntegrationTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/person/PersonServiceIntegrationTest.java
@@ -8,9 +8,9 @@ import org.raddatz.familienarchiv.person.PersonRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.annotation.Import;
 import org.springframework.test.annotation.DirtiesContext;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.transaction.annotation.Transactional;
 import software.amazon.awssdk.services.s3.S3Client;
 import static org.assertj.core.api.Assertions.assertThat;
@@ -18,7 +18,7 @@ import static org.assertj.core.api.Assertions.assertThat;
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.NONE)
@ActiveProfiles("test")
@Import(PostgresContainerConfig.class)
-@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
+@Transactional
 class PersonServiceIntegrationTest {
    @MockitoBean S3Client s3Client;
--- a/backend/src/test/resources/application-test.yaml
+++ b/backend/src/test/resources/application-test.yaml
@@ -13,12 +13,6 @@ spring:
    password: test
  mail:
    host: localhost
  autoconfigure:
    exclude:
      # SentryAutoConfiguration fails on Spring Boot 4/Spring Framework 7: Spring cannot generate a
      # bean name for the triply-nested SentryAutoConfiguration$HubConfiguration$SentrySpanRestClientConfiguration.
      # Sentry is wired manually via SentryConfig instead. See #580.
      - io.sentry.spring.boot.jakarta.SentryAutoConfiguration
 # Disable OTel SDK entirely in tests — prevents auto-configuration from loading resource providers
 # (e.g. AzureAppServiceResourceProvider) that fail against the semconv version used here.
--- a/docker-compose.observability.yml
+++ b/docker-compose.observability.yml
@@ -184,7 +184,7 @@ services:
      - obs-net
  obs-glitchtip:
-    image: glitchtip/glitchtip:v4
+    image: glitchtip/glitchtip:6.1.6
    container_name: obs-glitchtip
    restart: unless-stopped
    depends_on:
@@ -207,7 +207,7 @@ services:
      - obs-net
  obs-glitchtip-worker:
-    image: glitchtip/glitchtip:v4
+    image: glitchtip/glitchtip:6.1.6
    container_name: obs-glitchtip-worker
    restart: unless-stopped
    command: ./bin/run-celery-with-beat.sh
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -39,6 +39,7 @@
 networks:
  archiv-net:
    driver: bridge
    name: ${COMPOSE_NETWORK_NAME:-archiv-net}
 volumes:
  postgres-data:
@@ -212,10 +213,11 @@ services:
      APP_MAIL_FROM: ${APP_MAIL_FROM:-noreply@raddatz.cloud}
      SPRING_MAIL_PROPERTIES_MAIL_SMTP_AUTH: ${MAIL_SMTP_AUTH:-true}
      SPRING_MAIL_PROPERTIES_MAIL_SMTP_STARTTLS_ENABLE: ${MAIL_STARTTLS_ENABLE:-true}
      OTEL_EXPORTER_OTLP_ENDPOINT: http://tempo:4317
    networks:
      - archiv-net
    healthcheck:
-      test: ["CMD-SHELL", "wget -qO- http://localhost:8080/actuator/health | grep -q UP || exit 1"]
+      test: ["CMD-SHELL", "wget -qO- http://localhost:8081/actuator/health | grep -q UP || exit 1"]
      interval: 15s
      timeout: 5s
      retries: 10
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -223,6 +223,9 @@ git.raddatz.cloud      A   <server IP>
 | `MAIL_PORT` | release.yml | typically `587` |
 | `MAIL_USERNAME` | release.yml | SMTP user |
 | `MAIL_PASSWORD` | release.yml | SMTP password |
 | `GRAFANA_ADMIN_PASSWORD` | both | Grafana `admin` login — generate a strong password |
 | `GLITCHTIP_SECRET_KEY` | both | Django secret key — `openssl rand -hex 32` |
 | `SENTRY_DSN` | both | GlitchTip project DSN — set after first-run (§4); leave empty to keep Sentry disabled |
 ### 3.4 First deploy
--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -88,3 +88,13 @@ git.raddatz.cloud {
 	import security_headers
 	reverse_proxy 127.0.0.1:3005
 }
 grafana.archiv.raddatz.cloud {
 	import security_headers
 	reverse_proxy 127.0.0.1:3003
 }
 glitchtip.archiv.raddatz.cloud {
 	import security_headers
 	reverse_proxy 127.0.0.1:3002
 }
Author	SHA1	Message	Date
Marcel	b1ff624c98	fix(infra): pin GlitchTip image to 6.1.6 (v4 tag never existed) glitchtip/glitchtip:v4 is not a real tag — GlitchTip does not use a v-prefix in its Docker image versioning. Latest stable release is 6.1.6. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 17:53:13 +02:00
Marcel	fed427dc4a	fix(infra): set OTEL_EXPORTER_OTLP_ENDPOINT in docker-compose.prod.yml Some checks failed CI / Unit & Component Tests (pull_request) Has been cancelled Details CI / OCR Service Tests (pull_request) Has been cancelled Details CI / Backend Unit Tests (pull_request) Has been cancelled Details CI / fail2ban Regex (pull_request) Has been cancelled Details CI / Compose Bucket Idempotency (pull_request) Has been cancelled Details CI / Unit & Component Tests (push) Has been cancelled Details CI / OCR Service Tests (push) Has been cancelled Details CI / Backend Unit Tests (push) Has been cancelled Details CI / fail2ban Regex (push) Has been cancelled Details CI / Compose Bucket Idempotency (push) Has been cancelled Details The endpoint belongs in the compose file (hardcoded to the in-network Tempo service) rather than per-environment workflow files. This covers both staging (nightly.yml) and production (release.yml) with a single change and removes the duplicate from the nightly env-file block. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 17:43:23 +02:00
Marcel	cf78ab2f8e	fix(staging): correct backend healthcheck port and OTel endpoint Some checks failed CI / OCR Service Tests (pull_request) Has been cancelled Details CI / Backend Unit Tests (pull_request) Has been cancelled Details CI / fail2ban Regex (pull_request) Has been cancelled Details CI / Compose Bucket Idempotency (pull_request) Has been cancelled Details CI / Unit & Component Tests (pull_request) Has been cancelled Details Two bugs introduced when the management port was split from the app port: 1. Backend healthcheck hit localhost:8080/actuator/health (app port) — actuator is on management.server.port=8081, so every probe got a 404 from the main MVC dispatcher, marking the container permanently unhealthy. Fix: change the probe to localhost:8081. 2. OTEL_EXPORTER_OTLP_ENDPOINT was not set in .env.staging, so the exporter fell back to http://localhost:4317 (the CI-safe default) instead of http://tempo:4317 (the in-network Tempo service). Fix: inject the correct endpoint in the nightly env-file generation step. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 17:37:15 +02:00
Marcel	c8883d0e40	fix(ci): isolate compose-idempotency network from archiv-net collisions All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m40s Details CI / OCR Service Tests (pull_request) Successful in 34s Details CI / Backend Unit Tests (pull_request) Successful in 7m8s Details CI / fail2ban Regex (pull_request) Successful in 1m58s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m41s Details CI / Unit & Component Tests (push) Successful in 5m37s Details CI / OCR Service Tests (push) Successful in 28s Details CI / Backend Unit Tests (push) Successful in 6m59s Details CI / fail2ban Regex (push) Successful in 1m59s Details CI / Compose Bucket Idempotency (push) Successful in 1m44s Details The name: archiv-net declaration (needed so docker-compose.observability.yml can join the network as external: true) caused the compose-idempotency CI job to collide with any archiv-net left on the runner from staging or a previous run. mc would resolve 'minio' to the wrong container and fail with a signature mismatch. Make the network name interpolable via COMPOSE_NETWORK_NAME (default: archiv-net so production/staging behaviour is unchanged). Inject COMPOSE_NETWORK_NAME= test-idem-archiv-net into the stub env file so the idempotency test always gets a fully isolated network. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 16:33:07 +02:00
Marcel	7154092547	fix(deps): pin opentelemetry-bom to 1.61.0 to fix startup crash Some checks failed CI / Unit & Component Tests (pull_request) Successful in 5m34s Details CI / OCR Service Tests (pull_request) Successful in 30s Details CI / Backend Unit Tests (pull_request) Successful in 7m6s Details CI / fail2ban Regex (pull_request) Successful in 1m49s Details CI / Compose Bucket Idempotency (pull_request) Failing after 1m26s Details opentelemetry-spring-boot-starter:2.27.0 was built against opentelemetry-api:1.61.0. Spring Boot 4.0.0 only manages 1.55.0, which is missing GlobalOpenTelemetry.getOrNoop(). The backend crashed at startup with NoSuchMethodError on the first staging nightly. Add a <dependencyManagement> import of opentelemetry-bom:1.61.0 before the Spring Boot BOM applies, so all OTel core artifacts resolve to the version the instrumentation starter actually requires. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 16:05:44 +02:00
Marcel	ada3a3ccaf	devops(ci): add --remove-orphans to observability stack deploy steps All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m27s Details CI / OCR Service Tests (pull_request) Successful in 34s Details CI / Backend Unit Tests (pull_request) Successful in 7m13s Details CI / fail2ban Regex (pull_request) Successful in 1m51s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m47s Details CI / Unit & Component Tests (push) Successful in 5m45s Details CI / OCR Service Tests (push) Successful in 36s Details CI / Backend Unit Tests (push) Successful in 7m12s Details CI / fail2ban Regex (push) Successful in 1m54s Details CI / Compose Bucket Idempotency (push) Successful in 1m41s Details Both nightly and release workflows were missing --remove-orphans on the observability compose up, while the main app deploy step already had it. Without it, containers removed from docker-compose.observability.yml linger as unnamed orphans until manually pruned. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 14:55:28 +02:00
Marcel	8cf3a2a726	devops(caddy): apply full security_headers snippet to GlitchTip vhost The GlitchTip vhost only had a manual HSTS header; the rest of the (security_headers) snippet (X-Content-Type-Options, Referrer-Policy, Permissions-Policy, -Server removal) was missing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 14:54:54 +02:00
Marcel	553e2f8898	docs(deployment): add observability secrets to §3.3 Gitea secrets table All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m35s Details CI / OCR Service Tests (pull_request) Successful in 33s Details CI / Backend Unit Tests (pull_request) Successful in 7m10s Details CI / fail2ban Regex (pull_request) Successful in 1m54s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m39s Details GRAFANA_ADMIN_PASSWORD, GLITCHTIP_SECRET_KEY, and SENTRY_DSN were referenced in the workflow env files but absent from the secrets table, leaving the first-run operator without a complete checklist. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:46:01 +02:00
Marcel	4a7349543a	devops(ci): wire SENTRY_DSN into staging and production env files Adds SENTRY_DSN as an optional secret (empty by default) so it can be set after GlitchTip first-run without requiring another code change. Backend reads it via application.yaml; empty value keeps Sentry disabled. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:45:07 +02:00
Marcel	f15e004645	devops(ci): add --wait to observability stack startup Prometheus, Loki, Tempo, and Grafana all define healthchecks in docker-compose.observability.yml. Without --wait, the step exits 0 as soon as containers are created, masking startup failures silently. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:44:16 +02:00
Marcel	b137e3e72d	devops(caddy): add HSTS to GlitchTip vhost Caddy does not set Strict-Transport-Security on GlitchTip because the full security_headers snippet is intentionally omitted (Permissions-Policy interferes with the Sentry SDK CORS). Adding HSTS alone guarantees HTTPS enforcement at the Caddy layer without breaking SDK ingestion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 13:43:35 +02:00
Marcel	4c8a23ff14	devops(caddy): add Grafana and GlitchTip vhosts All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m33s Details CI / OCR Service Tests (pull_request) Successful in 33s Details CI / Backend Unit Tests (pull_request) Successful in 7m10s Details CI / fail2ban Regex (pull_request) Successful in 1m55s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m42s Details grafana.archiv.raddatz.cloud → 127.0.0.1:3003 (with security headers) glitchtip.archiv.raddatz.cloud → 127.0.0.1:3002 (no security headers — GlitchTip manages its own; the Sentry SDK also POSTs here) Requires A records for both subdomains pointing at the server before the next `systemctl reload caddy`. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 11:27:07 +02:00
Marcel	d7d225af77	devops(observability): wire observability stack into nightly and release deploys All checks were successful CI / Unit & Component Tests (pull_request) Successful in 4m32s Details CI / OCR Service Tests (pull_request) Successful in 17s Details CI / Backend Unit Tests (pull_request) Successful in 4m3s Details CI / fail2ban Regex (pull_request) Successful in 1m55s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m42s Details - docker-compose.prod.yml: add `name: archiv-net` so the network has a stable Docker name regardless of compose project name (-p flag). Both staging and production share the same host-level network, which is correct since the observability stack is a single shared instance. - nightly.yml / release.yml: add observability env vars (POSTGRES_USER, PORT_GRAFANA=3003, PORT_GLITCHTIP=3002, PORT_PROMETHEUS=9090, GRAFANA_ADMIN_PASSWORD, GLITCHTIP_SECRET_KEY, GLITCHTIP_DOMAIN) to the env file, then `docker compose -f docker-compose.observability.yml up -d` after the app deploy step. PORT_GRAFANA=3003 avoids collision with staging frontend on 3001. Requires two new Gitea secrets: GRAFANA_ADMIN_PASSWORD, GLITCHTIP_SECRET_KEY. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 11:22:37 +02:00
Marcel	4358997482	perf(test): replace DirtiesContext(AFTER_EACH_TEST_METHOD) with @Transactional All checks were successful CI / Unit & Component Tests (pull_request) Successful in 4m40s Details CI / OCR Service Tests (pull_request) Successful in 18s Details CI / Backend Unit Tests (pull_request) Successful in 3m20s Details CI / fail2ban Regex (pull_request) Successful in 47s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m4s Details CI / Unit & Component Tests (push) Successful in 4m20s Details CI / OCR Service Tests (push) Successful in 16s Details CI / Backend Unit Tests (push) Successful in 3m8s Details CI / fail2ban Regex (push) Successful in 44s Details CI / Compose Bucket Idempotency (push) Successful in 1m1s Details 4 integration test classes were restarting the full Spring context (and a new Postgres Testcontainer, ~75s each) after every test method — 10 unnecessary container startups adding ~12 minutes to CI. Fixed by: - PersonServiceIntegrationTest, DocumentSearchPagedIntegrationTest, GeschichteServiceIntegrationTest: swap to @Transactional so each test rolls back instead of destroying the context. - AuditServiceIntegrationTest: cannot use @Transactional (logAfterCommit hooks into AFTER_COMMIT which requires a real commit); reset state with @BeforeEach deleteAll() instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 10:29:35 +02:00
Marcel	7c2e75facc	fix(backend): switch to sentry-spring-boot-4:8.41.0 for Spring Boot 4/SF7 compatibility Some checks failed CI / Unit & Component Tests (pull_request) Successful in 6m12s Details CI / OCR Service Tests (pull_request) Successful in 42s Details CI / Backend Unit Tests (pull_request) Failing after 17m13s Details CI / fail2ban Regex (pull_request) Successful in 2m37s Details CI / Compose Bucket Idempotency (pull_request) Successful in 2m6s Details sentry-spring-boot-starter-jakarta 8.5.0 does not support Spring Boot 4.0 — it logs an "Incompatible Spring Boot Version" warning and its SentryAutoConfiguration crashes SF7 bean-name generation. sentry-spring-boot-4 (added in 8.21.0) is the dedicated Spring Boot 4 module with a fixed auto-configuration class. - Replace sentry-spring-boot-starter-jakarta:8.5.0 with sentry-spring-boot-4:8.41.0 - Delete SentryConfig.java — workaround no longer needed, auto-config handles init - Remove spring.autoconfigure.exclude from application.yaml + application-test.yaml - Delete SentryConfigTest.java — tested the deleted workaround class - Update ApplicationContextTest: assert Sentry.isEnabled() is false when no DSN set Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 09:51:53 +02:00
Marcel	7b05b9d5a0	test(context): assert SentryAutoConfiguration is excluded from Spring context Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 09:45:32 +02:00
Marcel	20edc0474c	test(exception): verify handleGeneric captures exception in Sentry and returns 500 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 09:44:10 +02:00
Marcel	fa191b5c05	test(config): unit-test SentryConfig blank-DSN no-op and non-blank init paths Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 09:43:08 +02:00