devops(ci): add --remove-orphans to observability stack deploy steps

Both nightly and release workflows were missing --remove-orphans on the observability compose up, while the main app deploy step already had it. Without it, containers removed from docker-compose.observability.yml linger as unnamed orphans until manually pruned. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
devops(caddy): apply full security_headers snippet to GlitchTip vhost
2026-05-15 14:55:28 +02:00 · 2026-05-15 14:54:54 +02:00
3 changed files with 3 additions and 3 deletions
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -136,7 +136,7 @@ jobs:
          docker compose \
            -f docker-compose.observability.yml \
            --env-file .env.staging \
-            up -d --wait
+            up -d --wait --remove-orphans

      - name: Reload Caddy
        # Apply any committed Caddyfile changes before smoke-testing the
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -109,7 +109,7 @@ jobs:
          docker compose \
            -f docker-compose.observability.yml \
            --env-file .env.production \
-            up -d --wait
+            up -d --wait --remove-orphans

      - name: Reload Caddy
        # See nightly.yml — same rationale and mechanism: DooD job containers
--- a/infra/caddy/Caddyfile
+++ b/infra/caddy/Caddyfile
@@ -95,6 +95,6 @@ grafana.archiv.raddatz.cloud {
 }

 glitchtip.archiv.raddatz.cloud {
-	header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	import security_headers
 	reverse_proxy 127.0.0.1:3002
 }
Author	SHA1	Message	Date
Marcel	ada3a3ccaf	devops(ci): add --remove-orphans to observability stack deploy steps All checks were successful CI / Unit & Component Tests (pull_request) Successful in 5m27s Details CI / OCR Service Tests (pull_request) Successful in 34s Details CI / Backend Unit Tests (pull_request) Successful in 7m13s Details CI / fail2ban Regex (pull_request) Successful in 1m51s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m47s Details CI / Unit & Component Tests (push) Successful in 5m45s Details CI / OCR Service Tests (push) Successful in 36s Details CI / Backend Unit Tests (push) Successful in 7m12s Details CI / fail2ban Regex (push) Successful in 1m54s Details CI / Compose Bucket Idempotency (push) Successful in 1m41s Details Both nightly and release workflows were missing --remove-orphans on the observability compose up, while the main app deploy step already had it. Without it, containers removed from docker-compose.observability.yml linger as unnamed orphans until manually pruned. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 14:55:28 +02:00
Marcel	8cf3a2a726	devops(caddy): apply full security_headers snippet to GlitchTip vhost The GlitchTip vhost only had a manual HSTS header; the rest of the (security_headers) snippet (X-Content-Type-Options, Referrer-Policy, Permissions-Policy, -Server removal) was missing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-15 14:54:54 +02:00