From ac999066dd90384fb9bc3cc7920913a837d952ab Mon Sep 17 00:00:00 2001 From: Marcel Date: Sat, 9 May 2026 16:00:03 +0200 Subject: [PATCH 1/4] fix(ci): add TZ=Europe/Berlin to frontend test step date-buckets.spec.ts midnight tests pass timezone-aware dates (+02:00) which are 22:00 UTC the prior day; setHours(0,0,0,0) uses local TZ. Co-Authored-By: Claude Sonnet 4.6 --- .gitea/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 9ab8d3e5..6db53614 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -39,6 +39,8 @@ jobs: - name: Run unit and component tests run: npm test working-directory: frontend + env: + TZ: Europe/Berlin - name: Build frontend run: npm run build -- 2.49.1 From a158048f451c10161cf522e9ef8e071f013bd3ab Mon Sep 17 00:00:00 2001 From: Marcel Date: Sat, 9 May 2026 16:00:43 +0200 Subject: [PATCH 2/4] fix(ci): expose Docker socket env vars for Testcontainers in backend job DOCKER_HOST makes the socket explicit rather than relying on runner config propagation; TESTCONTAINERS_RYUK_DISABLED=true avoids Ryuk watchdog start failures in nested container environments. Co-Authored-By: Claude Sonnet 4.6 --- .gitea/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6db53614..491097a8 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -80,6 +80,8 @@ jobs: runs-on: ubuntu-latest env: DOCKER_API_VERSION: "1.43" # NAS runner runs Docker 24.x (max API 1.43); Testcontainers 2.x defaults to 1.44 + DOCKER_HOST: unix:///var/run/docker.sock + TESTCONTAINERS_RYUK_DISABLED: "true" steps: - uses: actions/checkout@v4 -- 2.49.1 From 5512790d5a3974cca6e1f06d889db7559e2cee78 Mon Sep 17 00:00:00 2001 
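Review bot: In the first hunk (`.gitea/workflows/ci.yml`, the `Run unit and component tests` step), the new `TZ: Europe/Berlin` has no comment explaining why it is there. Going by the commit message, the midnight tests still depend on the local zone of whoever runs `npm test` outside CI. I would add `# date-buckets.spec.ts midnight cases assume Europe/Berlin local time` above `env:`. If the test runner allows it, setting the zone in the test setup instead would make CI and local runs agree. The step list continues outside the hunk.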
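Review bot: In the second hunk (the backend job's `env:` block), `TESTCONTAINERS_RYUK_DISABLED: "true"` turns off the component that removes test containers after an interrupted run. Because `DOCKER_HOST` points at the host daemon's socket, anything a cancelled or crashed job leaves behind stays on the NAS host across runs. The line should say so, for example `# Ryuk off: containers are not reaped if the job is killed; clean up by label org.testcontainers=true`. A final `if: always()` step that removes containers carrying that label would also help, assuming a Docker CLI is available in the job image. The rest of the job's steps are outside the hunk.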
From: Marcel
Date: Sat, 9 May 2026 16:01:24 +0200
Subject: [PATCH 3/4] ci: track act_runner config with Docker socket mount Documents the NAS runner configuration needed for Testcontainers. Must be deployed to the runner host alongside the act_runner binary.
Co-Authored-By: Claude Sonnet 4.6
---
 runner-config.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 runner-config.yaml
diff --git a/runner-config.yaml b/runner-config.yaml
new file mode 100644
index 00000000..2110e800
--- /dev/null
+++ b/runner-config.yaml
@@ -0,0 +1,12 @@
+# runner-config.yaml — only the relevant section
+container:
+ # passed as DOCKER_HOST inside the job container
+ docker_host: "unix:///var/run/docker.sock"
+ # whitelists the socket path so workflows can mount it
+ valid_volumes:
+ - "/var/run/docker.sock"
+ # appended to `docker run` when the runner spawns a job container
+ options: "-v /var/run/docker.sock:/var/run/docker.sock"
+ # keep network mode default (bridge) — Testcontainers handles its own networking
+ force_pull: false
+
--
2.49.1
From 6074480482256ff82a5bc93de72b30a782d218dc Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sat, 9 May 2026 16:05:19 +0200
Subject: [PATCH 4/4] ci: document Docker socket security trade-off in runner config
Co-Authored-By: Claude Sonnet 4.6
---
 runner-config.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/runner-config.yaml b/runner-config.yaml
index 2110e800..66bb616c 100644
--- a/runner-config.yaml
+++ b/runner-config.yaml
@@ -6,6 +6,10 @@ container:
 valid_volumes:
 - "/var/run/docker.sock"
 # appended to `docker run` when the runner spawns a job container
+ # SECURITY: Mounting the Docker socket grants job containers root-equivalent
+ # access to the host Docker daemon. Acceptable here because only trusted code
+ # from this private repo runs on this runner. Do NOT use on a runner that
+ # accepts untrusted PRs from external contributors.
 options: "-v /var/run/docker.sock:/var/run/docker.sock"
 # keep network mode default (bridge) — Testcontainers handles its own networking
 force_pull: false
--
2.49.1
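Review bot: The added SECURITY comment justifies the mount with "only trusted code from this private repo", but per the comment above it, `options` is appended for every job container this runner spawns. That means whatever any job executes, including third-party actions such as `actions/checkout@v4` and dependency install or test scripts, also gets root-equivalent access to the host daemon. I would state that scope in the comment, e.g. `# Applies to ALL jobs on this runner, including third-party actions and dependency scripts they run.` Consider dropping the runner-wide `options` mount and mounting the socket only in the backend job, which the `valid_volumes` entry appears intended to allow. Separately, the context comment `# keep network mode default (bridge) …` sits directly above `force_pull: false`, which it does not describe.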