fix(cd): run smoke from isolated workspace
All checks were successful
CD Pipeline / workflow-shape (push) Successful in 1s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 35s
CD Pipeline / build-and-deploy (push) Successful in 3m48s
CD Pipeline / post-deploy-checks (push) Successful in 1m38s

Your Name
2026-07-01 17:27:11 +08:00
parent 0b3d5016ce
commit 306fa471f8
3 changed files with 56 additions and 18 deletions


@@ -2394,23 +2394,38 @@ jobs:
# 首席架構師 Review I4 + 2026-04-05 Claude Code cache優化:
# playwright.config.ts import @playwright/test — 必須先安裝 pnpm node_modules
# pnpm store 持久化到 /opt/pnpm-storepnpm-lock.yaml hash 未變則 --prefer-offline
SOURCE_WORKDIR=/source
SMOKE_WORKDIR=/tmp/awoooi-smoke-workspace
cleanup_smoke_workspace_artifacts() {
# 2026-05-19 Codex: pnpm creates a symlink-heavy node_modules tree
# inside the bind-mounted checkout. Remove it before act-runner's
# post-job cleanup so successful smoke jobs do not end with
# errSymlink cleanup noise.
rm -rf /workspace/node_modules \
/workspace/apps/web/node_modules \
/workspace/apps/web/tests/e2e/.auth \
/workspace/apps/web/test-results \
/workspace/apps/web/playwright-report \
2>/dev/null || true
find /workspace/apps /workspace/packages \
-mindepth 2 -maxdepth 2 -type d -name node_modules -prune -exec rm -rf {} + \
rm -rf "$SMOKE_WORKDIR" \
/tmp/pnpm-install.log \
/tmp/playwright-install-deps.log \
2>/dev/null || true
}
trap cleanup_smoke_workspace_artifacts EXIT
rm -rf "$SMOKE_WORKDIR"
mkdir -p "$SMOKE_WORKDIR"
if command -v tar >/dev/null 2>&1; then
tar \
--exclude='./.git' \
--exclude='./node_modules' \
--exclude='./apps/web/node_modules' \
--exclude='./apps/web/test-results' \
--exclude='./apps/web/playwright-report' \
--exclude='./packages/*/node_modules' \
-cf - -C "$SOURCE_WORKDIR" . | tar -xf - -C "$SMOKE_WORKDIR"
else
cp -a "$SOURCE_WORKDIR/." "$SMOKE_WORKDIR/"
rm -rf "$SMOKE_WORKDIR/.git" \
"$SMOKE_WORKDIR/node_modules" \
"$SMOKE_WORKDIR/apps/web/node_modules" \
"$SMOKE_WORKDIR/apps/web/test-results" \
"$SMOKE_WORKDIR/apps/web/playwright-report" \
2>/dev/null || true
fi
cd "$SMOKE_WORKDIR"
PNPM_STORE=/opt/pnpm-store
PNPM_HASH_FILE=/opt/pnpm-store/.lock_hash
CURRENT_PNPM_HASH=$(md5sum pnpm-lock.yaml | awk '{print $1}')
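Review bot: The `cp -a` fallback in the `else` branch never removes `packages/*/node_modules`, while the tar branch excludes `./packages/*/node_modules`, so the two copy paths can produce different smoke workspaces. Add the same pattern to the fallback `rm -rf` list, or fail the job when `tar` is missing instead of falling back silently. Separately, in `tar -cf - -C "$SOURCE_WORKDIR" . | tar -xf - -C "$SMOKE_WORKDIR"` the exit status of the archiving `tar` is dropped unless the script enables `pipefail`, which is not visible in this hunk; a partial copy would then continue into `cd "$SMOKE_WORKDIR"` and the install with no error.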
@@ -2472,12 +2487,13 @@ jobs:
--name "awoooi-cd-${GITHUB_RUN_ID:-manual}-${GITHUB_RUN_ATTEMPT:-1}-e2e-smoke" \
--cpus "1.5" \
--memory "2g" \
-v "$PWD:/workspace" \
-v "$PWD:/source:ro" \
-v "$SMOKE_OUTPUT:/github-output" \
-v /tmp/awoooi-smoke.sh:/tmp/awoooi-smoke.sh:ro \
-v awoooi-pnpm-store:/opt/pnpm-store \
-v awoooi-playwright-browsers:/opt/playwright-browsers \
-w /workspace \
-e GITHUB_OUTPUT=/workspace/.awoooi-smoke-output \
-w /tmp \
-e GITHUB_OUTPUT=/github-output \
-e CI=true \
-e PLAYWRIGHT_BASE_URL=https://awoooi.wooo.work \
"${{ env.CI_IMAGE }}" \
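Review bot: `-v "$SMOKE_OUTPUT:/github-output"` binds a single host path, and nothing in this hunk shows `$SMOKE_OUTPUT` being created beforehand; if the path does not exist when `docker run` starts, Docker creates it as a directory and every write to `GITHUB_OUTPUT=/github-output` fails. Create it as an empty regular file before the run, confirm it is a file, and make sure the container user can write to it, since the changelog entry attributes the original failure to `EACCES` on a bind-mounted path. The `:ro` on `/source` is the right direction; the `awoooi-pnpm-store` and `awoooi-playwright-browsers` volumes stay writable and shared between runs, which deserves a comment stating that this is an accepted cache trade-off.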
@@ -2487,12 +2503,13 @@ jobs:
--name "awoooi-cd-${GITHUB_RUN_ID:-manual}-${GITHUB_RUN_ATTEMPT:-1}-e2e-smoke" \
--cpus "1.5" \
--memory "2g" \
-v "$PWD:/workspace" \
-v "$PWD:/source:ro" \
-v "$SMOKE_OUTPUT:/github-output" \
-v /tmp/awoooi-smoke.sh:/tmp/awoooi-smoke.sh:ro \
-v awoooi-pnpm-store:/opt/pnpm-store \
-v awoooi-playwright-browsers:/opt/playwright-browsers \
-w /workspace \
-e GITHUB_OUTPUT=/workspace/.awoooi-smoke-output \
-w /tmp \
-e GITHUB_OUTPUT=/github-output \
-e CI=true \
-e PLAYWRIGHT_BASE_URL=https://awoooi.wooo.work \
"${{ env.CI_IMAGE }}" \
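Review bot: This `docker run` argument list is line-for-line identical to the one in the previous hunk, so every mount, `-w` and `-e` change has to be made twice and can drift. Build the shared arguments once (a shell function or a single variable in the step) and reuse them in both invocations, so a later edit cannot restore a writable `$PWD` mount in only one of them.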


@@ -1,3 +1,15 @@
## 2026-07-01 — 17:29 Gitea CD post-deploy smoke workspace 權限修正
**照主線修正的問題**
- CD `#4272` 已成功完成 tests、image build/push、ArgoCD `Synced/Healthy`、K8s rollout 與 production deploy readback並讀回 `792de2553c` 與 GitOps desired image tag 一致;但 post-deploy browser smoke 仍回 `SMOKE_RESULT=⚠️`
- smoke log 顯示 `pnpm install` 在 bind-mounted checkout 的 `/workspace/node_modules` 建目錄時 `EACCES`,代表 smoke container 不應直接在 runner checkout 安裝依賴。
- `.gitea/workflows/cd.yaml` 改成把 source checkout 唯讀掛到 `/source`,在 container 內建立 `/tmp/awoooi-smoke-workspace` 後用 `tar` 排除 `.git``node_modules``test-results``playwright-report` 再安裝與執行 Playwright`GITHUB_OUTPUT` 改用單檔 bind mount `/github-output` 寫回,不再把整個 checkout 當可寫 workspace。
- `ops/runner/test_cd_controlled_runtime_profile.py` 新增 guard禁止 smoke 回到 `-v "$PWD:/workspace"``-w /workspace``/workspace/.awoooi-smoke-output`,避免下一次權限 / symlink cleanup 問題再讓 smoke 假黃。
**邊界**:未讀 secret / token / `.env` / raw sessions / SQLite / auth未使用 GitHub / `gh` / GitHub API未重啟主機 / Docker / Nginx / K3s / DB / firewall未 force push。
**下一步**:跑本地 workflow guard 後推 Gitea main等待下一個 CD 重新產生 post-deploy smoke `pass` 證據;若 smoke 還是黃,繼續只收斂最新失敗段落。
## 2026-07-01 — 17:18 Gitea CD post-deploy smoke 依賴證據修正
**照主線修正的問題**
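Review bot: The new entry documents the `tar` copy with its exclude list but not the `cp -a` fallback that `cd.yaml` takes when `tar` is absent, nor that the cleanup trap now removes `/tmp/awoooi-smoke-workspace` and the `/tmp` install logs instead of paths under `/workspace`. Add one line for each so the entry matches what the workflow actually does on both branches.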


@@ -136,6 +136,15 @@ def test_post_deploy_smoke_uses_workspace_playwright_dependency() -> None:
assert "pnpm exec playwright install chromium --with-deps" in block
assert "pnpm exec playwright install-deps chromium" in block
assert "pnpm exec playwright test tests/e2e/smoke.spec.ts --reporter=line" in block
assert "SMOKE_WORKDIR=/tmp/awoooi-smoke-workspace" in block
assert "-v \"$PWD:/source:ro\"" in block
assert "-v \"$SMOKE_OUTPUT:/github-output\"" in block
assert "-w /tmp" in block
assert "-e GITHUB_OUTPUT=/github-output" in block
assert "-v \"$PWD:/workspace\"" not in block
assert "-w /workspace" not in block
assert "GITHUB_OUTPUT=/workspace/.awoooi-smoke-output" not in block
assert "rm -rf /workspace/node_modules" not in block
assert "npx playwright" not in block
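Review bot: The five new positive assertions are substring checks (`in block`), and `cd.yaml` carries two identical `docker run` invocations; if `block` spans both, each check passes as soon as one invocation has the flag, so a regression in the other would go unnoticed. Assert the expected occurrence count instead, for example that `block.count("-v \"$PWD:/source:ro\"")` equals the number of smoke invocations. The guard also has no assertion for `trap cleanup_smoke_workspace_artifacts EXIT` or for the `--exclude='./.git'` line, both of which the isolation depends on.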