From 306fa471f8be6c6d26d2bca570ac512ac944795d Mon Sep 17 00:00:00 2001
From: Your Name
Date: Wed, 1 Jul 2026 17:27:11 +0800
Subject: [PATCH] fix(cd): run smoke from isolated workspace
---
 .gitea/workflows/cd.yaml | 53 ++++++++++++-------
 docs/LOGBOOK.md | 12 +++++
 .../test_cd_controlled_runtime_profile.py | 9 ++++
 3 files changed, 56 insertions(+), 18 deletions(-)
diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 9d79208d..698fe387 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -2394,23 +2394,38 @@ jobs:
 # 首席架構師 Review I4 + 2026-04-05 Claude Code cache優化:
 # playwright.config.ts import @playwright/test — 必須先安裝 pnpm node_modules
 # pnpm store 持久化到 /opt/pnpm-store,pnpm-lock.yaml hash 未變則 --prefer-offline
+ SOURCE_WORKDIR=/source
+ SMOKE_WORKDIR=/tmp/awoooi-smoke-workspace
 cleanup_smoke_workspace_artifacts() {
- # 2026-05-19 Codex: pnpm creates a symlink-heavy node_modules tree
- # inside the bind-mounted checkout. Remove it before act-runner's
- # post-job cleanup so successful smoke jobs do not end with
- # errSymlink cleanup noise.
- rm -rf /workspace/node_modules \
- /workspace/apps/web/node_modules \
- /workspace/apps/web/tests/e2e/.auth \
- /workspace/apps/web/test-results \
- /workspace/apps/web/playwright-report \
- 2>/dev/null || true
- find /workspace/apps /workspace/packages \
- -mindepth 2 -maxdepth 2 -type d -name node_modules -prune -exec rm -rf {} + \
+ rm -rf "$SMOKE_WORKDIR" \
+ /tmp/pnpm-install.log \
+ /tmp/playwright-install-deps.log \
 2>/dev/null || true
 }
 trap cleanup_smoke_workspace_artifacts EXIT
+ rm -rf "$SMOKE_WORKDIR"
+ mkdir -p "$SMOKE_WORKDIR"
+ if command -v tar >/dev/null 2>&1; then
+ tar \
+ --exclude='./.git' \
+ --exclude='./node_modules' \
+ --exclude='./apps/web/node_modules' \
+ --exclude='./apps/web/test-results' \
+ --exclude='./apps/web/playwright-report' \
+ --exclude='./packages/*/node_modules' \
+ -cf - -C "$SOURCE_WORKDIR" . | tar -xf - -C "$SMOKE_WORKDIR"
+ else
+ cp -a "$SOURCE_WORKDIR/." "$SMOKE_WORKDIR/"
+ rm -rf "$SMOKE_WORKDIR/.git" \
+ "$SMOKE_WORKDIR/node_modules" \
+ "$SMOKE_WORKDIR/apps/web/node_modules" \
+ "$SMOKE_WORKDIR/apps/web/test-results" \
+ "$SMOKE_WORKDIR/apps/web/playwright-report" \
+ 2>/dev/null || true
+ fi
+ cd "$SMOKE_WORKDIR"
+
 PNPM_STORE=/opt/pnpm-store
 PNPM_HASH_FILE=/opt/pnpm-store/.lock_hash
 CURRENT_PNPM_HASH=$(md5sum pnpm-lock.yaml | awk '{print $1}')
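Review bot: The two copy branches do not strip the same set of paths: the `tar` path excludes `./packages/*/node_modules` but the `cp -a` fallback's `rm -rf` list does not, and neither branch excludes `apps/web/tests/e2e/.auth`, which the removed cleanup used to delete, so a stale per-package `node_modules` or Playwright auth-state directory, if the runner checkout still carries one, is carried into the smoke workspace. Bringing the lists into step takes three lines: `--exclude='./apps/web/tests/e2e/.auth' \` in the `tar` call, and `"$SMOKE_WORKDIR/apps/web/tests/e2e/.auth" \` plus `"$SMOKE_WORKDIR"/packages/*/node_modules \` in the fallback's `rm -rf`. The `tar -cf - … | tar -xf -` pipeline also reports only the extracting tar's exit status, so unless this step runs under `set -o pipefail` (not visible in the hunk) a read error on the source side leaves a partial workspace and the run continues into `pnpm install` on it. The enclosing run step starts before and continues after this hunk.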
@@ -2472,12 +2487,13 @@ jobs:
 --name "awoooi-cd-${GITHUB_RUN_ID:-manual}-${GITHUB_RUN_ATTEMPT:-1}-e2e-smoke" \
 --cpus "1.5" \
 --memory "2g" \
- -v "$PWD:/workspace" \
+ -v "$PWD:/source:ro" \
+ -v "$SMOKE_OUTPUT:/github-output" \
 -v /tmp/awoooi-smoke.sh:/tmp/awoooi-smoke.sh:ro \
 -v awoooi-pnpm-store:/opt/pnpm-store \
 -v awoooi-playwright-browsers:/opt/playwright-browsers \
- -w /workspace \
- -e GITHUB_OUTPUT=/workspace/.awoooi-smoke-output \
+ -w /tmp \
+ -e GITHUB_OUTPUT=/github-output \
 -e CI=true \
 -e PLAYWRIGHT_BASE_URL=https://awoooi.wooo.work \
 "${{ env.CI_IMAGE }}" \
@@ -2487,12 +2503,13 @@ jobs:
 --name "awoooi-cd-${GITHUB_RUN_ID:-manual}-${GITHUB_RUN_ATTEMPT:-1}-e2e-smoke" \
 --cpus "1.5" \
 --memory "2g" \
- -v "$PWD:/workspace" \
+ -v "$PWD:/source:ro" \
+ -v "$SMOKE_OUTPUT:/github-output" \
 -v /tmp/awoooi-smoke.sh:/tmp/awoooi-smoke.sh:ro \
 -v awoooi-pnpm-store:/opt/pnpm-store \
 -v awoooi-playwright-browsers:/opt/playwright-browsers \
- -w /workspace \
- -e GITHUB_OUTPUT=/workspace/.awoooi-smoke-output \
+ -w /tmp \
+ -e GITHUB_OUTPUT=/github-output \
 -e CI=true \
 -e PLAYWRIGHT_BASE_URL=https://awoooi.wooo.work \
 "${{ env.CI_IMAGE }}" \
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index a2ab872a..0edba75d 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
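Review bot: `-v "$SMOKE_OUTPUT:/github-output"` bind-mounts a single file, and Docker creates a directory at a bind source that does not yet exist, so if `$SMOKE_OUTPUT` is not created on the host before `docker run` the container sees `/github-output` as a directory and every write to `GITHUB_OUTPUT` fails, which would surface as a smoke failure rather than as a setup error. Where `SMOKE_OUTPUT` is defined is outside this hunk; if the file is not created there, `: > "$SMOKE_OUTPUT"` immediately before the `docker run` both creates it and clears output left by a previous run attempt. The same mount appears in the second `docker run` at `@@ -2487,12 +2503,13 @@`, so both call sites need the guard; the read-only `/source` mount itself is the right direction. Both `docker run` commands start before their hunks.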
@@ -1,3 +1,15 @@
+## 2026-07-01 — 17:29 Gitea CD post-deploy smoke workspace 權限修正
+
+**照主線修正的問題**:
+- CD `#4272` 已成功完成 tests、image build/push、ArgoCD `Synced/Healthy`、K8s rollout 與 production deploy readback,並讀回 `792de2553c` 與 GitOps desired image tag 一致;但 post-deploy browser smoke 仍回 `SMOKE_RESULT=⚠️`。
+- smoke log 顯示 `pnpm install` 在 bind-mounted checkout 的 `/workspace/node_modules` 建目錄時 `EACCES`,代表 smoke container 不應直接在 runner checkout 安裝依賴。
+- `.gitea/workflows/cd.yaml` 改成把 source checkout 唯讀掛到 `/source`,在 container 內建立 `/tmp/awoooi-smoke-workspace` 後用 `tar` 排除 `.git`、`node_modules`、`test-results`、`playwright-report` 再安裝與執行 Playwright;`GITHUB_OUTPUT` 改用單檔 bind mount `/github-output` 寫回,不再把整個 checkout 當可寫 workspace。
+- `ops/runner/test_cd_controlled_runtime_profile.py` 新增 guard,禁止 smoke 回到 `-v "$PWD:/workspace"`、`-w /workspace` 或 `/workspace/.awoooi-smoke-output`,避免下一次權限 / symlink cleanup 問題再讓 smoke 假黃。
+
+**邊界**:未讀 secret / token / `.env` / raw sessions / SQLite / auth;未使用 GitHub / `gh` / GitHub API;未重啟主機 / Docker / Nginx / K3s / DB / firewall;未 force push。
+
+**下一步**:跑本地 workflow guard 後推 Gitea main,等待下一個 CD 重新產生 post-deploy smoke `pass` 證據;若 smoke 還是黃,繼續只收斂最新失敗段落。
+
 ## 2026-07-01 — 17:18 Gitea CD post-deploy smoke 依賴證據修正
 **照主線修正的問題**:
diff --git a/ops/runner/test_cd_controlled_runtime_profile.py b/ops/runner/test_cd_controlled_runtime_profile.py
index e688a4cf..0fb619f4 100644
--- a/ops/runner/test_cd_controlled_runtime_profile.py
+++ b/ops/runner/test_cd_controlled_runtime_profile.py
@@ -136,6 +136,15 @@ def test_post_deploy_smoke_uses_workspace_playwright_dependency() -> None:
 assert "pnpm exec playwright install chromium --with-deps" in block
 assert "pnpm exec playwright install-deps chromium" in block
 assert "pnpm exec playwright test tests/e2e/smoke.spec.ts --reporter=line" in block
+ assert "SMOKE_WORKDIR=/tmp/awoooi-smoke-workspace" in block
+ assert "-v \"$PWD:/source:ro\"" in block
+ assert "-v \"$SMOKE_OUTPUT:/github-output\"" in block
+ assert "-w /tmp" in block
+ assert "-e GITHUB_OUTPUT=/github-output" in block
+ assert "-v \"$PWD:/workspace\"" not in block
+ assert "-w /workspace" not in block
+ assert "GITHUB_OUTPUT=/workspace/.awoooi-smoke-output" not in block
+ assert "rm -rf /workspace/node_modules" not in block
 assert "npx playwright" not in block
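Review bot: The new guards pin the mount and `-w` flags but not the step that actually moves the work off the read-only checkout, so a regression that keeps `SMOKE_WORKDIR=` defined yet runs `pnpm install` from `/source` (or drops the `cd`) still passes. Two assertions taken from the same commit close that gap: `assert "SOURCE_WORKDIR=/source" in block` and `assert 'cd "$SMOKE_WORKDIR"' in block`. `assert "-w /tmp" in block` is also a prefix match that any `-w /tmp…` value satisfies, which is worth a short comment or a stricter anchor if the exact line is stable. The function body begins before this hunk.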