From 4a88b24f4bc56aa74c7b6b119664e793893079ff Mon Sep 17 00:00:00 2001
From: Ilia Denisov
Date: Thu, 14 May 2026 01:04:11 +0200
Subject: [PATCH 1/3] ci: drop GIT_SSL_NO_VERIFY now that runner is host-mode

The act_runner now executes jobs natively on the host (no per-job container), so actions/checkout uses the host's system CA store, which already trusts the host-Caddy root CA. The workaround that disabled TLS verification for `git fetch` is no longer needed and just hides legitimate cert issues if they ever appear.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/dev-deploy.yaml | 6 ------
 .gitea/workflows/go-unit.yaml | 9 ---------
 .gitea/workflows/integration.yaml | 6 ------
 .gitea/workflows/prod-build.yaml | 6 ------
 .gitea/workflows/ui-test.yaml | 6 ------
 5 files changed, 33 deletions(-)

diff --git a/.gitea/workflows/dev-deploy.yaml b/.gitea/workflows/dev-deploy.yaml
index 8337022..0ebf15f 100644
--- a/.gitea/workflows/dev-deploy.yaml
+++ b/.gitea/workflows/dev-deploy.yaml
@@ -24,12 +24,6 @@ on:
 - '.gitea/workflows/dev-deploy.yaml'
 - '!**/*.md'
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/go-unit.yaml b/.gitea/workflows/go-unit.yaml
index 7c2c10a..b961d6a 100644
--- a/.gitea/workflows/go-unit.yaml
+++ b/.gitea/workflows/go-unit.yaml
@@ -30,15 +30,6 @@ on:
 - '.gitea/workflows/go-unit.yaml'
 - '!**/*.md'
-env:
- # The Gitea host serves https://gitea.iliadenisov.ru with a cert
- # signed by host-Caddy's internal CA. The runner-image's CA bundle
- # does not include that root, so actions/checkout fails on `git
- # fetch`. Disabling SSL verify is acceptable for this LAN-only
- # infrastructure; the long-term fix is to mount the Caddy root CA
- # into the runner image.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/integration.yaml b/.gitea/workflows/integration.yaml
index dcdceec..85d61cd 100644
--- a/.gitea/workflows/integration.yaml
+++ b/.gitea/workflows/integration.yaml
@@ -37,12 +37,6 @@ on:
 - '.gitea/workflows/integration.yaml'
 - '!**/*.md'
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 integration:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/prod-build.yaml b/.gitea/workflows/prod-build.yaml
index fd4aa71..4e54788 100644
--- a/.gitea/workflows/prod-build.yaml
+++ b/.gitea/workflows/prod-build.yaml
@@ -21,12 +21,6 @@ on:
 - '.gitea/workflows/prod-build.yaml'
 - '!**/*.md'
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/ui-test.yaml b/.gitea/workflows/ui-test.yaml
index 93ee672..b064134 100644
--- a/.gitea/workflows/ui-test.yaml
+++ b/.gitea/workflows/ui-test.yaml
@@ -16,12 +16,6 @@ on:
 - '.gitea/workflows/ui-test.yaml'
 - '!**/*.md'
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 test:
 runs-on: ubuntu-latest

From bb74e3336e5810280a3f27fbe08d45d3439da9a1 Mon Sep 17 00:00:00 2001
From: Ilia Denisov
Date: Thu, 14 May 2026 01:04:11 +0200
Subject: [PATCH 2/3] dev-deploy: restore GeoIP bind-mount, drop image bake

With the runner in host-mode, compose bind-mount paths resolve to real host paths the Docker daemon can see, so the GeoIP file no longer needs to be baked into the backend image to survive CI. Bring back the bind-mount of `pkg/geoip/test-data/.../mmdb`, matching how local-dev sources it. Image now only carries the backend binary, symmetric with the production `backend/Dockerfile`.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 tools/dev-deploy/docker-compose.yml | 6 +-----
 tools/local-dev/backend.Dockerfile | 11 -----------
 2 files changed, 1 insertion(+), 16 deletions(-)

diff --git a/tools/dev-deploy/docker-compose.yml b/tools/dev-deploy/docker-compose.yml
index a6e4e67..5a449df 100644
--- a/tools/dev-deploy/docker-compose.yml
+++ b/tools/dev-deploy/docker-compose.yml
@@ -125,11 +125,7 @@ services:
 target: ${GALAXY_DEV_GAME_STATE_DIR}
 bind:
 create_host_path: true
- # The GeoIP database is baked into the backend image (see
- # tools/local-dev/backend.Dockerfile); a bind-mount is not used
- # here because the source path resolves inside the runner
- # workspace volume and the host Docker daemon cannot see it,
- # which produced an "is a directory" error in CI.
+ - ../../pkg/geoip/test-data/test-data/GeoIP2-Country-Test.mmdb:/var/lib/galaxy/geoip.mmdb:ro
 networks:
 - galaxy-internal
 healthcheck:
diff --git a/tools/local-dev/backend.Dockerfile b/tools/local-dev/backend.Dockerfile
index 01e5898..1cd01c3 100644
--- a/tools/local-dev/backend.Dockerfile
+++ b/tools/local-dev/backend.Dockerfile
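Review bot: The new bind-mount line in docker-compose.yml drops the only record of why this mount failed in CI before, and it now silently depends on two things compose cannot check: the runner executing on the host (so `../../pkg/geoip/...` is a path the Docker daemon can see) and the `MaxMind-DB` submodule under `pkg/geoip/test-data/` being checked out. Docker's short-syntax bind-mount creates an empty directory at a missing source path, so a workflow that checks out without submodules would hit the same "is a directory" failure the removed comment described, only with a different root cause. Suggest keeping a short comment above the new line: `# Host-mode runner only: this relative source must be visible to the Docker daemon and the MaxMind-DB submodule under pkg/geoip/test-data must be checked out, or Docker creates an empty directory here and the mount fails with "is a directory".` Whether the checkout step already fetches submodules is not visible in this patch and is worth confirming alongside the change; the `:ro` flag on the new mount is the right choice for a test database.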
@@ -24,16 +24,6 @@ COPY pkg/transcoder/ ./pkg/transcoder/
 COPY pkg/util/ ./pkg/util/
 COPY backend/ ./backend/
-# Bake the GeoIP test database into the build context so downstream
-# stages can copy it into the runtime image. The path is the
-# `MaxMind-DB` git submodule under `pkg/geoip/test-data/`; the file is
-# the smallest country DB MaxMind publishes and is what every other
-# dev-stack uses. Baking it lets dev-deploy skip the bind-mount that
-# fails on runner-workspace volumes the host Docker daemon cannot see.
-RUN mkdir -p /out/var/lib/galaxy
-COPY pkg/geoip/test-data/test-data/GeoIP2-Country-Test.mmdb \
- /out/var/lib/galaxy/geoip.mmdb
-
 RUN <<'EOF'
 cat > go.work
 go 1.26.2
@@ -77,6 +67,5 @@ EXPOSE 8080
 EXPOSE 8081
 COPY --from=builder /out/backend /usr/local/bin/backend
-COPY --from=builder /out/var/lib/galaxy/geoip.mmdb /var/lib/galaxy/geoip.mmdb
 ENTRYPOINT ["/usr/local/bin/backend"]

From 91359918870d35b3473551d83b9b44ce06c8eea4 Mon Sep 17 00:00:00 2001
From: Ilia Denisov
Date: Thu, 14 May 2026 01:59:45 +0200
Subject: [PATCH 3/3] ci/ui-test: drop --with-deps now that runner is host-mode

`playwright install --with-deps` shells out to `sudo apt-get install` for the system libraries that headless browsers need. In a job container that runs as root this is silent; on a host-mode runner the non-interactive sudo prompts for a password, fails three times, and the step exits 1. Drop --with-deps. The system .so libraries are installed once on the host via `pnpm exec playwright install-deps` (or the equivalent apt-get incantation); workflow runs only need to fetch the browser binaries themselves, which lives under the runner user's home and needs no privilege.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/ui-test.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/ui-test.yaml b/.gitea/workflows/ui-test.yaml
index b064134..5924d3c 100644
--- a/.gitea/workflows/ui-test.yaml
+++ b/.gitea/workflows/ui-test.yaml
@@ -45,8 +45,15 @@ jobs:
 run: pnpm install --frozen-lockfile
 - name: Install Playwright browsers
+ # `--with-deps` would shell out to `sudo apt-get install` for
+ # the system .so libraries, which the host-mode runner cannot
+ # run non-interactively. The host has the deps installed once,
+ # globally; we only need to fetch the browser binaries here.
+ # If a future run fails with missing libraries, install them
+ # on the host via `pnpm exec playwright install-deps` (one
+ # shot, requires sudo).
 working-directory: ui/frontend
- run: pnpm exec playwright install --with-deps
+ run: pnpm exec playwright install
 - name: Run Vitest
 working-directory: ui/frontend
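Review bot: The added comment's "(one shot, requires sudo)" on the `install-deps` advice is misleading: the system-library set Playwright needs is tied to the Playwright version that `pnpm install --frozen-lockfile` resolves, so the host-side `pnpm exec playwright install-deps` has to be re-run after every Playwright bump in the lockfile, not once. Suggest rewording the last two comment lines to say the command must be re-run on the host after each Playwright version bump rather than "one shot", so a later missing-library failure is diagnosed from the comment instead of rediscovered. The step now depends on host state that nothing in the repository records; if a host setup script or note exists, naming it here would make the dependency traceable. The enclosing job starts outside the hunk.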