dev-deploy: restore GeoIP bind-mount, drop image bake

With the runner in host-mode, compose bind-mount paths resolve to real host paths the Docker daemon can see, so the GeoIP file no longer needs to be baked into the backend image to survive CI. Bring back the bind-mount of `pkg/geoip/test-data/.../mmdb`, matching how local-dev sources it. Image now only carries the backend binary, symmetric with the production `backend/Dockerfile`. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ci: drop GIT_SSL_NO_VERIFY now that runner is host-mode
2026-05-14 01:04:11 +02:00 · 2026-05-14 01:04:11 +02:00
7 changed files with 1 additions and 49 deletions
@@ -24,12 +24,6 @@ on:
      - '.gitea/workflows/dev-deploy.yaml'
      - '!**/*.md'
 env:
  # See go-unit.yaml for the rationale; this disables TLS verify for
  # actions/checkout against the LAN Gitea host signed by host-Caddy's
  # internal CA.
  GIT_SSL_NO_VERIFY: "true"
 jobs:
  deploy:
    runs-on: ubuntu-latest
@@ -30,15 +30,6 @@ on:
      - '.gitea/workflows/go-unit.yaml'
      - '!**/*.md'
 env:
  # The Gitea host serves https://gitea.iliadenisov.ru with a cert
  # signed by host-Caddy's internal CA. The runner-image's CA bundle
  # does not include that root, so actions/checkout fails on `git
  # fetch`. Disabling SSL verify is acceptable for this LAN-only
  # infrastructure; the long-term fix is to mount the Caddy root CA
  # into the runner image.
  GIT_SSL_NO_VERIFY: "true"
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -37,12 +37,6 @@ on:
      - '.gitea/workflows/integration.yaml'
      - '!**/*.md'
 env:
  # See go-unit.yaml for the rationale; this disables TLS verify for
  # actions/checkout against the LAN Gitea host signed by host-Caddy's
  # internal CA.
  GIT_SSL_NO_VERIFY: "true"
 jobs:
  integration:
    runs-on: ubuntu-latest
@@ -21,12 +21,6 @@ on:
      - '.gitea/workflows/prod-build.yaml'
      - '!**/*.md'
 env:
  # See go-unit.yaml for the rationale; this disables TLS verify for
  # actions/checkout against the LAN Gitea host signed by host-Caddy's
  # internal CA.
  GIT_SSL_NO_VERIFY: "true"
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -16,12 +16,6 @@ on:
      - '.gitea/workflows/ui-test.yaml'
      - '!**/*.md'
 env:
  # See go-unit.yaml for the rationale; this disables TLS verify for
  # actions/checkout against the LAN Gitea host signed by host-Caddy's
  # internal CA.
  GIT_SSL_NO_VERIFY: "true"
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -125,11 +125,7 @@ services:
        target: ${GALAXY_DEV_GAME_STATE_DIR}
        bind:
          create_host_path: true
-      # The GeoIP database is baked into the backend image (see
+      - ../../pkg/geoip/test-data/test-data/GeoIP2-Country-Test.mmdb:/var/lib/galaxy/geoip.mmdb:ro
      # tools/local-dev/backend.Dockerfile); a bind-mount is not used
      # here because the source path resolves inside the runner
      # workspace volume and the host Docker daemon cannot see it,
      # which produced an "is a directory" error in CI.
    networks:
      - galaxy-internal
    healthcheck:
@@ -24,16 +24,6 @@ COPY pkg/transcoder/ ./pkg/transcoder/
 COPY pkg/util/       ./pkg/util/
 COPY backend/        ./backend/
 # Bake the GeoIP test database into the build context so downstream
 # stages can copy it into the runtime image. The path is the
 # `MaxMind-DB` git submodule under `pkg/geoip/test-data/`; the file is
 # the smallest country DB MaxMind publishes and is what every other
 # dev-stack uses. Baking it lets dev-deploy skip the bind-mount that
 # fails on runner-workspace volumes the host Docker daemon cannot see.
 RUN mkdir -p /out/var/lib/galaxy
 COPY pkg/geoip/test-data/test-data/GeoIP2-Country-Test.mmdb \
     /out/var/lib/galaxy/geoip.mmdb
 RUN <<'EOF' cat > go.work
 go 1.26.2
@@ -77,6 +67,5 @@ EXPOSE 8080
 EXPOSE 8081
 COPY --from=builder /out/backend /usr/local/bin/backend
 COPY --from=builder /out/var/lib/galaxy/geoip.mmdb /var/lib/galaxy/geoip.mmdb
 ENTRYPOINT ["/usr/local/bin/backend"]