Cleanup after host-mode runner: drop TLS-skip env and GeoIP image bake #4

Merged
developer merged 3 commits from feature/cleanup-tls-and-geoip into development 2026-05-14 04:31:28 +00:00
Status

Morning task before merge: install the Playwright system deps for webkit/chromium/firefox on the host, once.

In host-mode the runner has no way to run `sudo apt-get install` itself (there is no passwordless sudo, and that is correct). Previously, in the job container, the dependencies came with the runner image; now the host has to be set up once:

```sh
cd ui/frontend
sudo pnpm exec playwright install-deps
```

After that, Tests · UI will pass: on the current commit 67 webkit tests fail with a timeout, because webkit cannot initialize canvas without libwebkit2gtk-4.x and its dependencies. Once the deps are installed, ask me and I will re-run Tests · UI via the API and merge right away.


Two workarounds we added for the docker-in-docker runner are no longer needed now that act_runner executes jobs natively on the host.

  1. GIT_SSL_NO_VERIFY=true in every workflow — actions/checkout now uses the host system CA store, which already trusts the host-Caddy root.
  2. GeoIP DB baked into tools/local-dev/backend.Dockerfile — bind-mount paths now resolve to real host paths, so dev-deploy/docker-compose.yml can mount the file directly the way local-dev does.
  3. --with-deps removed from pnpm exec playwright install — host-mode runner has no non-interactive sudo, so the apt-get step that --with-deps shells out to fails. Browsers themselves install fine without privilege; the system .so libraries are a one-time host setup (see above).
developer added 2 commits 2026-05-13 23:04:25 +00:00
The act_runner now executes jobs natively on the host (no per-job
container), so actions/checkout uses the host's system CA store,
which already trusts the host-Caddy root CA. The workaround that
disabled TLS verification for `git fetch` is no longer needed and
just hides legitimate cert issues if they ever appear.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
dev-deploy: restore GeoIP bind-mount, drop image bake
Tests · Integration / integration (pull_request) Successful in 2m14s
Tests · Go / test (pull_request) Successful in 2m19s
Tests · UI / test (pull_request) Failing after 51m17s
bb74e3336e
With the runner in host-mode, compose bind-mount paths resolve to
real host paths the Docker daemon can see, so the GeoIP file no
longer needs to be baked into the backend image to survive CI. Bring
back the bind-mount of `pkg/geoip/test-data/.../mmdb`, matching how
local-dev sources it. Image now only carries the backend binary,
symmetric with the production `backend/Dockerfile`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
developer added 1 commit 2026-05-13 23:59:48 +00:00
ci/ui-test: drop --with-deps now that runner is host-mode
Tests · Go / test (pull_request) Successful in 2m6s
Tests · UI / test (push) Failing after 2m32s
Tests · Integration / integration (pull_request) Successful in 1m52s
Tests · UI / test (pull_request) Successful in 2m3s
9135991887
`playwright install --with-deps` shells out to `sudo apt-get install`
for the system libraries that headless browsers need. In a job
container that runs as root this is silent; on a host-mode runner the
non-interactive sudo prompts for a password, fails three times, and
the step exits 1.

Drop --with-deps. The system .so libraries are installed once on the
host via `pnpm exec playwright install-deps` (or the equivalent
apt-get incantation); workflow runs only need to fetch the browser
binaries themselves, which live under the runner user's home and
need no privilege.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
developer merged commit 660044559c into development 2026-05-14 04:31:28 +00:00
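
The first commit above removes `GIT_SSL_NO_VERIFY` from the workflows; a guard such as the following, run as a CI lint step, keeps the bypass from coming back. This is an added example, not code from this PR or its repository: the function names and the sample workflow files are constructed, and the `http.sslVerify` pattern goes beyond the variable the PR names to cover git's equivalent config key.

```shell
#!/bin/sh
# Added example (not from the PR): fail CI if a TLS-verification bypass
# reappears in any workflow file.

# scan_tls_skips DIR
# Prints "file:line:text" for every non-comment line in *.yml / *.yaml under
# DIR that assigns GIT_SSL_NO_VERIFY (any value is flagged, so the guard does
# not depend on how the value is parsed) or sets http.sslVerify to false.
# Returns 0 when clean, 1 when at least one bypass is found.
scan_tls_skips() {
    hits=$(find "$1" -type f \( -name '*.yml' -o -name '*.yaml' \) \
        -exec grep -EinH \
            -e 'GIT_SSL_NO_VERIFY[[:space:]]*[:=]' \
            -e 'http\.sslverify[[:space:]=]+"?false' {} + 2>/dev/null |
        grep -Ev '^[^:]*:[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# make_sample DIR: writes two constructed workflow files for the demo.
make_sample() {
    mkdir -p "$1/bad" "$1/good"
    cat > "$1/bad/ui-test.yaml" <<'EOF'
jobs:
  test:
    env:
      GIT_SSL_NO_VERIFY: "true"
    steps:
      - uses: actions/checkout@v4
EOF
    cat > "$1/good/ui-test.yaml" <<'EOF'
jobs:
  test:
    steps:
      # GIT_SSL_NO_VERIFY: "true"  (removed, host CA store trusts the root)
      - uses: actions/checkout@v4
      - run: pnpm exec playwright install
EOF
}

# Demo on the constructed samples: the commented-out line is not flagged.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
scan_tls_skips "$demo_dir/good" && echo "good: clean"
scan_tls_skips "$demo_dir/bad" || echo "bad: TLS-skip found"
rm -rf "$demo_dir"
```
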

Reference: developer/galaxy-game#4