From 0562c13630753cbfc9ff4d2645218446f733cc30 Mon Sep 17 00:00:00 2001
From: Esdras Renan
Date: Thu, 16 Oct 2025 11:59:32 -0300
Subject: [PATCH] ci: improve cleanup fallback (chown+chmod before delete) and run web container as uid 1000 to prevent root-owned caches

---
 .github/workflows/ci-cd-web-desktop.yml | 12 ++++++------
 stack.yml | 2 ++
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci-cd-web-desktop.yml b/.github/workflows/ci-cd-web-desktop.yml
index 9a644e6..f6b769a 100644
--- a/.github/workflows/ci-cd-web-desktop.yml
+++ b/.github/workflows/ci-cd-web-desktop.yml
@@ -247,8 +247,8 @@ jobs:
 echo "Removing $dir"
 rm -rf "$dir" || {
 echo "Local rm failed, falling back to docker (root) cleanup for $dir..."
- docker run --rm -v "$dir":/target alpine:3 sh -lc 'rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true; rmdir /target || true' || true
- rmdir "$dir" 2>/dev/null || true
+ docker run --rm -v "$dir":/target alpine:3 sh -lc 'chown -R 1000:1000 /target 2>/dev/null || true; chmod -R u+rwX /target 2>/dev/null || true; rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true' || true
+ rm -rf "$dir" 2>/dev/null || rmdir "$dir" 2>/dev/null || true
 }
 done
 echo "Disk usage (top 10 under $ROOT):"
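Review bot: The new fallback line hard-codes `chown -R 1000:1000`, so host ownership is only restored when the runner account happens to be uid/gid 1000; derive it from the caller instead, e.g. `docker run --rm -e OWNER="$(id -u):$(id -g)" -v "$dir":/target alpine:3 sh -lc 'chown -R "$OWNER" /target 2>/dev/null || true; chmod -R u+rwX /target 2>/dev/null || true; rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true' || true` (the identical line appears in hunk @@ -373). Since this branch runs as root against a bind mount, a guard before the `docker run` such as `if [ -L "$dir" ]; then echo "Skipping symlink $dir"; continue; fi` is cheap insurance against recursing outside `$ROOT`; the loop that produces `$dir` starts above the hunk, so I can't tell whether it already filters symlinks. Every step ends in `2>/dev/null || true`, so a fallback that still leaves `$dir` behind fails silently — `[ -e "$dir" ] && echo "Warning: could not remove $dir"` after the closing `}` would surface it in the job log.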
@@ -334,7 +334,7 @@ jobs:
 -e MACHINE_PROVISIONING_SECRET \
 -e MACHINE_TOKEN_TTL_MS \
 -e FLEET_SYNC_SECRET \
- node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; mkdir -p \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm install --frozen-lockfile --prod=false; \
+ node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; mkdir -p \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm config set store-dir \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm install --frozen-lockfile --prod=false; \
 if [ -n \"$MACHINE_PROVISIONING_SECRET\" ]; then pnpm exec convex env set MACHINE_PROVISIONING_SECRET \"$MACHINE_PROVISIONING_SECRET\" -y; fi; \
 if [ -n \"$MACHINE_TOKEN_TTL_MS\" ]; then pnpm exec convex env set MACHINE_TOKEN_TTL_MS \"$MACHINE_TOKEN_TTL_MS\" -y; fi; \
 if [ -n \"$FLEET_SYNC_SECRET\" ]; then pnpm exec convex env set FLEET_SYNC_SECRET \"$FLEET_SYNC_SECRET\" -y; fi; \
@@ -359,7 +359,7 @@ jobs:
 -e CI=true \
 -e CONVEX_SELF_HOSTED_URL \
 -e CONVEX_SELF_HOSTED_ADMIN_KEY \
- node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; mkdir -p \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm install --frozen-lockfile --prod=false; pnpm exec convex deploy"
+ node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; mkdir -p \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm config set store-dir \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm install --frozen-lockfile --prod=false; pnpm exec convex deploy"
 - name: Cleanup old convex build workdirs (keep last 2)
 run: |
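Review bot: The added `pnpm config set store-dir ...` in this hunk and in @@ -359 persists the setting into an `.npmrc` file — whether the user-level one inside the throwaway container or the project's `.npmrc` in the mounted workdir depends on pnpm's default `--location`, which I can't confirm from here; passing it per invocation avoids writing any config: `pnpm install --store-dir \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\" --frozen-lockfile --prod=false`. The `${PNPM_STORE_DIR:-...}` expansion happens on the host because the whole `bash -lc "…"` string is host-double-quoted, so that path also has to be bind-mounted into the container for the store to outlive the run; the `-v` flags of these `docker run` calls are above the hunks, so I can't verify that. The two long `bash -lc` strings are now identical up to their last step and would be easier to review and keep in sync as one checked-in script invoked from both jobs. Both enclosing `run:` blocks start outside the hunks.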
@@ -373,8 +373,8 @@ jobs:
 echo "Removing $dir"
 rm -rf "$dir" || {
 echo "Local rm failed, falling back to docker (root) cleanup for $dir..."
- docker run --rm -v "$dir":/target alpine:3 sh -lc 'rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true; rmdir /target || true' || true
- rmdir "$dir" 2>/dev/null || true
+ docker run --rm -v "$dir":/target alpine:3 sh -lc 'chown -R 1000:1000 /target 2>/dev/null || true; chmod -R u+rwX /target 2>/dev/null || true; rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true' || true
+ rm -rf "$dir" 2>/dev/null || rmdir "$dir" 2>/dev/null || true
 }
 done
diff --git a/stack.yml b/stack.yml
index 3e14a95..975fd5c 100644
--- a/stack.yml
+++ b/stack.yml
@@ -4,6 +4,8 @@ version: "3.8"
 services:
 web:
 image: node:20-bullseye
+ # Run as non-root to avoid creating root-owned files on host mounts
+ user: "1000:1000"
 working_dir: /app
 command: >
 bash -lc "bash /app/scripts/start-web.sh"
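Review bot: `user: "1000:1000"` in stack.yml only prevents root-owned files on the host mounts when the host account that owns those mounts is uid/gid 1000, so the stack is now silently coupled to the host's user layout; compose interpolation lets the deployer override it, `user: "${WEB_UID:-1000}:${WEB_GID:-1000}"`, and the comment should say what the value must match (`# Must match the uid/gid that owns the bind-mounted directories on the host`). Dropping root also means the entrypoint can no longer write to root-owned paths inside the image or bind ports below 1024; `scripts/start-web.sh` is outside this diff, so I can't tell whether it relies on either. If the fixed value is kept, note that 1000:1000 coincides with the `node` user shipped in the node:20 image, so `user: "node"` would name the intent more clearly.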