ci: improve cleanup fallback (chown+chmod before delete) and run web container as uid 1000 to prevent root-owned caches

This commit is contained in:
Esdras Renan 2025-10-16 11:59:32 -03:00
parent 4376ed9c3c
commit 0562c13630
2 changed files with 8 additions and 6 deletions


@ -247,8 +247,8 @@ jobs:
echo "Removing $dir" echo "Removing $dir"
rm -rf "$dir" || { rm -rf "$dir" || {
echo "Local rm failed, falling back to docker (root) cleanup for $dir..." echo "Local rm failed, falling back to docker (root) cleanup for $dir..."
docker run --rm -v "$dir":/target alpine:3 sh -lc 'rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true; rmdir /target || true' || true docker run --rm -v "$dir":/target alpine:3 sh -lc 'chown -R 1000:1000 /target 2>/dev/null || true; chmod -R u+rwX /target 2>/dev/null || true; rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true' || true
rmdir "$dir" 2>/dev/null || true rm -rf "$dir" 2>/dev/null || rmdir "$dir" 2>/dev/null || true
} }
done done
echo "Disk usage (top 10 under $ROOT):" echo "Disk usage (top 10 under $ROOT):"
@ -334,7 +334,7 @@ jobs:
-e MACHINE_PROVISIONING_SECRET \ -e MACHINE_PROVISIONING_SECRET \
-e MACHINE_TOKEN_TTL_MS \ -e MACHINE_TOKEN_TTL_MS \
-e FLEET_SYNC_SECRET \ -e FLEET_SYNC_SECRET \
node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; mkdir -p \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm install --frozen-lockfile --prod=false; \ node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; mkdir -p \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm config set store-dir \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm install --frozen-lockfile --prod=false; \
if [ -n \"$MACHINE_PROVISIONING_SECRET\" ]; then pnpm exec convex env set MACHINE_PROVISIONING_SECRET \"$MACHINE_PROVISIONING_SECRET\" -y; fi; \ if [ -n \"$MACHINE_PROVISIONING_SECRET\" ]; then pnpm exec convex env set MACHINE_PROVISIONING_SECRET \"$MACHINE_PROVISIONING_SECRET\" -y; fi; \
if [ -n \"$MACHINE_TOKEN_TTL_MS\" ]; then pnpm exec convex env set MACHINE_TOKEN_TTL_MS \"$MACHINE_TOKEN_TTL_MS\" -y; fi; \ if [ -n \"$MACHINE_TOKEN_TTL_MS\" ]; then pnpm exec convex env set MACHINE_TOKEN_TTL_MS \"$MACHINE_TOKEN_TTL_MS\" -y; fi; \
if [ -n \"$FLEET_SYNC_SECRET\" ]; then pnpm exec convex env set FLEET_SYNC_SECRET \"$FLEET_SYNC_SECRET\" -y; fi; \ if [ -n \"$FLEET_SYNC_SECRET\" ]; then pnpm exec convex env set FLEET_SYNC_SECRET \"$FLEET_SYNC_SECRET\" -y; fi; \
@ -359,7 +359,7 @@ jobs:
-e CI=true \ -e CI=true \
-e CONVEX_SELF_HOSTED_URL \ -e CONVEX_SELF_HOSTED_URL \
-e CONVEX_SELF_HOSTED_ADMIN_KEY \ -e CONVEX_SELF_HOSTED_ADMIN_KEY \
node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; mkdir -p \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm install --frozen-lockfile --prod=false; pnpm exec convex deploy" node:20-bullseye bash -lc "set -euo pipefail; unset CONVEX_DEPLOYMENT; corepack enable; corepack prepare pnpm@9 --activate; mkdir -p \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm config set store-dir \"${PNPM_STORE_DIR:-/tmp/pnpm-store}\"; pnpm install --frozen-lockfile --prod=false; pnpm exec convex deploy"
- name: Cleanup old convex build workdirs (keep last 2) - name: Cleanup old convex build workdirs (keep last 2)
run: | run: |
@ -373,8 +373,8 @@ jobs:
echo "Removing $dir" echo "Removing $dir"
rm -rf "$dir" || { rm -rf "$dir" || {
echo "Local rm failed, falling back to docker (root) cleanup for $dir..." echo "Local rm failed, falling back to docker (root) cleanup for $dir..."
docker run --rm -v "$dir":/target alpine:3 sh -lc 'rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true; rmdir /target || true' || true docker run --rm -v "$dir":/target alpine:3 sh -lc 'chown -R 1000:1000 /target 2>/dev/null || true; chmod -R u+rwX /target 2>/dev/null || true; rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true' || true
rmdir "$dir" 2>/dev/null || true rm -rf "$dir" 2>/dev/null || rmdir "$dir" 2>/dev/null || true
} }
done done
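Review bot: The new fallback in this hunk (and its identical copy in the hunk at -247) hard-codes `chown -R 1000:1000 /target`, so the host-side `rm -rf "$dir" 2>/dev/null || rmdir "$dir"` that follows only succeeds when the runner user happens to be uid 1000. Passing the real ids into the container keeps the fallback portable while preserving the best-effort behaviour: `docker run --rm -e OWNER="$(id -u):$(id -g)" -v "$dir":/target alpine:3 sh -lc 'chown -R "$OWNER" /target 2>/dev/null || true; chmod -R u+rwX /target 2>/dev/null || true; rm -rf /target/* /target/.[!.]* /target/..?* 2>/dev/null || true' || true`. The two cleanup loops are now byte-identical, and the `pnpm config set store-dir` change is likewise applied twice (hunks at -334 and -359), so a shared script or composite action would stop the copies drifting apart on the next fix. The `docker run` lines that precede the `node:20-bullseye` image lines in those two hunks begin above the hunks, so whether they pass `--user` cannot be seen here; if they still run as root, the pnpm store under `PNPM_STORE_DIR` will keep ending up root-owned on the host and this fallback will keep being exercised.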


@ -4,6 +4,8 @@ version: "3.8"
services: services:
web: web:
image: node:20-bullseye image: node:20-bullseye
# Run as non-root to avoid creating root-owned files on host mounts
user: "1000:1000"
working_dir: /app working_dir: /app
command: > command: >
bash -lc "bash /app/scripts/start-web.sh" bash -lc "bash /app/scripts/start-web.sh"
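Review bot: `user: "1000:1000"` bakes the host runner's uid/gid into the compose file, so on a runner whose checkout is owned by a different uid the container can no longer write under the `/app` mount, the mirror image of the failure this line fixes. Compose substitutes from the shell environment, so `user: "${HOST_UID:-1000}:${HOST_GID:-1000}"` together with `export HOST_UID=$(id -u) HOST_GID=$(id -g)` in the step that invokes compose keeps the current default while following the actual owner. It is worth recording the assumption in the comment above the line, e.g. `# Must match the host user owning the bind mounts; the node image's built-in 'node' user is also uid 1000, so bash -l still finds a passwd entry and HOME`. The web service's `volumes:` block is outside this hunk, so which host paths are affected cannot be confirmed from here.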