From 945b29f317d32a08599644bdafee0eaf6a28b1fe Mon Sep 17 00:00:00 2001
From: Esdras Renan
Date: Thu, 16 Oct 2025 15:08:12 -0300
Subject: [PATCH] ci(web): fix permission errors publishing to stable APP_DIR (docker chown+chmod, exclude .pnpm-store); runtime: use container-local PNPM store to avoid host writes
---
 .github/workflows/ci-cd-web-desktop.yml | 7 ++++++-
 scripts/start-web.sh | 5 ++++-
 stack.yml | 1 +
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci-cd-web-desktop.yml b/.github/workflows/ci-cd-web-desktop.yml
index 08ea340..e6905d6 100644
--- a/.github/workflows/ci-cd-web-desktop.yml
+++ b/.github/workflows/ci-cd-web-desktop.yml
@@ -183,7 +183,12 @@ jobs:
 set -e
 DEST="$HOME/apps/sistema"
 mkdir -p "$DEST"
- rsync -a --delete "$EFFECTIVE_APP_DIR"/ "$DEST"/
+ # One-time fix for old root-owned files (esp. .pnpm-store) left by previous containers
+ docker run --rm -v "$DEST":/target alpine:3 sh -lc 'chown -R 1000:1000 /target 2>/dev/null || true; chmod -R u+rwX /target 2>/dev/null || true' || true
+ # Publish new build; exclude .pnpm-store to avoid Permission denied on old entries
+ rsync -a --delete \
+ --exclude '.pnpm-store' --exclude '.pnpm-store/**' \
+ "$EFFECTIVE_APP_DIR"/ "$DEST"/
 echo "Published build to: $DEST"
 - name: Swarm deploy (stack.yml)
diff --git a/scripts/start-web.sh b/scripts/start-web.sh
index b540e39..cc1a170 100644
--- a/scripts/start-web.sh
+++ b/scripts/start-web.sh
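Review bot: The added `docker run` line executes the floating tag `alpine:3` as root with `$DEST` bind-mounted read-write, so whatever image that tag resolves to at deploy time can rewrite the published application tree. Pin the image by digest, e.g. `alpine:3@sha256:<digest>` (placeholder), and pass the runner's own ids into the container (`-e OWNER="$(id -u):$(id -g)"` with `chown -R "$OWNER" /target`) instead of the hard-coded `1000:1000`, which is only right if the runner account happens to be uid 1000. Both inner commands and the outer `docker run` end in `|| true` with stderr discarded, so a failed repair is invisible and the following `rsync` then fails on the same permission error; logging a warning on failure would keep the cause visible. The comment says "One-time fix" although the line runs on every publish, and the `run:` block starts above the hunk.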
@@ -13,6 +13,10 @@ corepack prepare pnpm@9 --activate >/dev/null 2>&1 || true
 echo "[start-web] Using APP_DIR=$(pwd)"
 echo "[start-web] NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL:-}"
 echo "[start-web] NEXT_PUBLIC_CONVEX_URL=${NEXT_PUBLIC_CONVEX_URL:-}"
+echo "[start-web] PNPM_STORE_DIR=${PNPM_STORE_DIR:-/tmp/pnpm-store}"
+
+# Ensure pnpm uses container-local store (not host bind mount)
+pnpm config set store-dir "${PNPM_STORE_DIR:-/tmp/pnpm-store}" >/dev/null 2>&1 || true
 # Prisma generate (idempotent) and apply DB migrations
 echo "[start-web] prisma generate"
@@ -27,4 +31,3 @@ pnpm auth:seed || true
 echo "[start-web] launching Next.js"
 exec pnpm start -p 3000
-
diff --git a/stack.yml b/stack.yml
index b8ec919..0cd6f95 100644
--- a/stack.yml
+++ b/stack.yml
@@ -14,6 +14,7 @@ services:
 - sistema_db:/app/data
 environment:
 NODE_ENV: "production"
+ PNPM_STORE_DIR: "/tmp/pnpm-store"
 # Garante instalação de devDependencies para o build (prisma CLI)
 NPM_CONFIG_PRODUCTION: "false"
 # IMPORTANTE: "NEXT_PUBLIC_*" é consumida pelo navegador (cliente). Use a URL pública do Convex.
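Review bot: The added `pnpm config set store-dir … >/dev/null 2>&1 || true` discards any failure, so pnpm may keep using its previous store location while the `echo` just above still reports `/tmp/pnpm-store`. Keep the best-effort behaviour but surface it, e.g. `pnpm config set store-dir "${PNPM_STORE_DIR:-/tmp/pnpm-store}" >/dev/null 2>&1 || echo "[start-web] WARN: could not set pnpm store-dir" >&2`. The fallback is a fixed name under `/tmp`; if anything else in the container can write there, creating the directory up front with `mkdir -p` and `chmod 700` keeps another process from pre-creating it. The script continues above and below the hunk, so whether an install runs afterwards is not visible here.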
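Review bot: The new `PNPM_STORE_DIR` entry has no comment, unlike the entries that follow it, and its value repeats the fallback hard-coded in `scripts/start-web.sh`. A line such as `# pnpm store stays inside the container so installs never write to the host bind mount` above it would record why the path must stay off the mounted application directory. Because `/tmp` is not among the volumes visible in this hunk, the store is presumably rebuilt for every new task; that trade-off is worth stating as well if the start script installs packages at boot, which this hunk does not show.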