ci(web): fix permission errors publishing to stable APP_DIR (docker chown+chmod, exclude .pnpm-store); runtime: use container-local PNPM store to avoid host writes

.github/workflows/ci-cd-web-desktop.yml

@@ -183,7 +183,12 @@ jobs:
           set -e
           DEST="$HOME/apps/sistema"
           mkdir -p "$DEST"
-          rsync -a --delete "$EFFECTIVE_APP_DIR"/ "$DEST"/
+          # One-time fix for old root-owned files (esp. .pnpm-store) left by previous containers
+          docker run --rm -v "$DEST":/target alpine:3 sh -lc 'chown -R 1000:1000 /target 2>/dev/null || true; chmod -R u+rwX /target 2>/dev/null || true' || true
+          # Publish new build; exclude .pnpm-store to avoid Permission denied on old entries
+          rsync -a --delete \
+            --exclude '.pnpm-store' --exclude '.pnpm-store/**' \
+            "$EFFECTIVE_APP_DIR"/ "$DEST"/
           echo "Published build to: $DEST"
 
       - name: Swarm deploy (stack.yml)

scripts/start-web.sh

@@ -13,6 +13,10 @@ corepack prepare pnpm@9 --activate >/dev/null 2>&1 || true
 echo "[start-web] Using APP_DIR=$(pwd)"
 echo "[start-web] NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL:-}"
 echo "[start-web] NEXT_PUBLIC_CONVEX_URL=${NEXT_PUBLIC_CONVEX_URL:-}"
+echo "[start-web] PNPM_STORE_DIR=${PNPM_STORE_DIR:-/tmp/pnpm-store}"
+
+# Ensure pnpm uses container-local store (not host bind mount)
+pnpm config set store-dir "${PNPM_STORE_DIR:-/tmp/pnpm-store}" >/dev/null 2>&1 || true
 
 # Prisma generate (idempotent) and apply DB migrations
 echo "[start-web] prisma generate"
@@ -27,4 +31,3 @@ pnpm auth:seed || true
 
 echo "[start-web] launching Next.js"
 exec pnpm start -p 3000
-

stack.yml

@@ -14,6 +14,7 @@ services:
       - sistema_db:/app/data
     environment:
       NODE_ENV: "production"
+      PNPM_STORE_DIR: "/tmp/pnpm-store"
       # Garante instalação de devDependencies para o build (prisma CLI)
       NPM_CONFIG_PRODUCTION: "false"
       # IMPORTANTE: "NEXT_PUBLIC_*" é consumida pelo navegador (cliente). Use a URL pública do Convex.