cinny: harden + version-control the webhook web-deploy (lotus_deploy.sh)
Lint / Python (ruff) (push) Successful in 21s
Lint / Python deps (pip-audit) (push) Successful in 50s
Lint / Secret scan (gitleaks) (push) Successful in 7s
Lint / Shell (shellcheck) (push) Failing after 14s
Lint / JS (eslint) (push) Successful in 24s

The live /usr/local/bin/lotus_deploy.sh (the `lotus-deploy` webhook target) was
never under version control and had rotted into two deploy-killing bugs that
froze chat.lotusguild.org on an old build:

1. CI gate: it waited on the WHOLE workflow run with a 15-min cap. Web CI shares
   the single act_runner with the slow Tauri desktop builds, so a web run could
   sit queued >15 min -> "result: timeout" -> deploy aborted. Now it gates only
   on the "Build & Quality Checks" commit-status context (build + unit tests),
   decoupled from "Trigger Desktop Build", and waits up to 45 min.

2. Dead element-call copy: `cp node_modules/@element-hq/element-call-embedded/...`
   under `set -e` aborted every deploy after the widget was forked to
   @lotusguild/element-call-embedded. The build already emits dist/public/
   element-call; replaced the copy with a presence check.

Also: rsync now excludes config.json so the app deploy stops clobbering the
production runtime config (homeserver list / allowCustomHomeservers) that the
matrix repo owns. lxc106-cinny.sh now installs this script (syntax-checked).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 18:10:10 -04:00
parent d6fd323262
commit c13549f3da
2 changed files with 146 additions and 3 deletions
+23 -3
@@ -1,8 +1,8 @@
#!/bin/bash
# Auto-deploy script for LXC 106 (cinny)
# Handles: cinny/config.json, cinny/nginx.conf, cinny/upstream-check.sh,
# cinny/lotus-build.sh, deploy/hooks-lxc106.json,
# systemd/cinny-upstream-check.cron
# cinny/lotus-build.sh, cinny/lotus_deploy.sh,
# deploy/hooks-lxc106.json, systemd/cinny-upstream-check.cron
# Triggered by: Gitea webhook on push to main
set -euo pipefail
@@ -15,7 +15,7 @@ echo "=== $(date) === LXC106 deploy triggered ==="
if [ ! -d "$REPO_DIR/.git" ]; then
git clone "$CLONE_URL" "$REPO_DIR"
CHANGED="cinny/config.json cinny/nginx.conf cinny/upstream-check.sh cinny/lotus-build.sh deploy/hooks-lxc106.json systemd/cinny-upstream-check.cron"
CHANGED="cinny/config.json cinny/nginx.conf cinny/upstream-check.sh cinny/lotus-build.sh cinny/lotus_deploy.sh deploy/hooks-lxc106.json systemd/cinny-upstream-check.cron"
else
cd "$REPO_DIR"
git fetch --all
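Review bot: the fresh-clone `CHANGED` value is a single space-separated line, but the install blocks test it with line-anchored patterns such as `grep -q '^cinny/lotus_deploy.sh'`. On a first clone only the leading `cinny/config.json` entry can match `^`, so the newly listed `cinny/lotus_deploy.sh` would never trigger its install block, unless `CHANGED` is split into lines in code outside the visible hunks. Suggest building the clone-path list with one path per line, or replacing the `^` anchor with a whole-word match.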
@@ -63,6 +63,26 @@ if echo "$CHANGED" | grep -q '^cinny/lotus-build.sh'; then
echo "✓ lotus-build.sh deployed"
fi
if echo "$CHANGED" | grep -q '^cinny/lotus-deploy.sh'; then
echo "Deploying lotus-deploy.sh..."
cp "$REPO_DIR/cinny/lotus-deploy.sh" /usr/local/bin/cinny-deploy.sh
chmod +x /usr/local/bin/cinny-deploy.sh
echo "✓ lotus-deploy.sh deployed"
fi
if echo "$CHANGED" | grep -q '^cinny/lotus_deploy.sh'; then
echo "Deploying lotus_deploy.sh (webhook CI-gated web deploy)..."
# The `lotus-deploy` webhook hook executes /usr/local/bin/lotus_deploy.sh.
# Validate syntax before swapping so a broken script can never wedge deploys.
if bash -n "$REPO_DIR/cinny/lotus_deploy.sh"; then
cp "$REPO_DIR/cinny/lotus_deploy.sh" /usr/local/bin/lotus_deploy.sh
chmod +x /usr/local/bin/lotus_deploy.sh
echo "✓ lotus_deploy.sh deployed"
else
echo "✗ bash -n FAILED on lotus_deploy.sh — skipping install"
fi
fi
if echo "$CHANGED" | grep -q '^deploy/hooks-lxc106.json'; then
echo "Deploying hooks-lxc106.json..."
cp "$REPO_DIR/deploy/hooks-lxc106.json" /etc/webhook/hooks.json
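Review bot: the first block in this hunk keys on `cinny/lotus-deploy.sh` (hyphen) and installs to `/usr/local/bin/cinny-deploy.sh`, while the header comment, the clone-path `CHANGED` list and the block right after it all name `cinny/lotus_deploy.sh` (underscore) with target `/usr/local/bin/lotus_deploy.sh`, and it has no `bash -n` gate. If the hyphenated file is not in the repo, drop that block; if it is, add it to the header and `CHANGED` list and give it the same syntax check. In the second block, `cp` writes over the live webhook target in place and `chmod` follows as a separate step, so a hook that fires mid-copy can execute a partially written script; copying to a temporary file in `/usr/local/bin`, setting its mode, then renaming it over the target with `mv` makes the swap atomic. The `else` branch only echoes, so a rejected script is visible solely in the log; consider recording the failure and returning a non-zero status at the end of the run.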