Charon/docs/plans/current_spec.md

CI Failure Investigation: GitHub Actions run 20318460213 (PR #469 SQLite corruption guardrails)

What failed

  • Workflow: Docker Build, Publish & Test → job build-and-push.
  • Step that broke: Verify Caddy Security Patches (CVE-2025-68156) attempted docker run ghcr.io/wikid82/charon:pr-420 and returned manifest unknown; the image never existed in the registry for PR builds.
  • Trigger: PR #469 “feat: add SQLite database corruption guardrails” on branch feature/beta-release.

Evidence collected

  • Downloaded and decompressed the run artifact Wikid82~Charon~V26M7K.dockerbuild (gzip → tar) and inspected the Buildx trace; no stage errors were present.
  • GitHub Actions log for the failing step shows the manifest lookup failure only; no Dockerfile build errors surfaced.
  • Local reproduction of the CI build command (BuildKit, --pull, --platform=linux/amd64) completed successfully through all stages.

Root cause

  • PR builds set push: false in the Buildx step, and the workflow did not load the built image locally.
  • The subsequent verification step pulls ghcr.io/wikid82/charon:pr-<number> from the registry even for PR builds; because the image was never pushed and was not loaded locally, the pull returned manifest unknown, aborting the job.
  • The Dockerfile itself and base images were not at fault.

Fix applied

  • Updated .github/workflows/docker-build.yml to load the image when the event is pull_request (load: ${{ github.event_name == 'pull_request' }}) while keeping push: false for PRs. This makes the locally built image available to the verification step without publishing it.
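The workflow shape described above, as an added illustration rather than the project's actual docker-build.yml: the Buildx step keeps push: false on pull requests but now loads the single-platform image into the runner's Docker daemon, so the later verification step resolves the tag locally instead of pulling from ghcr.io. The job layout, action versions, tag expression and the `caddy version` command used in the check are assumptions; only the load/push conditions and the image name come from the notes above.

```yaml
# Added example, not the project's own workflow file. Names of steps, action
# versions, and the verification command are assumptions made for illustration.
name: Docker Build, Publish & Test

on:
  pull_request:
  push:
    branches: [main]

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      # A BuildKit (docker-container) builder is required for `load:` to export
      # the result into the runner's local Docker daemon.
      - uses: docker/setup-buildx-action@v3

      # Registry credentials are only needed when the image is actually
      # published, i.e. on non-PR events. PR builds never authenticate to ghcr.io.
      - if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64   # load: only works for a single platform
          pull: true
          # Before the fix: push was false on PRs and nothing was loaded, so the
          # tag existed neither in the registry nor in the local daemon.
          push: ${{ github.event_name != 'pull_request' }}
          # After the fix: on PR events the built image is loaded locally, making
          # it runnable by later steps without ever being published.
          load: ${{ github.event_name == 'pull_request' }}
          # Tag expression is an assumption; falls back to 'local' on non-PR events.
          tags: ghcr.io/wikid82/charon:pr-${{ github.event.pull_request.number || 'local' }}

      # The verification step references the tag by name. For PRs Docker finds
      # it in the local daemon; the explicit inspect fails fast with a clear
      # message if neither a load nor a push made the image available.
      - name: Verify Caddy Security Patches (CVE-2025-68156)
        run: |
          IMAGE="ghcr.io/wikid82/charon:pr-${{ github.event.pull_request.number || 'local' }}"
          docker image inspect "$IMAGE" >/dev/null
          docker run --rm "$IMAGE" caddy version   # assumed check; the real step's command is not on this page
```

Keeping `push` and `load` as mutually exclusive expressions on `github.event_name` avoids the docker/build-push-action error raised when both are true, and it preserves the property the investigation wanted: untrusted PR builds never receive registry write credentials or publish an image.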

Validation

  • Local docker build: DOCKER_BUILDKIT=1 docker build --progress=plain --pull --platform=linux/amd64 . → success.
  • Backend coverage: scripts/go-test-coverage.sh → 85.6% coverage (pass, threshold 85%).
  • Frontend tests with coverage: scripts/frontend-test-coverage.sh → coverage 89.48% (pass).
  • TypeScript check: cd frontend && npm run type-check → pass.
  • Pre-commit: ran; check-version-match fails because .version (0.9.3) does not match latest Git tag v0.11.2 (pre-existing repository state). All other hooks passed.

Follow-ups / notes

  • The verification step now succeeds in PR builds because the image is available locally; no Dockerfile or .dockerignore changes were necessary.
  • If the version-mismatch hook needs to pass, align .version with the intended release tag or skip the hook on non-release branches; it was left unchanged here to avoid an unintended version bump.