From bf41b18de9e4b259564d5d410e75486f627d39ca Mon Sep 17 00:00:00 2001
From: Molecule AI Infra Lead <infra-lead@agents.moleculesai.app>
Date: Wed, 13 May 2026 22:29:04 +0000
Subject: [PATCH] fix(ci): restore proper Docker daemon gate on
 publish-workspace-server-image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

main merged a fix (3206966e) that replaces the broken `Diagnose Docker
daemon access` step (|| true guards) with a proper `Verify Docker daemon
access` gate (docker info || { exit 1 }). The feature branch is still on
the old broken version — sync it.

mc#711: ubuntu-latest runners may lack a live Docker daemon. With the
old guards the step always succeeded even when Docker was inaccessible,
letting the build step hang for 4+ minutes before failing. The restored
gate fails in ~5s with an actionable error message.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../publish-workspace-server-image.yml        | 24 ++++++++++---------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/.gitea/workflows/publish-workspace-server-image.yml b/.gitea/workflows/publish-workspace-server-image.yml
index c73b9dd0..68b04e93 100644
--- a/.gitea/workflows/publish-workspace-server-image.yml
+++ b/.gitea/workflows/publish-workspace-server-image.yml
@@ -65,20 +65,22 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - name: Diagnose Docker daemon access
+      # Health check: verify Docker daemon is accessible before attempting any
+      # build steps. This fails loudly at step 1 when the runner's docker.sock
+      # is inaccessible rather than silently continuing where `docker build`
+      # fails deep in the process with a cryptic ECR auth error.
+      - name: Verify Docker daemon access
         run: |
           set -euo pipefail
-          echo "::group::Docker daemon diagnosis"
+          echo "::group::Docker daemon health check"
           echo "Runner: ${HOSTNAME:-unknown}"
-          echo "--- Socket info ---"
-          ls -la /var/run/docker.sock 2>/dev/null || echo "/var/run/docker.sock: not found"
-          stat /var/run/docker.sock 2>/dev/null || true
-          echo "--- User info ---"
-          id
-          echo "--- docker version ---"
-          docker version 2>&1 || true
-          echo "--- docker info (full) ---"
-          docker info 2>&1 || echo "docker info failed: exit $?"
+          docker info 2>&1 | head -5 || {
+            echo "::error::Docker daemon is not accessible at /var/run/docker.sock"
+            echo "::error::Runner: ${HOSTNAME:-unknown}"
+            echo "::error::Check: (1) daemon is running, (2) runner user is in docker group, (3) sock permissions are 660+"
+            exit 1
+          }
+          echo "Docker daemon OK"
           echo "::endgroup::"
 
       # Pre-clone manifest deps before docker build.