From a1cf56cdab49e4d6e57b61dda6501e8e7aaeb75f Mon Sep 17 00:00:00 2001
From: claude-ceo-assistant
Date: Sat, 23 May 2026 14:01:32 -0700
Subject: [PATCH] fix(ci): use writable Docker config for canvas publish

---
 .gitea/workflows/ci-arm64-advisory.yml | 2 +-
 .gitea/workflows/publish-canvas-image.yml | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/ci-arm64-advisory.yml b/.gitea/workflows/ci-arm64-advisory.yml
index 98e22b805..2520f7a47 100644
--- a/.gitea/workflows/ci-arm64-advisory.yml
+++ b/.gitea/workflows/ci-arm64-advisory.yml
@@ -101,7 +101,7 @@ jobs:
 # AND-set: only the Mac arm64 runner advertises macos-self-hosted.
 # See "RUNNER TARGETING" header note for why bare self-hosted is unsafe.
 runs-on: [self-hosted, macos-self-hosted]
- # ADVISORY: never blocks. See safety contract point 3.
+ # ADVISORY: never blocks. See safety contract point 3. mc#774
 continue-on-error: true
 # event_name gate: functional (only meaningful on push/PR) AND keeps
 # this job out of ci-required-drift.py:ci_job_names() so F1 can never
diff --git a/.gitea/workflows/publish-canvas-image.yml b/.gitea/workflows/publish-canvas-image.yml
index 627466aa0..12f37230d 100644
--- a/.gitea/workflows/publish-canvas-image.yml
+++ b/.gitea/workflows/publish-canvas-image.yml
@@ -73,6 +73,17 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+ # Keep Docker auth/buildx state inside the job temp dir. Publish
+ # runners can inherit a HOME/DOCKER_CONFIG path that is host-owned
+ # and not writable from the job container; docker login otherwise
+ # fails before the image build starts.
+ - name: Prepare writable Docker config
+ run: |
+ set -euo pipefail
+ export DOCKER_CONFIG="$RUNNER_TEMP/docker-config"
+ mkdir -p "$DOCKER_CONFIG/buildx/certs"
+ echo "DOCKER_CONFIG=$DOCKER_CONFIG" >> "$GITHUB_ENV"
+
 - name: Log in to ECR
 env:
 IMAGE_NAME: ${{ env.IMAGE_NAME }}
-- 
2.52.0
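Review bot: The new "Prepare writable Docker config" step in publish-canvas-image.yml creates the directory that the following "Log in to ECR" step will write registry credentials into (docker login stores them in config.json under DOCKER_CONFIG), but nothing in the hunk restricts its permissions or removes it when the job ends, and this workflow runs on self-hosted runners where whether RUNNER_TEMP is wiped between jobs is not visible here. I would tighten the directory at creation, `chmod 700 "$DOCKER_CONFIG"` right after the `mkdir -p` line, and add a final step with `if: always()` whose `run:` is `rm -rf "${DOCKER_CONFIG:-$RUNNER_TEMP/docker-config}"` so the token does not outlive the job. The `export` on the DOCKER_CONFIG assignment is unnecessary inside this script since nothing is exec'd before the variable is appended to GITHUB_ENV; a plain assignment reads more clearly. The step's comment could also say why `buildx/certs` is pre-created, since it is not obvious from the hunk. The enclosing job and its steps list begin before the hunk and continue after it.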