Commit graph

3 commits

Author SHA1 Message Date
senke
0af0a88f6d fix(ansible): newer ansible-core via pipx + raw-bootstrap python on targets
Two blockers after the runner gained incus admin and started reaching
the new data containers:

1. Debian apt's ansible-core (2.14) is below community.general's
   minimum, which logged "Collection community.general does not
   support Ansible version 2.14.18". runner-bake-deps.sh now installs
   ansible-core via pipx (latest stable) plus the required collections
   (community.general, community.postgresql, ansible.posix).

2. images:debian/13 — what the data containers are launched from —
   ships without python3, so every module call to a freshly-launched
   container hit "Failed to create temporary directory" / UNREACHABLE.
   Added a single bootstrap play (`hosts: veza_data`) that uses the
   raw module to install python3 + python3-apt before any other
   Configure-X play touches the targets.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 15:14:05 +02:00
senke
6c6f2d87fc fix(stream): vendor openssl for musl cross-compile + bake perl on runner
build-stream was failing on openssl-sys because the runner has glibc
libssl-dev but cargo cross-compiles to x86_64-unknown-linux-musl.
Adding `openssl = { features = ["vendored"] }` as a direct dep forces
openssl-src to build OpenSSL from source against musl, which feature-
unifies through reqwest's native-tls and any other openssl-sys consumer.

The vendored build needs perl + make at compile time — added them to
runner-bake-deps.sh. The runner already has build-essential for the C
compiler.

Note: the build-web "husky: not found" error in the same run looks
like a re-run of an old SHA, since main has `npm ci --ignore-scripts`
since d243c2e2. A fresh workflow_dispatch should clear it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 13:05:00 +02:00
senke
6bd5d33e71 fix(deploy): pre-bake runner OS deps + skip devDeps to dodge iltorb
The dpkg-lock thrashing — even with flock — was unwinnable: an unrelated
apt-get had been holding the host lock for >180s. Stop installing OS
packages from inside the workflow entirely; assume they're baked onto the
forgejo-runner container, fail loudly with a clear pointer if they're
missing.

scripts/bootstrap/runner-bake-deps.sh installs them all in one shot.

While here, fix the iltorb regression: --include=dev was dragging in
apps/web's bundlesize devDep, which transitively pulls iltorb (a
deprecated native node-gyp module that doesn't build on Node 20).
Moved style-dictionary to dependencies in @veza/design-system (it's a
build tool, needed by `npm run build:tokens` at deploy time, not a dev
tool), and the workflow now runs plain `npm ci` with NODE_ENV=production.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 10:43:28 +02:00