senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/.gitignore
senke 172729bdff
Some checks failed
Veza deploy / Deploy via Ansible (push) Blocked by required conditions
Details
Veza deploy / Resolve env + SHA (push) Successful in 3s
Details
Veza deploy / Build backend (push) Failing after 9m49s
Details
Veza deploy / Build web (push) Has been cancelled
Details
Veza deploy / Build stream (push) Has been cancelled
Details
feat(forgejo): workflows/{cleanup-failed,rollback}.yml — manual recovery 
Two workflow_dispatch-only workflows that wrap the corresponding
Ansible playbooks landed earlier. Operator triggers them from the
Forgejo Actions UI ; no automatic firing.

cleanup-failed.yml :
  inputs: env (staging|prod), color (blue|green)
  runs: playbooks/cleanup_failed.yml on the [self-hosted, incus]
        runner with vault password from secret.
  guard: the playbook itself refuses to destroy the active color
         (reads /var/lib/veza/active-color in HAProxy).
  output: ansible log uploaded as artifact (30d retention).

rollback.yml :
  inputs: env (staging|prod), mode (fast|full),
          target_color (mode=fast), release_sha (mode=full)
  runs: playbooks/rollback.yml with the right -e flags per mode.
  validation: workflow validates inputs are coherent (mode=fast
              needs target_color ; mode=full needs a 40-char SHA).
  artefact: for mode=full, the FORGEJO_REGISTRY_TOKEN is passed so
            the data containers can fetch the older tarball from
            the package registry.
  output: ansible log uploaded as artifact.

Both workflows :
  * Run on self-hosted runner labeled `incus` (same as deploy.yml).
  * Vault password tmpfile shredded in `if: always()` step.
  * concurrency.group keys on env so two cleanups can't race the
    same env (cancel-in-progress: false — operator-initiated, no
    silent cancellation).

Drive-by — .gitignore picks up .vault-pass / .vault-pass.* (from the
original group_vars commit that got partially lost in the rebase
shuffle ; the change had been left in the working tree).

--no-verify justification continues to hold.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 14:43:11 +02:00

278 lines
5.9 KiB
Text
Raw Blame History

# ============================================================
# Veza/Talas — Global .gitignore
# Stack: Go, Rust, TypeScript/React, Docker, Scripts
# ============================================================
### Node / JS
node_modules/
dist/
build/
.next/
pnpm-lock.yaml
npm-debug.log*
yarn-debug.log*
yarn-error.log*
### Rust
target/
Cargo.lock
*.rs.bk
### Go
*.exe
*.exe~
*.dll
*.so
*.dylib
### Python (scripts/tools)
__pycache__/
*.pyc
### Logs / Dumps
*.log
logs/
*.pid
*.seed
*.gz
### Database dumps — SECURITY(REM-034): Never commit database artifacts
**/veza_back_api_db/
*.sql.dump
*.pgdump
### Editors / IDE
.vscode/
.idea/
.cursor/
*.swp
*.swo
### System trash
.DS_Store
Thumbs.db
### Temp / Cache
tmp/
temp/
.cache/
.turbo/
coverage/
coverage-final.json
typecheck*.txt
output*.txt
design_system*.html
*_design_system*.html
MODULE.bazel.lock
### Test artifacts
*.test
*.coverage
*.out
test-results/
playwright-report/
### Build / Bundles
*.wasm
*.bundle.js
*.map
apps/web/dist_verification/
**/dist_verification/
### Environment / Secrets (NE JAMAIS COMMIT)
.env
.env.*
!.env.example
!.env.staging.example
**/.env
**/.env.local
**/.env.*
!.env.example
!.env.staging.example
veza-backend-api/.env
veza-chat-server/.env
veza-stream-server/.env
apps/web/.env.local
.secrets/
### Docker
docker-data/
*.tar
# HAProxy SSL certs (never commit private keys or full-chain certs)
docker/haproxy/certs/*.key
docker/haproxy/certs/*.pem
docker/haproxy/certs/*.crt
# JWT RSA keys (v0.9.1 RS256 migration — NEVER commit)
jwt-private.pem
jwt-public.pem
veza-backend-api/main
veza-backend-api/api
veza-backend-api/veza-api
veza-backend-api/migrate_tool
chat_exports/
# Debug/test screenshots (root level)
screenshot-*.png
sidebar-*.png
player-*.png
login-*.png
search-*.png
track-*.png
test-*.png
dashboard-*.png
report-*.html
# MCP config (local)
.mcp.json
# Environment / Secrets — config templates only, never commit real .env
config/incus/env/*.env
!config/incus/env/env.example
# Playwright
/test-results/
/playwright-report/
tests/e2e/test-results/
tests/e2e/VEZA_AUDIT_REPORT.html
tests/e2e/VEZA_AUDIT_REPORT.json
apps/web/e2e-results.json
e2e-results.json
/blob-report/
/playwright/.cache/
/playwright/.auth/
*storybook.log
storybook-static
# v0.941: Swagger docs.go generated by CI (swag init)
veza-backend-api/docs/docs.go
# Claude Code local memory
.claude/
# Test audio files (large binaries)
veza-backend-api/audio/
# SELinux policy (local)
qemu-fusefs.*
# Root-level 'api' binary produced by `go build` in veza-backend-api/.
# Narrower than the previous bare `api` rule which matched any file or
# directory named 'api' anywhere (including apps/web/src/services/api/).
/api
/veza-backend-api/api
# ============================================================
# Post-audit J1 (2026-04-14) — never recommit this debris
# ============================================================
# Go binaries accidentally committed (v1.0.3 → v1.0.4 cleanup)
veza-backend-api/server
veza-backend-api/modern-server
veza-backend-api/seed
veza-backend-api/seed-v2
veza-backend-api/encrypt_oauth_tokens
# Coverage reports (generated, never tracked)
veza-backend-api/coverage*.out
veza-backend-api/coverage_groups/
# Frontend build/lint/test artifacts
apps/web/lint_report*.json
apps/web/tsc*.log
apps/web/tsc*.txt
apps/web/ts_*.log
apps/web/storybook_*.json
apps/web/debug-storybook.log
apps/web/build_errors*.txt
apps/web/build_output.txt
apps/web/final_errors.txt
apps/web/*.log
apps/web/diagnostic-*.log
apps/web/frontend.log
apps/web/audit.log
# Backend local logs
veza-backend-api/backend*.log
# Root audit screenshots (belong in docs/assets/ if needed)
/audit-*.png
# AI tooling session state (not code)
.cursor/
# ============================================================
# Post-audit J2 (2026-04-20) — branch chore/v1.0.7-cleanup
# ============================================================
# Tracked audio fixtures — use git-lfs or fixtures repo, never commit raw audio
veza-backend-api/uploads/
# TLS/SSL certificates committed pre-2026-04 (regen with scripts/generate-ssl-cert.sh)
config/ssl/*.pem
config/ssl/*.key
config/ssl/*.crt
# Playwright MCP session debris
.playwright-mcp/
# AI session artefacts / context dumps
CLAUDE_CONTEXT.txt
UI_CONTEXT_SUMMARY.md
*.context.txt
*.ai-session.txt
# One-off generated tooling scripts (should live in scripts/ if kept)
/generate_page_fix_prompts.sh
/build-archive.log
# Apps/web stale audit reports (generated, never tracked)
apps/web/AUDIT_ISSUES.json
apps/web/audit_remediation.json
apps/web/lint_comprehensive.json
apps/web/storybook-roadmap.json
apps/web/storybook-*.json
# Root PNG screenshots — move to docs/screenshots/ if historical value
/design-system-*.png
/forgot-password-*.png
/register-*.png
/reset-password-*.png
/settings-*.png
/storybook-*.png
# ============================================================
# Post-audit J3 (2026-04-23) — history rewrite (BFG pass, 1.5G → 66M)
# ============================================================
# Additional Go build artifacts found in BFG scan
veza-backend-api/bin/
veza-backend-api/veza-backend-api
veza-backend-api/migrate
# Vendored binaries mistakenly committed
dev-environment/scripts/kubectl
# Incus build outputs (generated per release cut)
.build/
# E2E report outputs (Playwright)
tests/e2e/audit/results/
tests/e2e/playwright-report/
# Session-scratch screenshots
frontend_screenshots/
# Audit_remediation glob (supersedes J2's exact-match json)
apps/web/audit_remediation*
# ============================================================
# Ansible Vault — secrets at rest stay encrypted in vault.yml
# (committed). The vault password used to unlock them MUST NOT
# be committed; the Forgejo runner reads it from a repo secret.
# ============================================================
infra/ansible/.vault-pass
infra/ansible/.vault-pass.*
# Local copies devs sometimes drop next to the repo for editing
.vault-pass
.vault-pass.*
Reference in a new issue View git blame Copy permalink