fix: fix: dispatcher cannot launch runner — docker compose context not available in edge container (#153) #155
1 changed files with 22 additions and 27 deletions
|
|
@ -9,7 +9,7 @@
|
|||
# 3. Verify TOML arrived via merged PR with admin merger (Forgejo API)
|
||||
# 4. Validate TOML using vault-env.sh validator
|
||||
# 5. Decrypt .env.vault.enc and extract only declared secrets
|
||||
# 6. Launch: docker compose run --rm runner <formula> <action-id>
|
||||
# 6. Launch: docker run --rm disinto-agents:latest <formula> <action-id>
|
||||
# 7. Write <action-id>.result.json with exit code, timestamp, logs summary
|
||||
#
|
||||
# Part of #76.
|
||||
|
|
@ -298,10 +298,8 @@ launch_runner() {
|
|||
local secrets_array
|
||||
secrets_array="${VAULT_ACTION_SECRETS:-}"
|
||||
|
||||
# Build command array (safe from shell injection)
|
||||
local -a cmd=(docker compose run --rm runner)
|
||||
|
||||
# Add environment variables for secrets (if any declared)
|
||||
# Build secret flags from TOML secrets array
|
||||
local secret_flags=""
|
||||
if [ -n "$secrets_array" ]; then
|
||||
for secret in $secrets_array; do
|
||||
secret=$(echo "$secret" | xargs)
|
||||
|
|
@ -312,42 +310,39 @@ launch_runner() {
|
|||
write_result "$action_id" 1 "Secret not found in vault: ${secret}"
|
||||
return 1
|
||||
fi
|
||||
cmd+=(-e "$secret")
|
||||
secret_flags="${secret_flags} -e ${secret}=${!secret}"
|
||||
fi
|
||||
done
|
||||
else
|
||||
log "Action ${action_id} has no secrets declared — runner will execute without extra env vars"
|
||||
fi
|
||||
|
||||
# Add formula and action id as arguments (after service name)
|
||||
local formula="${VAULT_ACTION_FORMULA:-}"
|
||||
cmd+=("$formula" "$action_id")
|
||||
# Build docker run command
|
||||
# Uses the disinto-agents image (same as agent containers)
|
||||
# Mounts Docker socket to spawn sibling containers
|
||||
local docker_cmd="docker run --rm \
|
||||
--name \"vault-runner-${action_id}\" \
|
||||
--network disinto_disinto-net \
|
||||
-e FORGE_URL=\"${FORGE_URL}\" \
|
||||
-e FORGE_TOKEN=\"${FORGE_TOKEN}\" \
|
||||
-e FORGE_REPO=\"${FORGE_REPO}\" \
|
||||
-e FORGE_OPS_REPO=\"${FORGE_OPS_REPO}\" \
|
||||
-e PRIMARY_BRANCH=\"${PRIMARY_BRANCH}\" \
|
||||
-e DISINTO_CONTAINER=1 \
|
||||
${secret_flags} \
|
||||
disinto-agents:latest \
|
||||
bash -c \"cd /home/agent/disinto && bash formulas/${VAULT_ACTION_FORMULA}.sh ${action_id}\""
|
||||
|
||||
# Log command skeleton (hide all -e flags for security)
|
||||
local -a log_cmd=()
|
||||
local skip_next=0
|
||||
for arg in "${cmd[@]}"; do
|
||||
if [[ $skip_next -eq 1 ]]; then
|
||||
skip_next=0
|
||||
continue
|
||||
fi
|
||||
if [[ "$arg" == "-e" ]]; then
|
||||
log_cmd+=("$arg" "<redacted>")
|
||||
skip_next=1
|
||||
else
|
||||
log_cmd+=("$arg")
|
||||
fi
|
||||
done
|
||||
log "Running: ${log_cmd[*]}"
|
||||
log "Running: docker run (secrets redacted)"
|
||||
|
||||
# Create temp file for logs
|
||||
local log_file
|
||||
log_file=$(mktemp /tmp/dispatcher-logs-XXXXXX.txt)
|
||||
trap 'rm -f "$log_file"' RETURN
|
||||
|
||||
# Execute with array expansion (safe from shell injection)
|
||||
# Execute docker run command
|
||||
# Capture stdout and stderr to log file
|
||||
"${cmd[@]}" > "$log_file" 2>&1
|
||||
eval "$docker_cmd" > "$log_file" 2>&1
|
||||
local exit_code=$?
|
||||
|
||||
# Read logs summary
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue