Validate step fails: build/index.html doesn't exist for adapter-node #12

New issue

Closed

opened 2026-04-30 12:12:24 +00:00 by forgejo_admin · 2 comments

forgejo_admin commented 2026-04-30 12:12:24 +00:00

Owner

Copy link

Type

Bug

Lineage

Discovered during the first manual Woodpecker pipeline run on forgejo_admin/westside-admin (pipeline #1, 2026-04-30). The webhook was installed ~5 min after #10/#11 merged, so no auto-build ever fired — the bug was latent until the manual trigger surfaced it.

Repo

forgejo_admin/westside-admin

What Broke

The validate step in .woodpecker.yaml runs test -f build/index.html as a post-build smoke check. That file is never produced by @sveltejs/adapter-node, which emits a Node server bundle (build/index.js, build/handler.js, build/server/, build/client/) instead of a static HTML entry. The index.html artifact would only exist under adapter-static.

Pipeline #1 logs:

+ npm ci          ok — 199 packages
+ npm run check   ok — svelte-check 0 errors, 0 warnings
+ npm run build   ok — vite SSR + client built; "Using @sveltejs/adapter-node done"
+ test -f build/index.html   exit 1

The SvelteKit build itself succeeds. The assertion is wrong for the chosen adapter.

Repro Steps

1. Trigger any pipeline on forgejo_admin/westside-admin@main (push or manual)
2. Observe: validate step fails at the test -f build/index.html line
3. build-and-push and update-kustomize-tag skip due to depends_on chain

Expected Behavior

The smoke check asserts on an artifact @sveltejs/adapter-node actually produces. Canonical choice: test -f build/index.js (the Node entry point started by node build).

Environment

• Repo: forgejo_admin/westside-admin@main at SHA 82ac5255a9
• Pipeline: forgejo_admin/westside-admin#1 (manual trigger, 2026-04-30)
• Adapter: @sveltejs/adapter-node
• Build image: node:22-alpine

Acceptance Criteria

• .woodpecker.yaml validate step asserts on an adapter-node artifact (build/index.js, optionally also build/handler.js)
• A fresh pipeline against main reaches the build-and-push step
• No regression in pull_request runs (validate still gates Kaniko)

Related

• westside-admin — project this affects
• forgejo_admin/westside-admin #11 — PR that introduced the bad smoke check
• pal-e-platform issue #321 — separate Woodpecker quoting bug (unrelated, but contemporaneous CI work)

### Type Bug ### Lineage Discovered during the first manual Woodpecker pipeline run on `forgejo_admin/westside-admin` (pipeline #1, 2026-04-30). The webhook was installed ~5 min after #10/#11 merged, so no auto-build ever fired — the bug was latent until the manual trigger surfaced it. ### Repo `forgejo_admin/westside-admin` ### What Broke The `validate` step in `.woodpecker.yaml` runs `test -f build/index.html` as a post-build smoke check. That file is never produced by `@sveltejs/adapter-node`, which emits a Node server bundle (`build/index.js`, `build/handler.js`, `build/server/`, `build/client/`) instead of a static HTML entry. The `index.html` artifact would only exist under `adapter-static`. Pipeline #1 logs: ``` + npm ci ok — 199 packages + npm run check ok — svelte-check 0 errors, 0 warnings + npm run build ok — vite SSR + client built; "Using @sveltejs/adapter-node done" + test -f build/index.html exit 1 ``` The SvelteKit build itself succeeds. The assertion is wrong for the chosen adapter. ### Repro Steps 1. Trigger any pipeline on `forgejo_admin/westside-admin@main` (push or manual) 2. Observe: `validate` step fails at the `test -f build/index.html` line 3. `build-and-push` and `update-kustomize-tag` skip due to `depends_on` chain ### Expected Behavior The smoke check asserts on an artifact `@sveltejs/adapter-node` actually produces. Canonical choice: `test -f build/index.js` (the Node entry point started by `node build`). ### Environment - Repo: `forgejo_admin/westside-admin@main` at SHA `82ac5255a9` - Pipeline: `forgejo_admin/westside-admin#1` (manual trigger, 2026-04-30) - Adapter: `@sveltejs/adapter-node` - Build image: `node:22-alpine` ### Acceptance Criteria - [ ] `.woodpecker.yaml` `validate` step asserts on an adapter-node artifact (`build/index.js`, optionally also `build/handler.js`) - [ ] A fresh pipeline against `main` reaches the `build-and-push` step - [ ] No regression in `pull_request` runs (validate still gates Kaniko) ### Related - `westside-admin` — project this affects - `forgejo_admin/westside-admin #11` — PR that introduced the bad smoke check - pal-e-platform issue #321 — separate Woodpecker quoting bug (unrelated, but contemporaneous CI work)

forgejo_admin commented 2026-04-30 12:17:39 +00:00

Author

Owner

Copy link

Scope Review: APPROVED

Review note: review-1117-2026-04-30

Single-line bug fix. File targets verified at SHA 82ac5255a9 (.woodpecker.yaml line 33 = test -f build/index.html; svelte.config.js confirms adapter-node; package.json start script already targets build/index.js). Traceability complete: story admin-row-crud listed on project-westside-admin, arch note arch-ci-pipeline exists. Blast radius: westside-admin is the only sibling with this bug (westside-app uses adapter-static and is correctly asserting index.html; other adapter-node repos have no smoke check). 3 AC all mechanically verifiable. ~1 min agent work, no decomposition needed.

Ready to advance backlog -> todo.

## Scope Review: APPROVED Review note: `review-1117-2026-04-30` Single-line bug fix. File targets verified at SHA `82ac5255a9` (`.woodpecker.yaml` line 33 = `test -f build/index.html`; `svelte.config.js` confirms adapter-node; `package.json` `start` script already targets `build/index.js`). Traceability complete: story `admin-row-crud` listed on `project-westside-admin`, arch note `arch-ci-pipeline` exists. Blast radius: westside-admin is the only sibling with this bug (westside-app uses adapter-static and is correctly asserting `index.html`; other adapter-node repos have no smoke check). 3 AC all mechanically verifiable. ~1 min agent work, no decomposition needed. Ready to advance backlog -> todo.

forgejo_admin referenced this issue from a commit 2026-04-30 12:20:50 +00:00

ci: assert on adapter-node artifacts in validate smoke check

forgejo_admin referenced this issue from a pull request that will close it, 2026-04-30 12:21:38 +00:00

ci: assert on adapter-node artifacts in validate smoke check #13

forgejo_admin closed this issue 2026-04-30 12:26:39 +00:00

forgejo_admin commented 2026-04-30 12:36:43 +00:00

Author

Owner

Copy link

Validation: PARTIAL

Tiers executed: Tier 3 (production)
Validation note: validation-12-2026-04-30
9 checks: 5 PASS, 1 PARTIAL, 3 FAIL

Ticket-level ACs all PASS (the PR fixed exactly what it set out to fix):

• AC1 — .woodpecker.yaml validate now asserts on build/index.js + build/handler.js (verified in pipeline #3 + #2 logs)
• AC2 — push pipeline #3 reaches build-and-push and update-kustomize-tag (all 4 steps green)
• AC3 — pull_request pipeline #2 stops cleanly after validate; Kaniko correctly skipped per when: branch: main

Deploy chain now works end-to-end for the first time:

• Image in Harbor: harbor.tail5b443a.ts.net/westside-admin/app:803e9439... pushed at 12:27:11Z
• pal-e-deployments auto-commit 576eacacde bumped overlays/westside-admin/prod newTag away from the 40-zeros placeholder
• ArgoCD synced to revision 576eacac with operation phase Succeeded

Production readiness blocker (discovered scope, NOT a regression):
The westside-admin deployment is 0/1 ready because the namespace is labeled pod-security.kubernetes.io/enforce: restricted (with enforce-version: latest) but neither bases/standard/deployment.yaml nor overlays/westside-admin/prod/deployment-patch.yaml set the required securityContext fields:

• allowPrivilegeEscalation: false
• capabilities.drop: ["ALL"]
• runAsNonRoot: true
• seccompProfile.type: RuntimeDefault

This was previously masked by the placeholder image tag (0000...0000) keeping the deploy in ImagePullBackOff before it ever reached the PSA admission controller. Sister namespace westside-streamlit has the same PSA label and the same problem (0 pods running). Other prod namespaces have no PSA enforcement.

External funnel https://westside-admin.tail5b443a.ts.net/ returns 502 (no backend pod). /health connection drops.

Recommend a follow-up issue against pal-e-deployments to add securityContext to bases/standard/deployment.yaml (preferred — also unblocks westside-streamlit) or as an overlay-specific patch.

Issue #12 itself remains correctly closed — the validate-step bug is fixed. The bootstrap goal of westside-admin serving traffic is gated on the separate PSA fix.

## Validation: PARTIAL Tiers executed: Tier 3 (production) Validation note: `validation-12-2026-04-30` 9 checks: 5 PASS, 1 PARTIAL, 3 FAIL **Ticket-level ACs all PASS** (the PR fixed exactly what it set out to fix): - AC1 — `.woodpecker.yaml` validate now asserts on `build/index.js` + `build/handler.js` (verified in pipeline #3 + #2 logs) - AC2 — push pipeline #3 reaches `build-and-push` and `update-kustomize-tag` (all 4 steps green) - AC3 — pull_request pipeline #2 stops cleanly after validate; Kaniko correctly skipped per `when: branch: main` **Deploy chain now works end-to-end for the first time:** - Image in Harbor: `harbor.tail5b443a.ts.net/westside-admin/app:803e9439...` pushed at 12:27:11Z - pal-e-deployments auto-commit `576eacacde` bumped `overlays/westside-admin/prod` newTag away from the 40-zeros placeholder - ArgoCD synced to revision `576eacac` with operation phase `Succeeded` **Production readiness blocker (discovered scope, NOT a regression):** The `westside-admin` deployment is 0/1 ready because the namespace is labeled `pod-security.kubernetes.io/enforce: restricted` (with `enforce-version: latest`) but neither `bases/standard/deployment.yaml` nor `overlays/westside-admin/prod/deployment-patch.yaml` set the required securityContext fields: - `allowPrivilegeEscalation: false` - `capabilities.drop: ["ALL"]` - `runAsNonRoot: true` - `seccompProfile.type: RuntimeDefault` This was previously masked by the placeholder image tag (`0000...0000`) keeping the deploy in `ImagePullBackOff` before it ever reached the PSA admission controller. Sister namespace `westside-streamlit` has the same PSA label and the same problem (0 pods running). Other prod namespaces have no PSA enforcement. External funnel `https://westside-admin.tail5b443a.ts.net/` returns 502 (no backend pod). `/health` connection drops. Recommend a follow-up issue against `pal-e-deployments` to add securityContext to `bases/standard/deployment.yaml` (preferred — also unblocks `westside-streamlit`) or as an overlay-specific patch. Issue #12 itself remains correctly closed — the validate-step bug is fixed. The bootstrap goal of westside-admin serving traffic is gated on the separate PSA fix.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/westside-admin#12

No description provided.