feat(3 U2.3): serve per-run artifacts at /runs/<id>/<file> (whitelisted, traversal-guarded) + bind-mount runs dir RO into dashboard

2026-05-31 07:12:32 +00:00
parent 6322065082
commit fa56f6bcaa
2 changed files with 50 additions and 0 deletions
--- a/nix/modules/dashboard.nix
+++ b/nix/modules/dashboard.nix
@ -37,8 +37,17 @@ let
          - CI_REPO=recipe-maintainers/cc-ci
          - DASH_LISTEN=0.0.0.0:8080
          - DRONE_TOKEN_FILE=/run/secrets/drone_token
+          - CCCI_RUNS_DIR=/var/lib/cc-ci-runs
        secrets:
          - drone_token
+        # Phase 3 (U2.3): the per-run artifacts (results.json, summary.png, screenshot.png, badge.svg)
+        # the runner writes under /var/lib/cc-ci-runs are bind-mounted READ-ONLY so the dashboard can
+        # serve them at /runs/<id>/<file>. Read-only: the dashboard never writes run artifacts.
+        volumes:
+          - type: bind
+            source: /var/lib/cc-ci-runs
+            target: /var/lib/cc-ci-runs
+            read_only: true
        networks:
          - proxy
        deploy: