From 4fb3e568fb0cf02021807b7cdf5992a6109bc31b Mon Sep 17 00:00:00 2001 From: Dakera Ops Date: Fri, 12 Jun 2026 06:37:45 +0000 Subject: [PATCH 1/3] fix(deploy): remove stale container before recreate to prevent naming conflict MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When docker compose --force-recreate runs on a container with an explicit container_name, Docker can fail with "name already in use" if the compose project-hash internal alias conflicts with the existing container registration. Fix: explicitly docker rm -f the dakera container before compose up so there is no stale name entry to collide with. Root cause of DAK-6541: v0.11.90 deploy failed with "/fdbaa06c2bb4_dakera is already in use" — production was on v0.11.89, container was already created by compose during the failed run, leaving a stale registration. v0.11.90 was already healthy post-failure; this PR prevents recurrence. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/deploy-production.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index a7d7c00..09e33fc 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -91,6 +91,9 @@ jobs: COMPOSE_DIR=$(docker inspect "$CONTAINER" --format '{{ index .Config.Labels "com.docker.compose.project.working_dir" }}' 2>/dev/null || echo "") if [ -n "$COMPOSE_DIR" ] && [ -d "$COMPOSE_DIR" ]; then cd "$COMPOSE_DIR" + # Remove stale container before recreate to prevent Docker naming conflicts + # (container_name + compose project-hash alias can collide on --force-recreate) + docker rm -f dakera 2>/dev/null || true # Force-recreate minio so new resource limits (cpus/memory) take effect DAKERA_IMAGE=ghcr.io/dakera-ai/dakera:${{ inputs.version }} docker compose up -d --force-recreate minio minio-setup dakera else 
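Review bot: The added `docker rm -f dakera` removes the running production container before anything has confirmed that the image for the new version can be pulled, so a failed `docker compose up` (bad tag, registry outage) now leaves no dakera container at all, where the old one would probably have kept serving. Running `docker compose pull dakera` with the same `DAKERA_IMAGE=` assignment ahead of the `rm` narrows that window. The `2>/dev/null || true` suffix hides real daemon errors along with the expected "no such container", and the name is hard-coded even though the script already holds a container name in `"$CONTAINER"` (its assignment is outside the hunk, so confirm it is the same container). The unchanged `docker compose up` line expands `${{ inputs.version }}` directly into the script text; passing it through the step's `env:` and using a quoted shell variable keeps a malformed value from being parsed as shell. The enclosing `run:` script starts and ends outside the hunk.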
From 71646feb49b2ac31e08585eef4d9f0fd14dd5fe7 Mon Sep 17 00:00:00 2001 From: Dakera Ops Date: Fri, 12 Jun 2026 10:17:13 +0000 Subject: [PATCH 2/3] fix(ci): add GHCR login before hadolint on self-hosted ARM runner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit hadolint/hadolint-action@v3.3.0 pulls ghcr.io/hadolint/hadolint:v2.14.0-debian at build time. Self-hosted ARM runners lack ambient GHCR auth — the action fails with 403 Forbidden even though the workflow has packages:read permission. Fix: explicit docker/login-action@v3 step before hadolint using GITHUB_TOKEN. This is a permanent infra fix, not a flake workaround. Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 463838f..623d647 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,6 +21,13 @@ jobs: steps: - uses: actions/checkout@v6 + - name: Log in to GHCR (needed for hadolint container image on self-hosted runner) + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Validate docker-compose.yml env: DAKERA_ROOT_API_KEY: ci-validation-placeholder From cd3257bc43843de234278a86e2754a247f36296d Mon Sep 17 00:00:00 2001 
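Review bot: `docker/login-action@v3` is handed `secrets.GITHUB_TOKEN` but is referenced by a mutable tag, so whatever code that tag points to at run time receives the token on the self-hosted runner. Pinning to a full commit SHA, `uses: docker/login-action@<full-commit-sha>  # v3`, fixes which code sees the credential. Because the runner is self-hosted, also confirm that the action's post-job logout runs there; if it does not, the token stays in the runner's Docker config after the job. Whether the runner is ephemeral is not visible here. The job's `permissions:` block is outside the hunk, so the `packages: read` scope mentioned in the commit message cannot be checked from these lines.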
From: Dakera Ops Date: Fri, 12 Jun 2026 10:19:01 +0000 Subject: [PATCH 3/3] fix(ci): run Dockerfile validation on GitHub-hosted runner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit hadolint/hadolint-action@v3.3.0 needs to pull ghcr.io/hadolint/hadolint via BuildKit. Self-hosted ARM runners lack the ambient GHCR credentials that BuildKit requires — explicit docker/login-action does not help because BuildKit uses its own credential store separate from the Docker CLI daemon. GitHub-hosted (ubuntu-latest) runners have the ambient token that BuildKit can use for ghcr.io pulls. The validate job (docker-compose config + hadolint lint) is static analysis — it does not need ARM64 architecture. Co-Authored-By: Paperclip --- .github/workflows/ci.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 623d647..a27802a 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,17 +17,12 @@ permissions: jobs: validate: name: Validate Docker Configs - runs-on: [self-hosted, linux, arm64] + # GitHub-hosted: hadolint-action pulls ghcr.io/hadolint/hadolint which needs + # authenticated GHCR access; GitHub-hosted runners have ambient auth, self-hosted ARM do not. + runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - - name: Log in to GHCR (needed for hadolint container image on self-hosted runner) - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Validate docker-compose.yml env: DAKERA_ROOT_API_KEY: ci-validation-placeholder
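Review bot: The new comment above `runs-on: ubuntu-latest` records "ambient auth" as the reason for the move, which nothing in the hunk supports and which a later maintainer could take as grounds to move the job back once credentials are fixed. The commit message gives a sturdier reason, so the comment could read `# GitHub-hosted: static validation only (compose config + hadolint), no ARM64 needed; keeps this job off the persistent self-hosted runner.` The 403 on the self-hosted runner is worked around here rather than explained. One possible cause is stale registry credentials in that runner's Docker config, which would also affect any other job there that pulls from ghcr.io. The rest of the `validate` job's steps continue outside the hunk.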