Add deprecate-editions workflow; switch release to client-id#123
Open
bschwedler wants to merge 8 commits into
Open
Add deprecate-editions workflow; switch release to client-id#123bschwedler wants to merge 8 commits into
bschwedler wants to merge 8 commits into
Conversation
Replace `license-manager activate-file` with a direct file copy to `/var/lib/rstudio-connect/license.lic`. The `activate-file` command hard-rejects non-root callers (exit code 44), breaking pods configured with `runAsNonRoot: true`. Connect reads `*.lic` files from its data directory natively, so no license-manager invocation is needed. Also move `trap deactivate EXIT` inside the key and server license branches — file-based licenses have nothing to deactivate on shutdown. Mirrors the fix applied to rstudio-docker-products in June 2025 (commit d0eea7b).
If PCT_LICENSE_FILE_PATH points to a file already inside /var/lib/rstudio-connect/, the previous rm -f would delete it before cp could read it. Copy to a mktemp file first, then rm and mv, so the source is safely read regardless of its location.
If PCT_LICENSE_FILE_PATH already points to the destination (/var/lib/rstudio-connect/license.lic), skip the copy entirely. This avoids a redundant write when the license is pre-placed via a subPath volume mount directly into the data directory. Also removes the rm -f /var/lib/rstudio-connect/*.lic glob that preceded the copy. Writing to a mounted volume is unavoidable when the source is outside the data directory, but blanket-removing all *.lic files is destructive to any pre-placed files in that directory. With the copy now writing to a fixed filename (license.lic), the rm is unnecessary. Removes the mktemp intermediate since it was only needed to guard the source file from the rm -f step. With rm -f gone and the equality check ensuring source != destination, a direct cp is safe.
- Add echo to each license activation branch (key, server, file) - Add elif ls *.lic branch to detect pre-placed license files, matching PPM and rstudio-docker-products behavior - Replace specific filename equality check with dirname check so any *.lic file already inside /var/lib/rstudio-connect/ is treated as pre-placed (docs mandate no specific filename) - Extract _license_dir variable to avoid repeating the path
Writing a license file into a mounted volume pollutes shared persistent storage and causes race conditions in multi-pod deployments. Fail loudly with a clear error instead, directing users to mount the license Secret directly into the data directory via subPath.
Remove echo before license-manager key/server activation — silent success is fine, the failure from license-manager itself is the signal. Redirect remaining file-based license messages to stderr so they surface correctly in log aggregators and don't pollute stdout.
The actions/create-github-app-token action recommends client-id over the legacy app-id input. All three credential secrets (APP_ID, CLIENT_ID, PEM) are already provisioned; this switches to CLIENT_ID. Also adds a monthly deprecate-editions workflow that removes product editions older than 18 months and creates a PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a scheduled workflow that runs on the 1st of each month and creates a PR to remove product editions older than 18 months (per the Posit supported-versions policy). This stops those editions from being built going forward — it does not remove any already-published images from Docker Hub or GHCR.
Also switches the release workflow from the legacy
app-idGitHub App input toclient-id, as recommended byactions/create-github-app-token.Depends on posit-dev/images-shared being merged first.