Commit Graph

4 Commits

Author SHA1 Message Date
Marc Chan
7abb7888df fix(deploy): align Docker defaults with GHCR releases (#4327)
* fix(deploy): align Docker defaults with GHCR releases

Generated-By: looper 0.9.9 (runner=worker, agent=opencode)

* fix(ci): publish stable Docker tags from release workflow

Generated-By: looper 0.9.9 (runner=fixer, agent=opencode)

* fix(ci): fold reusable workflow guard expression

Generated-By: looper 0.9.9 (runner=fixer, agent=opencode)

* fix(ci): gate Docker release publish

Generated-By: looper 0.9.9 (runner=fixer, agent=opencode)

* fix(ci): publish stable Docker tags after release

Generated-By: looper 0.9.9 (runner=fixer, agent=opencode)

* fix(ci): guard Docker latest tag enable expression

Generated-By: looper 0.9.9 (runner=fixer, agent=opencode)

* fix(deploy): update Helm chart GHCR defaults

Generated-By: looper 0.9.9 (runner=fixer, agent=opencode)

* fix(ci): publish latest from release workflow inputs

Generated-By: looper 0.9.9 (runner=fixer, agent=opencode)
2026-06-17 12:25:18 +08:00
PerishFire
a0afc584bb [codex] centralize daemon data directory docs (#4222)
* docs: centralize daemon data directory contract

* fix(e2e): allow slower artifact consistency navigation

Generated-By: looper 0.9.5 (runner=fixer, agent=codex)

* docs: localize daemon data directory pointers

Generated-By: looper 0.9.5 (runner=fixer, agent=codex)

---------

Co-authored-by: Looper <looper@noreply.github.com>
2026-06-15 02:52:05 +00:00
Shivam
3f165b5498 docs(deploy): add Azure Container Instances guide (#3163)
* docs(deploy): add Azure Container Instances guide

* docs(deploy): clarify Azure proxy topology

* docs(deploy): keep Azure proxy streams unbuffered

---------

Co-authored-by: Shivam <shivam2931120@users.noreply.github.com>
2026-06-02 08:14:21 +00:00
Dhakshin V
484ec7c664 docs: add Alibaba Cloud (阿里云) deployment guide (#3275)
* docs: add Alibaba Cloud (阿里云) deployment guide

Adds docs/deployment/cloud/aliyun.md with:
- ECS single-machine deployment using the existing Docker Compose stack
- ACK (Kubernetes) reference manifest and multi-replica caveats
- Image acceleration setup via Alibaba Cloud Container Registry
- ICP filing (备案) overview for mainland China public hosting
- Common pitfalls and references to existing Docker / install-guide docs

Docs-only slice for #1025. Live ROS templates, one-click scripts, and
verification screenshots are out of scope here and tracked as follow-up
work in the issue.

* docs: fix ACK manifest reachability and OD_ALLOWED_ORIGINS alias

Address PerishCode review on PR #3275:

- The daemon defaults to OD_BIND_HOST=127.0.0.1 (apps/daemon/src/server.ts),
  so the readinessProbe and ClusterIP Service in the previous manifest could
  never reach the Pod. Add OD_BIND_HOST=0.0.0.0 + OD_API_TOKEN (required by
  the bound-API-token guard for non-loopback binds) and a kubectl secret step.

- The daemon reads OD_ALLOWED_ORIGINS, not OPEN_DESIGN_ALLOWED_ORIGINS.
  OPEN_DESIGN_* names are Compose-only aliases mapped in deploy/docker-compose.yml.
  Use OD_ALLOWED_ORIGINS for the direct-container ACK path and call out both
  names in the network-exposure section and the pitfalls table.

Also adds an Ingress / Bearer-token note for operators fronting the
Service externally.

* docs: document OD_API_TOKEN bearer-token forwarding in Nginx block

PerishCode follow-up review on PR #3275:

The Path A Nginx block as written would 401 every UI call except the
three open probes (/api/health, /api/version, /api/daemon/status). Same
root cause as the ACK fix in 9d5f6ec — the auth model affects both paths,
not just direct-container deployments.

Verified against source:
- deploy/scripts/install.sh:386 always writes a generated OD_API_TOKEN
  into deploy/.env (no opt-out flag).
- deploy/docker-compose.yml:18 requires OD_API_TOKEN (Compose ? syntax)
  and binds OD_BIND_HOST=0.0.0.0, so the daemon-side bearer middleware
  is always active for the Compose path.
- apps/daemon/src/server.ts:3777 keys the loopback short-circuit on
  isLoopbackPeerAddress(req.socket?.remoteAddress) — the TCP peer, not
  X-Forwarded-For — so a reverse-proxied request from a Docker bridge
  IP never gets the localhost bypass.

Adds proxy_set_header Authorization to the Nginx block, a paragraph
explaining where OD_API_TOKEN comes from, and updates the pitfalls row
that previously only mentioned CORS to also list the missing-bearer
cause.
2026-06-02 05:53:06 +00:00