From 6e635c32e4ce436dc67f76fa79c7cc748eb6f624 Mon Sep 17 00:00:00 2001 From: philipp Date: Wed, 1 Apr 2026 01:19:25 +0200 Subject: [PATCH] Harden deploy runner checkout --- .forgejo/workflows/deploy.yml | 23 ++++++++++++++++++----- README.md | 2 ++ src/bus/kafka/producer.mjs | 2 ++ 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml index 87b0b24..f57fa57 100644 --- a/.forgejo/workflows/deploy.yml +++ b/.forgejo/workflows/deploy.yml @@ -40,6 +40,13 @@ jobs: echo "missing git/kubectl and no supported package manager found" >&2 exit 1 + - name: Prepare workspace + run: | + workspace_root="${RUNNER_TEMP:-/tmp}" + workspace_dir="$(mktemp -d "${workspace_root%/}/unrip-deploy-XXXXXX")" + echo "WORKSPACE_DIR=$workspace_dir" >> "$GITHUB_ENV" + echo "runner workspace: $workspace_dir" + - name: Load kubeconfig run: | mkdir -p "$HOME/.kube" @@ -50,10 +57,16 @@ jobs: env: REPO_TOKEN: ${{ github.token }} run: | - git -c credential.username=oauth2 -c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}" clone --depth=1 "${REPO_CLONE_URL}" /workspace - cd /workspace - git -c credential.username=oauth2 -c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}" fetch --depth=1 origin "${GITHUB_SHA}" - git checkout --detach "${GITHUB_SHA}" + git -c credential.username=oauth2 -c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}" clone --depth=1 "${REPO_CLONE_URL}" "$WORKSPACE_DIR" + cd "$WORKSPACE_DIR" + current_sha="$(git rev-parse HEAD)" + if [ "$current_sha" != "$GITHUB_SHA" ]; then + git -c credential.username=oauth2 -c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}" fetch --depth=1 origin "${GITHUB_SHA}" + git checkout --detach "${GITHUB_SHA}" + else + git checkout --detach "$current_sha" + fi + git rev-parse HEAD - name: Resolve deployment settings run: | 
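Review bot: The directory created by `mktemp -d` in the new "Prepare workspace" step is never removed in the lines shown, so every run leaves a full checkout of the repository behind under `$RUNNER_TEMP` or `/tmp`. If no later step outside this patch already removes it, add a final step such as `- name: Clean workspace` with `if: always()` and `run: rm -rf "${WORKSPACE_DIR:?}"`; the `:?` form makes the step fail with a message when the variable is unset. The same guard would suit the `kubectl apply -k "$WORKSPACE_DIR/deploy/k8s/base"` line in the later hunk, which otherwise resolves to `/deploy/k8s/base` if the variable is missing.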
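Review bot: The bearer token is still passed on the git command line in the rewritten `clone` and `fetch` lines (`-c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}"`), so it can be read from the process list by anything else running on the runner host while git runs. Git 2.31 and later accept the same setting from the environment, so the step's `env:` could carry `GIT_CONFIG_COUNT: "1"`, `GIT_CONFIG_KEY_0: http.extraHeader` and `GIT_CONFIG_VALUE_0: "Authorization: Bearer ${{ github.token }}"`, and the `-c http.extraHeader=…` arguments could then be dropped; the git version installed by the earlier step is not visible here, so confirm it first. The closing `git rev-parse HEAD` only prints the commit; replacing it with `[ "$(git rev-parse HEAD)" = "$GITHUB_SHA" ] || exit 1` would make the step fail if the checked-out tree is ever not the one being deployed. The step's `- name:` line lies above the hunk.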
@@ -66,7 +79,7 @@ jobs: - name: Apply manifests run: | - kubectl apply -k /workspace/deploy/k8s/base + kubectl apply -k "$WORKSPACE_DIR/deploy/k8s/base" - name: Build and push image in-cluster env: diff --git a/README.md b/README.md index b38bdcc..c77d64a 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,8 @@ git push forgejo main - builds the image from this repo root inside the cluster with Kaniko - pushes it to the shared registry - rolls the `unrip` deployments +- uses a fresh temporary runner workspace on each run, so reruns do not require + manual cleanup on the Forgejo runner ### Observe rollout diff --git a/src/bus/kafka/producer.mjs b/src/bus/kafka/producer.mjs index 5405d12..3f07de0 100644 --- a/src/bus/kafka/producer.mjs +++ b/src/bus/kafka/producer.mjs @@ -1,6 +1,8 @@ import { Kafka, logLevel } from 'kafkajs'; import { serializeError } from '../../core/log.mjs'; +process.env.KAFKAJS_NO_PARTITIONER_WARNING ??= '1'; + function createKafka({ brokers = ['127.0.0.1:9092'], clientId = 'unrip' } = {}) { return new Kafka({ clientId,
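Review bot: The new `process.env.KAFKAJS_NO_PARTITIONER_WARNING ??= '1';` line changes process-wide state as a side effect of importing this module, and it carries no comment saying why. The warning it silences appears to be the KafkaJS notice about the changed default partitioner, so a reader should be told which partitioner the project relies on. Add a comment above it, for example `// Silence the KafkaJS default-partitioner notice unless the operator has set the variable.` Alternatively, pass `createPartitioner` explicitly where the producer is created, which is outside this hunk, so that no environment mutation is needed. `createKafka` continues past the end of the hunk.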