Add Arcane Docker Compose Deploy GitHub Action#1
Conversation
Adds a reusable GitHub Action that automatically deploys Docker Compose stacks to Arcane's container management platform via its GitOps sync API. Supports directory-based compose file discovery, explicit file lists, shared environment variables, and create-or-update semantics (no deletes). https://claude.ai/code/session_01PrmzWtCEcxJTMjxXje3ndd
The root README now has a brief entry matching the style of other actions, with a link to the full docs in .github/actions/arcane-deploy/README.md. https://claude.ai/code/session_01PrmzWtCEcxJTMjxXje3ndd
Triggered by: 420104a Workflow run: https://github.com/nsheaps/github-actions/actions/runs/22290862379
Review agents for simplicity, flexibility, security, and usability have completed. Remaining categories (documentation, patterns, best-practices, quality-assurance) are still running and will be added in a follow-up commit. https://claude.ai/code/session_01PrmzWtCEcxJTMjxXje3ndd
Triggered by: 166213a Workflow run: https://github.com/nsheaps/github-actions/actions/runs/22321183132
Triggered by: 877bd47 Workflow run: https://github.com/nsheaps/github-actions/actions/runs/22321202828
All 8 category reviews complete plus overall summary. https://claude.ai/code/session_01PrmzWtCEcxJTMjxXje3ndd
Triggered by: 2afd682 Workflow run: https://github.com/nsheaps/github-actions/actions/runs/22321236572
There was a problem hiding this comment.
⬇️ Superseded by v4 review — Original v1 review (69/100)
Structured 8-Category Review — Overall Score: 69/100 🚨
This review has been superseded by the v4 review which scores 90/100 with all 8 categories passing.
All findings from this review were addressed in subsequent iterations.
…docs Security (Critical): - C1: Move ::add-mask:: for API key to top of script, before any logging - C2: Add ::add-mask:: for git token immediately after assignment Security/Reliability (High): - H1: Mask env-var values, validate key format, reject newline injection - H2: Replace curl || true with proper transport error handling + timeouts - H3: Validate sync-interval is a positive integer before jq --argjson - H7: Add jq_extract_id() helper to guard against null/malformed API IDs Usability (High): - H4: Reject unsupported auth-type values (remove ssh until implemented) - H5: Validate git-token is required when auth-type is http (the default) - H6: Correct env-vars description — these are runner env vars, not container env Simplicity: - Deduplicate trigger-sync logic (was in both if/else branches) - Remove unnecessary auto_sync_val intermediate variable - Extract trim() and require_input() helper functions - Add comment explaining sync name dedup logic Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Triggered by: d556cfd Workflow run: https://github.com/nsheaps/github-actions/actions/runs/22332835231
There was a problem hiding this comment.
⬇️ Superseded by v4 review — Original v2 review (85/100)
Re-Review (v2): Overall Score 85/100 (up from 69)
This review has been superseded by the v4 review which scores 90/100 with all 8 categories passing.
Remaining findings from this review were addressed in v3 and v4.
| while IFS= read -r -d '' file; do | ||
| local rel_path="${file#"${GITHUB_WORKSPACE:-.}/"}" | ||
| files+=("${rel_path}") | ||
| done < <(find "${search_dir}" -maxdepth 2 -type f \( \ |
There was a problem hiding this comment.
N3 (Medium): jq and curl runtime dependencies undeclared/unguarded
Both are required but no pre-flight check exists. On self-hosted or container runners, a missing jq or curl produces an obscure error deep in execution.
Fix (add near top of script):
for cmd in curl jq; do
command -v "${cmd}" >/dev/null 2>&1 || {
log_error "Required dependency '${cmd}' is not installed"
exit 1
}
doneReported in: Pattern Matching
- Validate auto-sync is 'true' or 'false' before passing to jq --argjson - Reject arcane-url values that don't use HTTPS - Document maxdepth 2 scan limit in compose-dir descriptions (action.yml, README) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Triggered by: 11bdea1 Workflow run: https://github.com/nsheaps/github-actions/actions/runs/22333108862
There was a problem hiding this comment.
⬇️ Superseded by v4 review — Original v3 review (88/100)
Re-Review (v3): Overall Score 88/100 (up from 85)
This review has been superseded by the v4 review which scores 90/100 with all 8 categories passing.
General QA findings (M5, M7, N2) were fixed in v4.
| if [[ "${name}" != "${SYNC_NAME_PREFIX}" ]]; then | ||
| name="${SYNC_NAME_PREFIX}-${name}" | ||
| fi | ||
| fi |
There was a problem hiding this comment.
M4 (Medium, still present): sync_name_from_path collisions on multi-level directories
The function uses only basename of the parent directory. Two different compose files with matching leaf directory names (e.g., services/backend/api/compose.yml and services/frontend/api/compose.yml) will both produce prefix-api, causing one sync to silently overwrite the other.
Mitigated by the maxdepth 2 scan limit but not eliminated. Non-blocking — track as follow-up.
Reported in: General QA, Simplicity
…igger failures - M7: Omit token field from create-repository payload when auth-type=none - M5: Deduplicate compose files when compose-dir scan overlaps explicit list - N2: Log a warning when trigger-sync API call fails instead of silently continuing Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
nsheaps
left a comment
nsheaps
left a comment
There was a problem hiding this comment.
Re-Review (v4): Overall Score 90/100 — ALL 8 CATEGORIES PASS
| Category | v1 | v2 | v3 | v4 | Status |
|---|---|---|---|---|---|
| Best Practices | 74 | 95 | 96 | 97 | ✅ |
| Documentation | 81 | 94 | 96 | 96 | ✅ |
| Security | 42 | 82 | 90 | 90 | ✅ |
| Flexibility | 62 | 82 | 90 | 90 | ✅ |
| General QA | 62 | 76 | 80 | 88 | ✅ |
| Simplicity | 72 | 82 | 86 | 87 | ✅ |
| Pattern Matching | 88 | 84 | 85 | 85 | ✅ |
| Usability | 72 | 83 | 85 | 85 | ✅ |
✅ ≥85% — Target: 85%+ all categories — TARGET MET
Verdict: All 8 categories at 85%+. Ready to merge.
All 3 General QA fixes verified:
- M5: Compose file deduplication (action.sh:155-165) —
seenarray eliminates duplicates, handles empty array safely - M7: Omit token on auth-type=none (action.sh:222-235) — conditional payload matches update path pattern
- N2: Log trigger-sync failures (action.sh:319-324) —
if !with warning replaces silent|| true
Journey: 0/8 passing (v1, score 69) → 2/8 (v2, 85) → 7/8 (v3, 88) → 8/8 (v4, 90)
3 medium findings remain (M3 no trap, M4 sync collisions, M14 no tests) — tracked for follow-up, do not block merge.
Full report: .claude/pr-reviews/nsheaps/github-actions/1/1771898462-v4/OVERALL-REPORT.md
2 participants
Summary
This PR introduces a new GitHub Action for deploying Docker Compose stacks to Arcane via GitOps sync. The action automates the discovery and management of compose files, eliminating the need for manual git sync configuration in Arcane.
Key Changes
New Action:
arcane-deploy— A composite GitHub Action that:Implementation Details:
action.yml— Defines 13 configurable inputs and 3 outputsaction.sh— 344-line bash script with:Documentation — Updated README with:
Notable Implementation Details
docker-compose.y[a]mlandcompose.y[a]mlnaming conventionsstacks/myapp/compose.yml→{prefix}-myapp)https://claude.ai/code/session_01PrmzWtCEcxJTMjxXje3ndd