From c79d3054ec91cc311b6a9e7db6e9feb45c03c27b Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Mon, 1 Jun 2026 12:25:05 +0800
Subject: [PATCH] ci: bound post-deploy smoke cleanup

---
 .gitea/workflows/cd.yaml | 57 ++++++++++++++++++++++++++++++----------
 1 file changed, 43 insertions(+), 14 deletions(-)

diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index d703227e..e45940f3 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -1421,20 +1421,49 @@ jobs:
           rm -f "$SMOKE_OUTPUT"
           touch "$SMOKE_OUTPUT"
           chmod 666 "$SMOKE_OUTPUT"
-          docker run --rm \
-            --name "awoooi-cd-${GITHUB_RUN_ID:-manual}-${GITHUB_RUN_ATTEMPT:-1}-e2e-smoke" \
-            --cpus "1.5" \
-            --memory "2g" \
-            -v "$PWD:/workspace" \
-            -v /tmp/awoooi-smoke.sh:/tmp/awoooi-smoke.sh:ro \
-            -v awoooi-pnpm-store:/opt/pnpm-store \
-            -v awoooi-playwright-browsers:/opt/playwright-browsers \
-            -w /workspace \
-            -e GITHUB_OUTPUT=/workspace/.awoooi-smoke-output \
-            -e CI=true \
-            -e PLAYWRIGHT_BASE_URL=https://awoooi.wooo.work \
-            "${{ env.CI_IMAGE }}" \
-            bash /tmp/awoooi-smoke.sh
+          SMOKE_DOCKER_STATUS=0
+          # 2026-06-01 Codex: post-deploy smoke can pass, then hang in
+          # runner cleanup and incorrectly mark the deploy failed. Bound only
+          # the smoke container; preserve pass evidence if it was written.
+          if command -v timeout >/dev/null 2>&1; then
+            timeout --kill-after=20s 300s docker run --rm \
+              --name "awoooi-cd-${GITHUB_RUN_ID:-manual}-${GITHUB_RUN_ATTEMPT:-1}-e2e-smoke" \
+              --cpus "1.5" \
+              --memory "2g" \
+              -v "$PWD:/workspace" \
+              -v /tmp/awoooi-smoke.sh:/tmp/awoooi-smoke.sh:ro \
+              -v awoooi-pnpm-store:/opt/pnpm-store \
+              -v awoooi-playwright-browsers:/opt/playwright-browsers \
+              -w /workspace \
+              -e GITHUB_OUTPUT=/workspace/.awoooi-smoke-output \
+              -e CI=true \
+              -e PLAYWRIGHT_BASE_URL=https://awoooi.wooo.work \
+              "${{ env.CI_IMAGE }}" \
+              bash /tmp/awoooi-smoke.sh || SMOKE_DOCKER_STATUS=$?
+          else
+            docker run --rm \
+              --name "awoooi-cd-${GITHUB_RUN_ID:-manual}-${GITHUB_RUN_ATTEMPT:-1}-e2e-smoke" \
+              --cpus "1.5" \
+              --memory "2g" \
+              -v "$PWD:/workspace" \
+              -v /tmp/awoooi-smoke.sh:/tmp/awoooi-smoke.sh:ro \
+              -v awoooi-pnpm-store:/opt/pnpm-store \
+              -v awoooi-playwright-browsers:/opt/playwright-browsers \
+              -w /workspace \
+              -e GITHUB_OUTPUT=/workspace/.awoooi-smoke-output \
+              -e CI=true \
+              -e PLAYWRIGHT_BASE_URL=https://awoooi.wooo.work \
+              "${{ env.CI_IMAGE }}" \
+              bash /tmp/awoooi-smoke.sh || SMOKE_DOCKER_STATUS=$?
+          fi
+          if [ "$SMOKE_DOCKER_STATUS" != "0" ] && ! grep -q '^smoke_status=pass$' "$SMOKE_OUTPUT"; then
+            echo "smoke_status=fail" > "$SMOKE_OUTPUT"
+            echo "E2E smoke container failed before pass evidence: ${SMOKE_DOCKER_STATUS}"
+            exit "$SMOKE_DOCKER_STATUS"
+          fi
+          if [ "$SMOKE_DOCKER_STATUS" != "0" ]; then
+            echo "E2E smoke pass evidence was written; treating container exit ${SMOKE_DOCKER_STATUS} as cleanup timeout"
+          fi
           cat "$SMOKE_OUTPUT" >> "$GITHUB_OUTPUT"
         env:
           CI: "true"