fix(cd): run post deploy checks on host runner

.gitea/workflows/cd.yaml

@@ -739,7 +739,9 @@ jobs:
   post-deploy-checks:
     needs: build-and-deploy
     timeout-minutes: 30
-    runs-on: ubuntu-latest
+    # 2026-04-30 Codex: keep post-deploy on the host runner too. Playwright
+    # install-deps can also kill the act-managed job container with RWLayer=nil.
+    runs-on: awoooi-host
     steps:
       - uses: actions/checkout@v4
 
@@ -758,22 +760,33 @@ jobs:
         id: alert_chain_smoke
         run: |
           # 2026-04-05 Claude Code: 使用真實 API 地址（192.168.0.121:32334 NodePort）
-          # CI job container 的 localhost 不等於 K3s 節點，必須用內網 IP
-          # 首席架構師 Review C2: 修正永遠 pass — || true 移除，結果正確寫入 GITHUB_OUTPUT
-          source /opt/api-venv/bin/activate
-          python3 scripts/alert_chain_smoke_test.py \
-            --api-url http://192.168.0.121:32334 \
-            --json | tee /tmp/alert_chain_result.json \
-            && echo "alert_chain_status=pass" >> $GITHUB_OUTPUT \
-            || echo "alert_chain_status=fail" >> $GITHUB_OUTPUT
+          # Host runner launches the CI image explicitly to avoid act RWLayer=nil.
+          if docker run --rm \
+            -v "$PWD:/workspace" \
+            -v awoooi-api-venv-cache:/opt/api-venv \
+            -w /workspace \
+            "${{ env.CI_IMAGE }}" \
+            bash -lc 'source /opt/api-venv/bin/activate && python3 scripts/alert_chain_smoke_test.py --api-url http://192.168.0.121:32334 --json | tee /tmp/alert_chain_result.json'; then
+            echo "alert_chain_status=pass" >> $GITHUB_OUTPUT
+          else
+            echo "alert_chain_status=fail" >> $GITHUB_OUTPUT
+          fi
 
       # Phase O-5 Wave C.2 2026-04-02 ogt: 監控覆蓋率驗證 (generate_monitoring.py --check)
       # 2026-04-10 ogt: 移除 continue-on-error — 覆蓋率不足必須阻塞部署
       - name: Monitoring Coverage Check
         id: monitoring_coverage
         run: |
-          source /opt/api-venv/bin/activate
-          python3 scripts/generate_monitoring.py --check && echo "coverage_status=pass" >> $GITHUB_OUTPUT || echo "coverage_status=fail" >> $GITHUB_OUTPUT
+          if docker run --rm \
+            -v "$PWD:/workspace" \
+            -v awoooi-api-venv-cache:/opt/api-venv \
+            -w /workspace \
+            "${{ env.CI_IMAGE }}" \
+            bash -lc 'source /opt/api-venv/bin/activate && python3 scripts/generate_monitoring.py --check'; then
+            echo "coverage_status=pass" >> $GITHUB_OUTPUT
+          else
+            echo "coverage_status=fail" >> $GITHUB_OUTPUT
+          fi
 
       # [首席架構師] 新增 Playwright E2E Smoke Test 步驟 v1.0.0 2026-04-01 (台北時間)
       # continue-on-error: true — smoke 失敗不阻塞部署，但結果會反映在 TG 通知
@@ -781,6 +794,7 @@ jobs:
         id: smoke
         continue-on-error: true
         run: |
+          cat > /tmp/awoooi-smoke.sh <<'CI_SCRIPT'
           # 首席架構師 Review I4 + 2026-04-05 Claude Code cache優化:
           # playwright.config.ts import @playwright/test — 必須先安裝 pnpm node_modules
           # pnpm store 持久化到 /opt/pnpm-store，pnpm-lock.yaml hash 未變則 --prefer-offline
@@ -826,6 +840,21 @@ jobs:
           npx playwright test tests/e2e/smoke.spec.ts --reporter=line \
             && echo "smoke_status=pass" >> $GITHUB_OUTPUT \
             || echo "smoke_status=fail" >> $GITHUB_OUTPUT
+          CI_SCRIPT
+          touch /tmp/awoooi-smoke-output
+          docker run --rm \
+            -v "$PWD:/workspace" \
+            -v /tmp/awoooi-smoke.sh:/tmp/awoooi-smoke.sh:ro \
+            -v /tmp/awoooi-smoke-output:/tmp/awoooi-smoke-output \
+            -v awoooi-pnpm-store:/opt/pnpm-store \
+            -v awoooi-playwright-browsers:/opt/playwright-browsers \
+            -w /workspace \
+            -e GITHUB_OUTPUT=/tmp/awoooi-smoke-output \
+            -e CI=true \
+            -e PLAYWRIGHT_BASE_URL=https://awoooi.wooo.work \
+            "${{ env.CI_IMAGE }}" \
+            bash /tmp/awoooi-smoke.sh
+          cat /tmp/awoooi-smoke-output >> "$GITHUB_OUTPUT"
         env:
           CI: "true"
           # 直接測試已部署的生產環境，不啟動本地 dev server