From 4106d7ba75a4a2d9d184a999f90cba3bbd410c45 Mon Sep 17 00:00:00 2001
From: Rasmus Wejlgaard
Date: Fri, 3 Apr 2026 19:49:20 +0000
Subject: [PATCH] fix: remove || true from compose lint so validation errors fail CI

The lint-docker-compose workflow was swallowing all validation errors with || true, meaning broken compose files would never fail the check.
- Remove || true and let validation failures propagate
- Add a pre-step that creates empty stubs for referenced env_file entries (e.g. bitwarden/settings.env) so docker compose config can validate structure without needing real secrets
- Track per-file pass/fail and exit non-zero if any file fails
Closes PESO-130
---
.github/workflows/lint-docker-compose.yml | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/lint-docker-compose.yml b/.github/workflows/lint-docker-compose.yml
index dabcd35..f23eab2 100644
--- a/.github/workflows/lint-docker-compose.yml
+++ b/.github/workflows/lint-docker-compose.yml
@@ -10,16 +10,36 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Stub missing env files referenced by Compose + run: | + shopt -s globstar nullglob + for f in ansible/services/**/docker-compose.yml ansible/services/**/docker-compose.yaml ansible/services/**/compose.yml ansible/services/**/compose.yaml; do + dir=$(dirname "$f") + # Create empty stubs for any env_file entries that don't exist + grep -oP 'env_file:\s*\K.*|^\s*-\s*\K\S+\.env' "$f" 2>/dev/null | while read -r envfile; do + envfile=$(echo "$envfile" | sed 's/^["'\'']*//;s/["'\'']*$//') + if [ -n "$envfile" ] && [ ! -f "$dir/$envfile" ]; then + echo "Creating stub: $dir/$envfile" + touch "$dir/$envfile" + fi + done + done + - name: Validate Compose files run: | + failed=0 found=0 shopt -s globstar nullglob for f in ansible/services/**/docker-compose.yml ansible/services/**/docker-compose.yaml ansible/services/**/compose.yml ansible/services/**/compose.yaml; do echo "::group::Validating $f" - docker compose -f "$f" config --quiet 2>&1 || true + if ! docker compose -f "$f" config --quiet 2>&1; then + echo "::error file=$f::Compose validation failed" + failed=1 + fi echo "::endgroup::" found=1 done if [ "$found" -eq 0 ]; then echo "No Compose files found — skipping." fi + exit $failed
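Review bot: In the new "Stub missing env files" step, `touch "$dir/$envfile"` uses a path parsed out of the compose file without confining it to the service directory, so an entry containing `..` segments makes the job create files outside `$dir` on the runner. If this workflow runs on pull requests (the `on:` trigger is outside the hunk), that value is contributor-controlled. I would skip such entries before the existence test, e.g. `case "$envfile" in /*|*..*) echo "Skipping env_file outside $dir: $envfile"; continue ;; esac`. Separately, the second grep alternative matches any list item ending in `.env`, not only items under `env_file:`, so a volume mapping whose target ends in `.env` would be passed to `touch` as well; restricting the match to the `env_file:` block, or documenting the limitation in the step's comment, would avoid that.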