Public Data Packaging for Cloud Run

Cloud Run packaging is a security boundary. The wiki should be public, but the rest of a private operations folder should not ride along for convenience.

Packaging principle

  • Public JSON data can be packaged with the app when it is intentionally safe.
  • Private app data, backups, screenshots, and local QA artifacts should stay out of the Docker and Cloud Build context.
  • Use narrow allowlists rather than copying whole data directories.

Checklist

  • Keep public wiki content in a dedicated file such as data/hermes-wiki.json.
  • Allowlist only that public file in ignore rules when data directories are otherwise ignored.
  • Use explicit Dockerfile copy steps for public data.
  • Bump CSS or JS cache-bust query strings when rendering/search behavior changes.
  • Run local route checks before building the image.

Pitfalls

  • Uploading private data to Cloud Build is a leak even if the app never serves it.
  • A deploy can succeed while the runtime container is missing the public JSON.
  • Stale cached CSS can make a fixed route look broken after deploy.

Verification steps

  • Check the local container or dev server can render /wiki.
  • Deploy only after JSON validity and route checks pass.
  • Fetch the live mapped domain and sample article routes.
  • Verify sitemap entries for newly published article URLs.