Public Data Packaging for Cloud Run
Cloud Run packaging is a security boundary. The wiki should be public, but the rest of a private operations folder should not ride along for convenience.
Packaging principle
- Public JSON data can be packaged with the app when it is intentionally safe.
- Private app data, backups, screenshots, and local QA artifacts should stay out of the Docker and Cloud Build context.
- Use narrow allowlists rather than copying whole data directories.
Checklist
- Keep public wiki content in a dedicated file such as
data/hermes-wiki.json. - Allowlist only that public file in ignore rules when data directories are otherwise ignored.
- Use explicit Dockerfile copy steps for public data.
- Bump CSS or JS cache-bust query strings when rendering/search behavior changes.
- Run local route checks before building the image.
Pitfalls
- Uploading private data to Cloud Build is a leak even if the app never serves it.
- A deploy can succeed while the runtime container is missing the public JSON.
- Stale cached CSS can make a fixed route look broken after deploy.
Verification steps
- Check the local container or dev server can render
/wiki. - Deploy only after JSON validity and route checks pass.
- Fetch the live mapped domain and sample article routes.
- Verify sitemap entries for newly published article URLs.
