From bc32096e9c78b8dab2d23081fee96adbdf28258e Mon Sep 17 00:00:00 2001 From: Shun Kakinoki Date: Mon, 5 Jan 2026 00:08:53 +0900 Subject: [PATCH] fix: prevent race condition in objectstore auth sync Remove os.RemoveAll() call in syncAuthFromBucket() that was causing a race condition with the file watcher. Problem: 1. syncAuthFromBucket() wipes local auth directory with RemoveAll 2. File watcher detects deletions and propagates them to remote store 3. syncAuthFromBucket() then pulls from remote, but files are now gone Solution: Use incremental sync instead of delete-then-pull. Just ensure the directory exists and overwrite files as they're downloaded. This prevents the watcher from seeing spurious delete events. --- internal/store/objectstore.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/internal/store/objectstore.go b/internal/store/objectstore.go index 726ebc9f..8492eab7 100644 --- a/internal/store/objectstore.go +++ b/internal/store/objectstore.go @@ -386,11 +386,12 @@ func (s *ObjectTokenStore) syncConfigFromBucket(ctx context.Context, example str } func (s *ObjectTokenStore) syncAuthFromBucket(ctx context.Context) error { - if err := os.RemoveAll(s.authDir); err != nil { - return fmt.Errorf("object store: reset auth directory: %w", err) - } + // NOTE: We intentionally do NOT use os.RemoveAll here. + // Wiping the directory triggers file watcher delete events, which then + // propagate deletions to the remote object store (race condition). + // Instead, we just ensure the directory exists and overwrite files incrementally. if err := os.MkdirAll(s.authDir, 0o700); err != nil { - return fmt.Errorf("object store: recreate auth directory: %w", err) + return fmt.Errorf("object store: create auth directory: %w", err) } prefix := s.prefixedKey(objectStoreAuthPrefix + "/")