Arm on Yarang's Tech Lairhttps://blog.fcoinfup.com/tags/arm/Recent content in Arm on Yarang's Tech LairHugo -- gohugo.ioenSun, 03 May 2026 01:20:00 +0900Building a Blog AI Auto-Comment System (3/3): Deployment and Troubleshootinghttps://blog.fcoinfup.com/post/ai-auto-comment-system-part3-deployment/Sun, 03 May 2026 01:20:00 +0900https://blog.fcoinfup.com/post/ai-auto-comment-system-part3-deployment/<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## Overview</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>In [Part <span style="color:#ae81ff">1</span>](<span style="color:#f92672">/</span>ko<span style="color:#f92672">/</span>post<span style="color:#f92672">/</span>ai<span style="color:#f92672">-</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>system<span style="color:#f92672">-</span>part1<span style="color:#f92672">-</span>architecture<span style="color:#f92672">/</span>), we covered the architecture <span style="color:#f92672">and</span> implementation, <span style="color:#f92672">and</span> <span style="color:#f92672">in</span> [Part <span style="color:#ae81ff">2</span>](<span style="color:#f92672">/</span>ko<span style="color:#f92672">/</span>post<span style="color:#f92672">/</span>ai<span style="color:#f92672">-</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>system<span style="color:#f92672">-</span>part2<span style="color:#f92672">-</span>security<span style="color:#f92672">/</span>), we looked at security enhancements<span style="color:#f92672">.</span> In this <span style="color:#ae81ff">3</span>rd part, we record the process of deploying to an actual OCI ARM server <span style="color:#f92672">and</span> the troubleshooting encountered<span style="color:#f92672">.</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>In particular, we share <span style="color:#f92672">in</span> detail the actual debugging process where we tracked <span style="color:#f92672">and</span> resolved the issue of <span style="color:#f92672">**</span>GITHUB_TOKEN <span style="color:#f92672">not</span> loading<span style="color:#f92672">**</span> over <span style="color:#ae81ff">4</span> steps<span style="color:#f92672">.</span> The core of this article is how we narrowed down the cause <span style="color:#f92672">in</span> a situation where <span style="color:#e6db74">&#34;it&#39;s set up, so why isn&#39;t it working?&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">---</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## Infrastructure Configuration</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">### Server Configuration</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">|</span> Server <span style="color:#f92672">|</span> Role <span style="color:#f92672">|</span> Specs <span style="color:#f92672">|</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">|------|------|------|</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">|</span> ec1 (x86) <span style="color:#f92672">|</span> Web Server (nginx, Hugo blog) <span style="color:#f92672">|</span> OCI <span style="color:#f92672">|</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">|</span> arm1 (ARM) <span style="color:#f92672">|</span> Worker Server (Flask, Claude Code) <span style="color:#f92672">|</span> OCI ARM <span style="color:#f92672">|</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>The blog is built <span style="color:#f92672">and</span> served with Hugo on ec1, <span style="color:#66d9ef">while</span> the AI comment worker runs on arm1<span style="color:#f92672">.</span> The GitHub Webhook is delivered directly to arm1<span style="color:#f92672">.</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">### Worker Server Directory Structure</span> </span></span></code></pre></div><p>/var/www/auto-comment-worker/ # Application ├── scripts/ │ └── auto-comment-worker.py ├── deploy/ │ └── auto-comment-worker.service ├── venv/ # Python virtual environment └── logs/</p> <p>/etc/auto-comment-worker/ # Credentials ├── github-token # 640, ubuntu:ubuntu └── credentials/ └── webhook-secret # 600, ubuntu:ubuntu</p> <p>/home/ubuntu/.local/bin/claude # Claude Code CLI</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#f92672">---</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">## systemd Service Configuration</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">### Service File</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#960050;background-color:#1e0010">```</span>ini </span></span><span style="display:flex;"><span>[Unit] </span></span><span style="display:flex;"><span>Description<span style="color:#f92672">=</span>Auto Comment Worker <span style="color:#66d9ef">for</span> Blog </span></span><span style="display:flex;"><span>After<span style="color:#f92672">=</span>network<span style="color:#f92672">.</span>target </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[Service] </span></span><span style="display:flex;"><span>Type<span style="color:#f92672">=</span>simple </span></span><span style="display:flex;"><span>User<span style="color:#f92672">=</span>ubuntu </span></span><span style="display:flex;"><span>WorkingDirectory<span style="color:#f92672">=/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>PORT<span style="color:#f92672">=</span><span style="color:#ae81ff">8081</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>CLAUDE_CODE_PATH<span style="color:#f92672">=/</span>home<span style="color:#f92672">/</span>ubuntu<span style="color:#f92672">/.</span>local<span style="color:#f92672">/</span>bin<span style="color:#f92672">/</span>claude </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>BLOG_OWNERS<span style="color:#f92672">=</span>yarang </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>GITHUB_TOKEN_FILE<span style="color:#f92672">=/</span>etc<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">/</span>github<span style="color:#f92672">-</span>token </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span>GITHUB_WEBHOOK_SECRET_FILE<span style="color:#f92672">=/</span>etc<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">/</span>credentials<span style="color:#f92672">/</span>webhook<span style="color:#f92672">-</span>secret </span></span><span style="display:flex;"><span>ExecStart<span style="color:#f92672">=/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">/</span>venv<span style="color:#f92672">/</span>bin<span style="color:#f92672">/</span>python <span style="color:#f92672">/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">/</span>scripts<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker<span style="color:#f92672">.</span>py </span></span><span style="display:flex;"><span>Restart<span style="color:#f92672">=</span>always </span></span><span style="display:flex;"><span>RestartSec<span style="color:#f92672">=</span><span style="color:#ae81ff">10</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Logging</span> </span></span><span style="display:flex;"><span>StandardOutput<span style="color:#f92672">=</span>journal </span></span><span style="display:flex;"><span>StandardError<span style="color:#f92672">=</span>journal </span></span><span style="display:flex;"><span>SyslogIdentifier<span style="color:#f92672">=</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Security</span> </span></span><span style="display:flex;"><span>NoNewPrivileges<span style="color:#f92672">=</span>true </span></span><span style="display:flex;"><span>PrivateTmp<span style="color:#f92672">=</span>true </span></span><span style="display:flex;"><span>ProtectSystem<span style="color:#f92672">=</span>strict </span></span><span style="display:flex;"><span>ProtectHome<span style="color:#f92672">=</span>false </span></span><span style="display:flex;"><span>ReadWritePaths<span style="color:#f92672">=/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>www<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker <span style="color:#f92672">/</span><span style="color:#66d9ef">var</span><span style="color:#f92672">/</span>log<span style="color:#f92672">/</span>auto<span style="color:#f92672">-</span>comment<span style="color:#f92672">-</span>worker </span></span><span style="display:flex;"><span>ReadOnlyPaths<span style="color:#f92672">=</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Resource Limits</span> </span></span><span style="display:flex;"><span>MemoryMax<span style="color:#f92672">=</span><span style="color:#ae81ff">512</span>M </span></span><span style="display:flex;"><span>CPUQuota<span style="color:#f92672">=</span><span style="color:#ae81ff">50</span><span style="color:#f92672">%</span> </span></span><span style="display:flex;"><span>TasksMax<span style="color:#f92672">=</span><span style="color:#ae81ff">100</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[Install] </span></span><span style="display:flex;"><span>WantedBy<span style="color:#f92672">=</span>multi<span style="color:#f92672">-</span>user<span style="color:#f92672">.</span>target </span></span></code></pre></div><h3 id="key-configuration-explanation">Key Configuration Explanation </h3><p><strong><code>Type=simple</code></strong>: Since the Flask worker runs in the foreground, <code>simple</code> is appropriate. <code>forking</code> is used for processes that daemonize.</p> <p><strong><code>User=ubuntu</code></strong>: Although a dedicated service account could be created, it runs as <code>ubuntu</code> because the Claude Code CLI depends on the <code>ubuntu</code> user&rsquo;s home directory configuration.</p> <p><strong><code>ProtectHome=false</code></strong>: Usually set to <code>true</code>, but allows home directory access because Claude Code requires the <code>~/.agent_forge_for_zai.json</code> configuration file.</p> <p><strong><code>ReadOnlyPaths=</code></strong> (Empty value): Initially specified <code>/etc/auto-comment-worker</code>, but left empty due to conflict with <code>ProtectSystem=strict</code>.</p> <h3 id="service-management-commands">Service Management Commands </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Copy service file</span> </span></span><span style="display:flex;"><span>sudo cp deploy/auto-comment-worker.service /etc/systemd/system/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Register and start service</span> </span></span><span style="display:flex;"><span>sudo systemctl daemon-reload </span></span><span style="display:flex;"><span>sudo systemctl enable auto-comment-worker </span></span><span style="display:flex;"><span>sudo systemctl start auto-comment-worker </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check status</span> </span></span><span style="display:flex;"><span>sudo systemctl status auto-comment-worker </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check logs (real-time)</span> </span></span><span style="display:flex;"><span>sudo journalctl -u auto-comment-worker -f </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Check recent logs</span> </span></span><span style="display:flex;"><span>sudo journalctl -u auto-comment-worker --since <span style="color:#e6db74">&#34;10 minutes ago&#34;</span> </span></span></code></pre></div><hr> <h2 id="nginx-reverse-proxy">nginx Reverse Proxy </h2><h3 id="webhook-endpoint-configuration">Webhook Endpoint Configuration </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">your-domain.com</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># SSL Configuration </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate</span> <span style="color:#e6db74">/etc/letsencrypt/live/your-domain.com/fullchain.pem</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> <span style="color:#e6db74">/etc/letsencrypt/live/your-domain.com/privkey.pem</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Webhook Proxy </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/webhook</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">http://localhost:8081</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Host</span> $host; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Real-IP</span> $remote_addr; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Forwarded-For</span> $proxy_add_x_forwarded_for; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Forwarded-Proto</span> $scheme; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># GitHub Webhook signature header forwarding (Required!) </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Hub-Signature-256</span> $http_x_hub_signature_256; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Timeout (Waiting for Claude Code response) </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_read_timeout</span> <span style="color:#e6db74">120s</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_connect_timeout</span> <span style="color:#e6db74">10s</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># Health check </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/health</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">http://localhost:8081</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p><code>proxy_read_timeout 120s</code> is set generously because the Claude Code CLI can take up to 60 seconds to generate an AI response. Since the default timeout for GitHub Webhooks is 10 seconds, asynchronous processing could be considered in practice.</p> <hr> <h2 id="deployment-process">Deployment Process </h2><h3 id="manual-deployment-after-rsync-failure">Manual Deployment (After rsync Failure) </h3><p>Initially, we attempted deployment with rsync, but it failed because the target directory did not exist on the server:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-gdscript3" data-lang="gdscript3"><span style="display:flex;"><span>rsync: [Receiver] mkdir <span style="color:#e6db74">&#34;/var/www/auto-comment-worker/scripts&#34;</span> failed: </span></span><span style="display:flex;"><span>No such file <span style="color:#f92672">or</span> directory </span></span></code></pre></div><p>As an alternative, we proceeded with scp-based manual deployment:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 1. Create directory on server</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo mkdir -p /var/www/auto-comment-worker/scripts&#34;</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo chown -R ubuntu:ubuntu /var/www/auto-comment-worker&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 2. Transfer files</span> </span></span><span style="display:flex;"><span>scp scripts/auto-comment-worker.py ubuntu@arm1:/var/www/auto-comment-worker/scripts/ </span></span><span style="display:flex;"><span>scp deploy/auto-comment-worker.service ubuntu@arm1:/tmp/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 3. Install service file</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo cp /tmp/auto-comment-worker.service /etc/systemd/system/&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 4. Set up Python virtual environment</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;cd /var/www/auto-comment-worker &amp;&amp; python3 -m venv venv&#34;</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;cd /var/www/auto-comment-worker &amp;&amp; venv/bin/pip install flask flask-limiter marshmallow requests&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 5. Configure authentication files</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo mkdir -p /etc/auto-comment-worker/credentials&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># Token file is created directly on the server (not transferred via scp)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 6. Start service</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&#34;sudo systemctl daemon-reload &amp;&amp; sudo systemctl enable --now auto-comment-worker&#34;</span> </span></span></code></pre></div><h3 id="heredoc-variable-expansion-pitfall">Heredoc Variable Expansion Pitfall </h3><p>A common mistake when writing installation scripts with heredoc:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># Single quotes: Variables are NOT expanded!</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&lt;&lt; &#39;ENDSSH&#39; </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">echo $CREDENTIALS_DIR # Prints empty string </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ENDSSH</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># No quotes: Variables are expanded locally</span> </span></span><span style="display:flex;"><span>ssh ubuntu@arm1 <span style="color:#e6db74">&lt;&lt; ENDSSH </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">echo $CREDENTIALS_DIR # Expanded to local variable value </span></span></span><span style="display:flex;"><span><span style="color:#e6db74">ENDSSH</span> </span></span></code></pre></div><p>To avoid this problem, we switched to executing commands individually instead of using a script.</p> <hr> <h2 id="troubleshooting-github_token-loading-failure">Troubleshooting: GITHUB_TOKEN Loading Failure </h2><p>This was the issue that consumed the most time while deploying this system. When the comment Webhook arrived, the following error repeated:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"><span style="display:flex;"><span>INFO:__main__:GITHUB_TOKEN configured: False </span></span><span style="display:flex;"><span>INFO:__main__:GitHub API response status: 401 </span></span><span style="display:flex;"><span>ERROR:__main__:Failed to get Discussion GraphQL ID </span></span></code></pre></div><p>We record the process of tracking down the cause step by step.</p> <h3 id="step-1-loadcredential-path-issue">Step 1: LoadCredential Path Issue </h3><p>Initially, we used the <code>LoadCredential</code> directive in systemd:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">LoadCredential</span><span style="color:#f92672">=</span><span style="color:#e6db74">github-token:/etc/auto-comment-worker/github-token</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span><span style="color:#e6db74">GITHUB_TOKEN_FILE=%d/github-token</span> </span></span></code></pre></div><p><code>%d</code> is a systemd special variable replaced with the credentials directory path. However, this variable was not interpreted as intended, causing the token file path to be set incorrectly.</p> <p><strong>Solution</strong>: Instead of <code>LoadCredential</code>, we specified the absolute path directly.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">Environment</span><span style="color:#f92672">=</span><span style="color:#e6db74">GITHUB_TOKEN_FILE=/etc/auto-comment-worker/github-token</span> </span></span></code></pre></div><h3 id="step-2-file-ownership-issue">Step 2: File Ownership Issue </h3><p><code>GITHUB_TOKEN configured: False</code> still appeared. Checking the file revealed:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ ls -la /etc/auto-comment-worker/github-token </span></span><span style="display:flex;"><span>-rw------- <span style="color:#ae81ff">1</span> root root <span style="color:#ae81ff">93</span> May <span style="color:#ae81ff">3</span> 01:10 github-token </span></span></code></pre></div><p>Since the file owner is <code>root</code> and permissions are <code>600</code>, the service running as the <code>ubuntu</code> user cannot read this file.</p> <p><strong>Solution</strong>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>sudo chown ubuntu:ubuntu /etc/auto-comment-worker/github-token </span></span><span style="display:flex;"><span>sudo chmod <span style="color:#ae81ff">640</span> /etc/auto-comment-worker/github-token </span></span></code></pre></div><h3 id="step-3-readonlypaths-conflict">Step 3: ReadOnlyPaths Conflict </h3><p>Even after changing ownership, <code>GITHUB_TOKEN configured: False</code> persisted. The cause was the <code>ReadOnlyPaths</code> setting in the systemd service file:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#75715e"># This setting blocked file reading</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">ReadOnlyPaths</span><span style="color:#f92672">=</span><span style="color:#e6db74">/etc/auto-comment-worker</span> </span></span></code></pre></div><p><code>ProtectSystem=strict</code> already mounts the entire filesystem read-only. Adding <code>ReadOnlyPaths</code> on top of that can cause mount namespace conflicts in some environments.</p> <p><strong>Solution</strong>: Changed <code>ReadOnlyPaths</code> to an empty value.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#a6e22e">ReadOnlyPaths</span><span style="color:#f92672">=</span> </span></span></code></pre></div><h3 id="step-4-python-file-permission-validation-code-root-cause">Step 4: Python File Permission Validation Code (Root Cause) </h3><p>Even after resolving all previous 3 steps, the token still did not load. The final cause was the overly strict file permission validation in the Python code:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#75715e"># File permission 640 → Group read bit (0o040) is set → Denied!</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> st<span style="color:#f92672">.</span>st_mode <span style="color:#f92672">&amp;</span> (stat<span style="color:#f92672">.</span>S_IRWXO <span style="color:#f92672">|</span> stat<span style="color:#f92672">.</span>S_IRWXG): </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">raise</span> <span style="color:#a6e22e">PermissionError</span>(<span style="color:#e6db74">&#34;Token file must be 600 or 400&#34;</span>) </span></span></code></pre></div><p>Because we changed to <code>chmod 640</code> in Step 2, the group read bit was set, triggering this validation. However, the error message did not appear in the logs, delaying discovery — because the <code>PermissionError</code> occurred at the module import time, preventing the service from starting at all.</p> <p><strong>Solution</strong>: As explained in Part 2, we modified it to check only <code>stat.S_IWOTH</code>.</p> <h3 id="importance-of-debugging-logs">Importance of Debugging Logs </h3><p>The debugging logs added to track this issue:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>logger<span style="color:#f92672">.</span>info(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;GITHUB_TOKEN configured: </span><span style="color:#e6db74">{</span>bool(GITHUB_TOKEN)<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span>logger<span style="color:#f92672">.</span>info(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;GitHub API response status: </span><span style="color:#e6db74">{</span>response<span style="color:#f92672">.</span>status_code<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span><span style="display:flex;"><span>logger<span style="color:#f92672">.</span>info(<span style="color:#e6db74">f</span><span style="color:#e6db74">&#34;GitHub API response body: </span><span style="color:#e6db74">{</span>response<span style="color:#f92672">.</span>text[:<span style="color:#ae81ff">500</span>]<span style="color:#e6db74">}</span><span style="color:#e6db74">&#34;</span>) </span></span></code></pre></div><p>Without these logs, it would have taken much longer to identify the cause. Always log token load success/failure and API response status for authentication-related code.</p> <h3 id="debugging-flow-summary">Debugging Flow Summary </h3><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-zed" data-lang="zed"><span style="display:flex;"><span>[<span style="color:#960050;background-color:#1e0010">1</span>] LoadCredential <span style="color:#f92672">%</span>d not interpreted <span style="color:#960050;background-color:#1e0010">→</span> Changed to absolute path </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">↓</span> (Still failed) </span></span><span style="display:flex;"><span>[<span style="color:#960050;background-color:#1e0010">2</span>] File owner root<span style="color:#f92672">:</span>root <span style="color:#960050;background-color:#1e0010">→</span> Changed to ubuntu<span style="color:#f92672">:</span>ubuntu </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">↓</span> (Still failed) </span></span><span style="display:flex;"><span>[<span style="color:#960050;background-color:#1e0010">3</span>] ReadOnlyPaths conflict <span style="color:#960050;background-color:#1e0010">→</span> Removed </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">↓</span> (Still failed) </span></span><span style="display:flex;"><span>[<span style="color:#960050;background-color:#1e0010">4</span>] Python <span style="color:#66d9ef">permission</span> check S_IRWXG <span style="color:#960050;background-color:#1e0010">→</span> Relaxed to S_IWOTH </span></span><span style="display:flex;"><span> <span style="color:#960050;background-color:#1e0010">↓</span> </span></span><span style="display:flex;"><span> [Resolved<span style="color:#f92672">!</span>] </span></span></code></pre></div><p>Lessons learned from this 4-step debugging:</p> <ol> <li><strong>Change one at a time and verify</strong>: If you change multiple settings at once, you won&rsquo;t know which one is the cause.</li> <li><strong>Trust logs, but suspect where there are no logs</strong>: Exceptions at module load time may not appear in standard logs.</li> <li><strong>Security validation code can also be a source of bugs</strong>: When security code blocks normal operation — balancing security and operations.</li> </ol> <hr> <h2 id="health-check">Health Check </h2><p>A health check endpoint to verify the service is running correctly:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span><span style="color:#a6e22e">@app.route</span>(<span style="color:#e6db74">&#39;/health&#39;</span>, methods<span style="color:#f92672">=</span>[<span style="color:#e6db74">&#39;GET&#39;</span>]) </span></span><span style="display:flex;"><span><span style="color:#66d9ef">def</span> <span style="color:#a6e22e">health</span>(): </span></span><span style="display:flex;"><span> <span style="color:#e6db74">&#34;&#34;&#34;Health check&#34;&#34;&#34;</span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> jsonify({<span style="color:#e6db74">&#39;status&#39;</span>: <span style="color:#e6db74">&#39;healthy&#39;</span>}) </span></span></code></pre></div><p>Monitoring systems periodically call <code>/health</code> to verify the service status:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>curl -s http://localhost:8081/health </span></span><span style="display:flex;"><span><span style="color:#75715e"># {&#34;status&#34;: &#34;healthy&#34;}</span> </span></span></code></pre></div><hr> <h2 id="future-improvements">Future Improvements </h2><ol> <li><strong>Asynchronous Processing</strong>: Asynchronize AI response generation using Celery or Redis Queue to respond within the GitHub Webhook timeout (10 seconds).</li> <li><strong>Retry Logic</strong>: Exponential backoff retry on GitHub API call failures.</li> <li><strong>Monitoring Dashboard</strong>: Monitor response time, success rate, and error rate with Prometheus + Grafana.</li> <li><strong>Automated Deployment</strong>: Build an automated deployment pipeline with GitHub Actions on code changes.</li> <li><strong>Testing</strong>: Write integration tests mocking Webhook payloads.</li> </ol> <hr> <h2 id="conclusion">Conclusion </h2><p>Over three parts, we have recorded the entire build process of the blog AI auto-comment system:</p> <ul> <li><strong>Part 1</strong>: Full architecture of giscus → GitHub Webhook → Flask → Claude Code → GraphQL</li> <li><strong>Part 2</strong>: File-based authentication, HMAC verification, input sanitization, systemd security</li> <li><strong>Part 3</strong>: Actual deployment, nginx proxy, 4-step debugging process</li> </ul> <p>The greatest value of this system is that it <strong>automates communication with blog readers</strong>. While it is difficult for blog operators to respond to every comment immediately, an AI assistant can provide a first response, improving the reader experience.</p> <p>The full code is available at the <a class="link" href="https://github.com/yarang/blogs" target="_blank" rel="noopener" >GitHub repository</a>.</p> <hr> <p><em>This article is Part 3 (the final part) of the AgentForge blog auto-comment system series.</em></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-fallback" data-lang="fallback"></code></pre></div>