diff --git a/cc-ci-plan/IDEAS.md b/cc-ci-plan/IDEAS.md index 10eebd0..5111724 100644 --- a/cc-ci-plan/IDEAS.md +++ b/cc-ci-plan/IDEAS.md @@ -41,13 +41,13 @@ item into the project `BACKLOG.md` as `[idea]` if/when it becomes relevant. real bottleneck **AND** the cache lives on **recreate-surviving storage** (Incus volume / host-b1 path, not the VM's ephemeral disk). Otherwise it's complexity without payoff. *Added:* 2026-05-29. -- [ ] **Optional `--extra-tests` flag for heavy / operational tests (opt-in heavy suite).** +- [ ] **Optional `--extra` flag for heavy / operational tests (opt-in heavy suite).** Some recipe tests are "more than needed" for the default CI signal — state-management / long-running-instance / load / helper-script operational tests that don't fit the ephemeral per-run-deploy model cheaply but are useful occasionally. Today they're deferred to `cc-ci/machine-docs/DEFERRED.md` (e.g. matrix-synapse `compress_state.sh`, `test_complexity_limit.sh`, `test_purge.sh`) and don't run. - *Idea:* add an **opt-in `--extra-tests` flag** (e.g. `!testme --extra-tests` on a PR comment, or + *Idea:* add an **opt-in `--extra` flag** (e.g. `!testme --extra` on a PR comment, or a `STAGES=extra` / `EXTRA_TESTS=1` Drone build parameter) that the orchestrator passes through; recipes declare an `extra/` test dir or mark tests with `@pytest.mark.extra`; on opt-in the orchestrator runs them **alongside** the default tiers (still one deploy, still teardown). Default 
@@ -70,3 +70,15 @@ item into the project `BACKLOG.md` as `[idea]` if/when it becomes relevant. least-privilege (read-only) default is preserved. *Why deferred:* polling already satisfies D1 and the read-only posture is the goal; this is a convenience optimization for a different deployment profile. *Added:* 2026-05-27. + +- **Docker Hub `registry:2` pull-through cache (deferred from Phase 2pc).** A local registry in + proxy/pull-through mode, daemon `registry-mirrors`-wired, so all `docker.io` pulls are cached + locally across recipes/runs/prunes. **Deferred (operator, 2026-05-29):** on the current + **single, PAT-authenticated, non-pruning** host, Docker's own local image store already IS the + cache (redeploys reuse local layers — proven in Phase 2pc), so a separate registry adds a service + + mirror config + cache GC for marginal gain; its distinctive wins (multi-node fan-out, surviving + prune/VM-rebuild on *separate* storage, cache-miss auth) don't apply here. **Revisit ONLY if** (a) + cc-ci goes **multi-node**, OR (b) Phase-2b measurement shows **cold-deploy pull time is a real + bottleneck** (e.g. D8 throwaway-rebuild / fresh-canonical seeding) **AND** the cache lives on + **recreate-surviving storage** (an Incus volume / a path on host b1, not the VM's ephemeral disk). + Otherwise it's complexity without payoff. See DECISIONS.md "Phase 2pc". *Added:* 2026-05-29. diff --git a/cc-ci-plan/plan-sso-dep-testing.md b/cc-ci-plan/plan-sso-dep-testing.md index a216b0c..d335306 100644 --- a/cc-ci-plan/plan-sso-dep-testing.md +++ b/cc-ci-plan/plan-sso-dep-testing.md 
@@ -180,7 +180,7 @@ These are **loop work** under this plan, not deferred: with keycloak, use keycloak. So DEFERRED #9's re-entry trigger narrows to "a recipe requires authentik" — the cross-provider-coverage trigger is dropped. (E.g. cryptpad: its upstream test uses authentik, but test it under **keycloak** — equally valid.) -- The `--extra-tests` flag IDEA is **not** a precondition for this plan; OIDC-dep tests are part +- The `--extra` flag IDEA is **not** a precondition for this plan; OIDC-dep tests are part of the default suite for the recipes that need them. ## 7. Definition of done for this pattern
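Review bot: In the first IDEAS.md hunk (@@ -41,13), the flag is renamed to `--extra` in the heading and the `!testme` example, but the unchanged context line directly below still offers `EXTRA_TESTS=1` as the Drone build parameter next to `STAGES=extra`. If the rename is meant to settle on "extra" as the single name, rename that parameter in the same change, or say explicitly that it keeps the old spelling. Otherwise the PR-comment flag and the build parameter the orchestrator passes through are documented under two different names.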
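Review bot: The entry added at the end of IDEAS.md (@@ -70,3 +70,15) looks like a duplicate of an item that is already in the file. The context at the top of the first hunk shows an existing item ending with "the cache lives on **recreate-surviving storage** (Incus volume / host-b1 path, not the VM's ephemeral disk). Otherwise it's complexity without payoff. *Added:* 2026-05-29.", which is the same revisit condition and the same date. Fold the new wording (the Phase 2pc rationale and the DECISIONS.md pointer) into that item instead of appending a second one, so the two copies cannot diverge. Separately, the new bullet opens with `- **` while the neighbouring idea uses the `- [ ]` checkbox form; match whichever convention the file intends.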