plan: document recipe mirror+PR flow and bot org scope for enrollment

Recipe repos under test live on the private mirror git.autonomic.zone/recipe-maintainers,
mirrored from upstream git.coopcloud.tech. autonomic-bot is admin on that org (can create
repos + add webhooks). A recipe missing from the mirror is not a blocker — fetch from
upstream and open a PR via the recipe-create-pr procedure. Updated D10 (§2) and enrollment (§4.1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 20:53:27 +01:00
parent 001ff29190
commit 8ea3276d20


@ -185,6 +185,14 @@ output). Partial credit does not count.
(TLS-passthrough/atproto). Pick six that together satisfy the categories; record the chosen
set and per-recipe green-run evidence in `REVIEW.md`. Any recipe that genuinely cannot be CI'd
is a documented finding (in `DECISIONS.md`) with the reason, not a silent omission.
*Recipe availability:* the testable repos live on the **private mirror**
`git.autonomic.zone/recipe-maintainers/<recipe>` (already mirrored as of bootstrap:
`bluesky-pds`, `cryptpad`, `keycloak`, `lasuite-docs`, `lasuite-meet`, `matrix-synapse`, `n8n`,
`custom-html`, `custom-html-tiny`). Any recipe **not** yet mirrored (e.g. `hedgedoc`,
`authentik`, `immich`, `lasuite-drive`) is pulled from upstream **git.coopcloud.tech** and
created on the mirror via the **recipe mirror+PR flow** (§4.1) — so the target set is not capped
by what currently exists. If the chosen simple/stateless app isn't mirrored, `custom-html` /
`custom-html-tiny` already are.
When all of D1D10 hold and are Adversary-verified, write `## DONE` to `STATUS.md` with the
evidence links and stop scheduling new iterations.
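Review bot: the hardcoded list of already-mirrored recipes in the *Recipe availability* paragraph (`bluesky-pds` through `custom-html-tiny`, qualified only as "as of bootstrap") will drift from what the org actually contains; either date the snapshot or point readers at the `recipe-maintainers` org listing as the source of truth and keep one or two names as examples. In the same paragraph, "is pulled from upstream **git.coopcloud.tech** and created on the mirror" should say who performs that step (the bot per §4.1 or a maintainer), because that is the point at which unreviewed upstream content enters the private mirror and, via `!testme`, the CI runner.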
@ -317,7 +325,18 @@ Bridge posts/updates a Gitea PR comment with the run URL and (on completion) pas
- The bridge is a tiny service (Go or Python+FastAPI). Keep it dependency-light; it's a NixOS
systemd service behind Traefik at e.g. `ci.commoninternet.net/hook` (§4.0).
- Enrollment = registering the Gitea webhook on a recipe repo (script in `runner/` or documented
in `enroll-recipe.md`) + ensuring a `tests/<recipe>/` dir exists.
in `enroll-recipe.md`) + ensuring a `tests/<recipe>/` dir exists. The `autonomic-bot` account is
**admin on the `recipe-maintainers` org**, so it can create repos there and add webhooks to any
recipe repo — no extra grant needed.
- **Recipe mirror+PR flow (how a recipe gets a testable PR).** Recipe repos under test live on the
**private mirror** `git.autonomic.zone/recipe-maintainers/<recipe>`, mirrored from the **official
upstream `git.coopcloud.tech`**. To bring a recipe under CI: `abra recipe fetch <recipe>` (pulls
from upstream into `~/.abra/recipes/<recipe>`), then mirror it to the org + open a PR via the
**recipe mirror+PR procedure** — reference implementation:
`/srv/recipe-maintainer/.claude/commands/recipe-create-pr.md` (creates `recipe-maintainers/<recipe>`
if absent, force-syncs `main` from upstream so the PR diff is clean, pushes a branch, opens the PR).
`!testme` on that PR is what kicks off a run. So a recipe missing from the mirror is **not** a
blocker — mirror it first.
- Decide and record in DECISIONS.md: one shared Gitea org-level webhook vs per-repo webhooks.
Org-level is fewer moving parts; per-repo is more explicit. Default: per-repo via enroll script.
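Review bot: "force-syncs `main` from upstream so the PR diff is clean" discards any commits on the mirror's `main` that are not in upstream, so the bullet should state explicitly that `recipe-maintainers/<recipe>` `main` is a read-only copy of upstream and that all mirror-local work lives on branches; otherwise a second run of `recipe-create-pr` silently drops changes. Two smaller points in the same bullet: the reference implementation is a host-local path under `/srv/recipe-maintainer/.claude/commands/`, invisible to anyone reading `enroll-recipe.md` from the repo, so the four steps (create repo if absent, sync `main`, push branch, open PR) should be spelled out in the doc or the script vendored into `runner/`; and since `!testme` on the PR is the run trigger and `autonomic-bot` is org admin, `DECISIONS.md` should record who may post `!testme` and why org-admin rather than a narrower grant is needed for repo creation plus webhook registration.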