From 8ea3276d20a6f9b3569464496b328e5823f480e9 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Tue, 26 May 2026 20:53:27 +0100 Subject: [PATCH] plan: document recipe mirror+PR flow and bot org scope for enrollment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Recipe repos under test live on the private mirror git.autonomic.zone/recipe-maintainers, mirrored from upstream git.coopcloud.tech. autonomic-bot is admin on that org (can create repos + add webhooks). A recipe missing from the mirror is not a blocker — fetch from upstream and open a PR via the recipe-create-pr procedure. Updated D10 (§2) and enrollment (§4.1). Co-Authored-By: Claude Opus 4.7 (1M context) --- cc-ci-plan/plan.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/cc-ci-plan/plan.md b/cc-ci-plan/plan.md index fade52c..b7b0a7b 100644 --- a/cc-ci-plan/plan.md +++ b/cc-ci-plan/plan.md 
@@ -185,6 +185,14 @@ output). Partial credit does not count. (TLS-passthrough/atproto). Pick six that together satisfy the categories; record the chosen set and per-recipe green-run evidence in `REVIEW.md`. Any recipe that genuinely cannot be CI'd is a documented finding (in `DECISIONS.md`) with the reason, not a silent omission. + *Recipe availability:* the testable repos live on the **private mirror** + `git.autonomic.zone/recipe-maintainers/` (already mirrored as of bootstrap: + `bluesky-pds`, `cryptpad`, `keycloak`, `lasuite-docs`, `lasuite-meet`, `matrix-synapse`, `n8n`, + `custom-html`, `custom-html-tiny`). Any recipe **not** yet mirrored (e.g. `hedgedoc`, + `authentik`, `immich`, `lasuite-drive`) is pulled from upstream **git.coopcloud.tech** and + created on the mirror via the **recipe mirror+PR flow** (§4.1) — so the target set is not capped + by what currently exists. If the chosen simple/stateless app isn't mirrored, `custom-html` / + `custom-html-tiny` already are. When all of D1–D10 hold and are Adversary-verified, write `## DONE` to `STATUS.md` with the evidence links and stop scheduling new iterations. 
@@ -317,7 +325,18 @@ Bridge posts/updates a Gitea PR comment with the run URL and (on completion) pas - The bridge is a tiny service (Go or Python+FastAPI). Keep it dependency-light; it's a NixOS systemd service behind Traefik at e.g. `ci.commoninternet.net/hook` (§4.0). - Enrollment = registering the Gitea webhook on a recipe repo (script in `runner/` or documented - in `enroll-recipe.md`) + ensuring a `tests//` dir exists. + in `enroll-recipe.md`) + ensuring a `tests//` dir exists. The `autonomic-bot` account is + **admin on the `recipe-maintainers` org**, so it can create repos there and add webhooks to any + recipe repo — no extra grant needed. +- **Recipe mirror+PR flow (how a recipe gets a testable PR).** Recipe repos under test live on the + **private mirror** `git.autonomic.zone/recipe-maintainers/`, mirrored from the **official + upstream `git.coopcloud.tech`**. To bring a recipe under CI: `abra recipe fetch ` (pulls + from upstream into `~/.abra/recipes/`), then mirror it to the org + open a PR via the + **recipe mirror+PR procedure** — reference implementation: + `/srv/recipe-maintainer/.claude/commands/recipe-create-pr.md` (creates `recipe-maintainers/` + if absent, force-syncs `main` from upstream so the PR diff is clean, pushes a branch, opens the PR). + `!testme` on that PR is what kicks off a run. So a recipe missing from the mirror is **not** a + blocker — mirror it first. - Decide and record in DECISIONS.md: one shared Gitea org-level webhook vs per-repo webhooks. Org-level is fewer moving parts; per-repo is more explicit. Default: per-repo via enroll script.
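Review bot: In the first hunk (@@ -185,6 +185,14 @@), the added *Recipe availability* paragraph hard-codes a point-in-time inventory ("already mirrored as of bootstrap: `bluesky-pds`, `cryptpad`, ...") that goes stale the first time the §4.1 flow mirrors another recipe. Consider keeping only the rule in D10 (mirrored recipes are used directly, unmirrored ones go through the mirror+PR flow) and moving the list to `REVIEW.md` next to the chosen set, or dating it explicitly. The paragraph also says unmirrored recipes are "pulled from upstream" without saying which upstream ref ends up on the mirror. Since D10 already asks for per-recipe green-run evidence in `REVIEW.md`, recording the upstream commit that was mirrored alongside that evidence would make each green run traceable to a specific upstream state.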
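Review bot: In the second hunk (@@ -317,7 +325,18 @@), the sentence added to the enrollment bullet presents org-admin rights for `autonomic-bot` as a convenience ("no extra grant needed") without saying which component holds that credential. The same section describes a bridge service that receives webhooks and posts PR comments; if the bridge runs with the same account, a compromise of the hook endpoint carries the ability to create repos and add webhooks across `recipe-maintainers`. Suggest stating that the admin credential is used only by the enroll script and the mirror+PR procedure, that the bridge uses a narrower one, and recording that in `DECISIONS.md` next to the webhook decision. Two smaller points in the new mirror+PR bullet: "force-syncs `main` from upstream" is destructive, so the plan should state that the mirror's `main` never carries local commits (or that the procedure refuses to overwrite them); and the reference implementation is given as a host-local absolute path, `/srv/recipe-maintainer/.claude/commands/recipe-create-pr.md`, which a reader of `plan.md` cannot resolve from this repo, so link or vendor it. The bullet also says `!testme` "kicks off a run" but not who is allowed to issue it, which is worth one sentence here.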