plan: finalize report PR-STATUS column (binary open/✓; proxy in reports.nix; decisions locked)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ -2,10 +2,16 @@
Goal (operator request): in the weekly Recipe Report table,
1. **rename the current `Status` column → `TESTS`** (it shows the test/CI verdict: GREEN/FAILED/STALE/SKIPPED/UPTODATE — unchanged content, new label),
2. **add a new `STATUS` column** showing the live state of the recipe's PR — **open** (still to review) or a **✓** when closed/merged,
2. **add a new `STATUS` column** showing the live state of the recipe's PR — **`open`** (still to review) vs a **✓** for **any state that is not open** (merged OR closed-without-merge both show ✓; no separate "closed unmerged" treatment — operator-decided),
3. the PR state is fetched **client-side with JavaScript so it updates in realtime** (a visitor sees the current state, even on an archived past report),
4. to support (3), **make the recipe repo mirrors public** (operator: this is fine).
> **Operator decisions (locked):** (a) STATUS is binary — `open` vs ✓ (not-open). (b) The realtime
> proxy goes on the **cc-ci server via nix**, in the SAME stack/way the report itself is served
> (`reports.nix`) — NOT a separate service. (c) Exclusion set for the public flip confirmed: make the
> recipe mirrors public; keep `cc-ci-secrets`, `cc-ci-orchestrator`, `archived-cc-ci-orchestrator`,
> and `cc-ci` private.
## Findings that shape the plan
- The table is built by `cc-ci-plan/recipe-report.py::_table`. Current columns:
`Recipe | Change | Status | CVEs | CI | PR | Notes`. The `Status` cell carries a CSS class
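Review bot: item 4 ("make the recipe repo mirrors public") is presented as a prerequisite for item 3, but decision (b) already routes the browser through a same-origin proxy in `reports.nix`, and a server-side proxy can authenticate to Gitea with a read-only token, so the public flip is not strictly required for the realtime STATUS column. If the mirrors are being made public for their own sake, say so in the goal so the exposure is an explicit choice rather than a side effect of a reporting feature, and keep the secret-scan gate plus the private exclusion list in (c) as the controlling constraint either way.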
@ -62,11 +68,16 @@ needs no token (and the PRs are publicly viewable, which is the point).
`recipe-maintainers` org itself is visible enough that public repos are reachable.
4. Verify an **unauthenticated** read now works: `curl https://git.autonomic.zone/api/v1/repos/recipe-maintainers/cryptpad/pulls/5` → 200 with `state`/`merged`.
### B. Reports nginx proxy (cc-ci repo — via /ci-dev-workflow)
1. Add the `/pr/<recipe>/<n>` proxy location to the reports nginx config; rebuild/redeploy the
`ccci-reports` stack. Verify `curl https://report.ci.commoninternet.net/pr/cryptpad/5` returns the
PR JSON same-origin.
2. (Optional hardening) small `proxy_cache` (e.g. 30–60 s) so many visitors don't hammer Gitea.
### B. Reports nginx proxy — in `reports.nix`, via nix (cc-ci repo, /ci-dev-workflow)
The proxy lives in the SAME place and is shipped the SAME way as the report serving itself: in the
cc-ci repo's `reports.nix` (the `ccci-reports` nginx stack), deployed via the nix rebuild — NOT a
separate service or a hand-edited container.
1. Locate how `reports.nix` defines the nginx config for `ccci-reports` (the static `/var/lib/cc-ci-reports`
server). Add the `/pr/<recipe>/<n>` `location` (above) into that same nginx config, so it's built
and deployed by the same mechanism. Resolver/SNI as needed for the `git.autonomic.zone` https upstream.
2. Ship via `/ci-dev-workflow` (branch cc-ci → adversary verify → merge → `nixos-rebuild` deploy).
Verify `curl https://report.ci.commoninternet.net/pr/cryptpad/5` returns the PR JSON same-origin.
3. (Optional hardening) a small `proxy_cache` (e.g. 30–60 s) so many visitors don't hammer Gitea.
### C. Report generator (`cc-ci-plan/recipe-report.py` — orchestrator repo)
1. `_table` header: rename `Status` → `TESTS`; add a `STATUS` column. Proposed order:
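Review bot: the `/pr/<recipe>/<n>` `location` in B.1 must constrain both path parameters before anything is proxied, otherwise the reports host becomes an anonymous relay into `git.autonomic.zone`. In `reports.nix` use a regex location that admits only a repo slug and an integer, e.g. `location ~ ^/pr/([A-Za-z0-9._-]+)/([0-9]+)$`, `proxy_pass` to the fixed `https://git.autonomic.zone/api/v1/repos/recipe-maintainers/$1/pulls/$2` rather than interpolating the raw request URI, reject anything other than GET, and do not forward visitor cookies or an `Authorization` header upstream. The 30–60 s `proxy_cache` in B.3 should be keyed on the normalised path and paired with a `limit_req` zone, since the ~30 s client-side polling in section C multiplies the load per open tab.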
@ -81,10 +92,10 @@ needs no token (and the PRs are publicly viewable, which is the point).
`DOMContentLoaded` and then on a ~30 s `setInterval` (true realtime while the tab is open), for each
`.pr-status[data-pr]`:
- `fetch('/pr/' + repo + '/' + pr)` → JSON;
- render: `merged===true` → green **✓** (title "merged"); `state==='closed'` → grey **✗**
(title "closed, not merged"); `state==='open'` → an **open** badge (amber/blue);
- render **binary**: `state === 'open'` → an **`open`** badge; **any other state** (closed/merged) →
a green **✓** (title shows merged vs closed for hover detail, but the glyph is ✓ either way);
network/parse error → a muted "?" (never break the page).
5. Add CSS for the three states (`.pr-open`, `.pr-merged`, `.pr-closed`) + reuse the muted style.
5. Add CSS for the two states (`.pr-open` badge, `.pr-done` ✓) + reuse the muted style.
6. Keep it dependency-free (vanilla fetch), CSP-safe (inline script in the self-contained page), and
resilient (try/catch per cell; the page renders fully even if the proxy is down).
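Review bot: item 6 calls the inline script "CSP-safe", but an inline `<script>` is blocked by any CSP that does not carry `'unsafe-inline'`, a nonce or a hash for it, and the `fetch('/pr/' + repo + '/' + pr)` additionally needs `connect-src 'self'`. State the CSP the report page is actually served with (or add one in `reports.nix`) and either hash the script or relax the policy deliberately. In the render step, treat the proxied JSON as untrusted input: compare `state` against the fixed set `open`/`closed`, build the badge and its hover title with `textContent`/`setAttribute` rather than `innerHTML`, and fall through to the muted "?" for any value outside that set, not only on network/parse errors.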
@ -99,12 +110,11 @@ needs no token (and the PRs are publicly viewable, which is the point).
4. Update `recipe-report/SKILL.md` + the `_table`/page docstring to describe the new columns and the
`/pr/<recipe>/<n>` dependency.
## Risks / decisions for the operator
## Risks / notes
- **Public exposure is one-way in practice** (mirrors get cloned/indexed). The secret-scan (A.1/A.2)
is the gate. Confirm the excluded set (cc-ci-secrets, cc-ci-orchestrator, archived, cc-ci) is right.
- **Proxy vs CORS allow-list:** plan defaults to the same-origin proxy (no external dependency). If you
can get `report.ci.commoninternet.net` added to the autonomic Gitea `[cors] ALLOW_DOMAIN`, we can
drop the proxy and have the JS hit Gitea directly — say which you prefer.
- **Load:** ~20 unauth PR reads per page view. With proxy caching (B.2) this is negligible.
- **"closed not merged"** rendering: do you want ✓ only for merged, and a distinct ✗/grey for
closed-without-merge? (Plan assumes yes.)
is the hard gate before any flip — do not flip a repo that doesn't pass. Excluded set locked:
`cc-ci-secrets`, `cc-ci-orchestrator`, `archived-cc-ci-orchestrator`, `cc-ci` stay private.
- **Load:** ~20 unauth PR reads per page view. With proxy caching (B.3) this is negligible.
- **Order of ops:** the STATUS column is useless until the proxy is live AND the repos are public, but
it degrades gracefully (muted "?") if either is missing — so the generator change can ship first and
light up once B + A land. Recommended order: A (public) → B (proxy) → C (generator) → D (verify).
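Review bot: the first bullet makes the secret scan in A.1/A.2 the hard gate, but a public mirror exposes every ref and the full commit history, not just the current tree, so the gate should be spelled out as a history-wide scan over all branches and tags, and any hit must mean revoke and rotate the credential before the flip rather than merely deleting it from the working tree; the same bullet already notes that exposure is one-way once the mirror is cloned or indexed. The "Proxy vs CORS allow-list" bullet should also record that the CORS option gives up the cache in B.3 and sends every visitor's browser directly to `git.autonomic.zone`, which is worth weighing before choosing it.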