feat(recipe-upgrade): upstream release-notes registry + recipe-README read (recipe-maintainer parity)

Close the two gaps vs recipe-maintainer's recipe-upgrade-plan: - Per-recipe release-notes registry at cc-ci-plan/upstream/<recipe>.md (discover the source repo + releases/changelog URL for each image once, persist+commit, reuse) — fetch release notes FROM those URLs instead of rediscovering ad-hoc each run. Format doc + cryptpad seed included. - Explicitly read the recipe's README for shipped upgrade/migration notes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-05 01:28:27 +00:00
parent f4b1befbdd
commit f0716764db
3 changed files with 55 additions and 4 deletions
--- a/cc-ci-plan/upstream/README.md
+++ b/cc-ci-plan/upstream/README.md
@ -0,0 +1,30 @@
+# Upstream release-notes registry
+
+Per-recipe maps of **where each image's release notes / changelog live**. This is the cc-ci analog of
+recipe-maintainer's `recipe-info/<recipe>/upstream.md`: the `/recipe-upgrade` skill reads
+`cc-ci-plan/upstream/<recipe>.md` so it doesn't have to rediscover the upstream source for every image
+on every weekly run — discover once, persist, reuse.
+
+## How `/recipe-upgrade` uses it (step 1)
+1. Read `cc-ci-plan/upstream/<recipe>.md`.
+2. If it's **missing**, or an image in the recipe's `compose.yml` **isn't covered** (new/renamed
+   service), discover the upstream project + releases page for each uncovered image (WebSearch the
+   image → its GitHub/source repo → its releases/changelog page), then **write/update** this file and
+   commit it (`git -C /srv/cc-ci-orch add cc-ci-plan/upstream/<recipe>.md && commit && push`).
+3. Fetch the release notes **from these URLs** between the current → target version of each service.
+
+## Format (one file per recipe)
+```markdown
+# Upstream sources — <recipe>
+
+| service | image | source repo | releases / changelog |
+|---------|-------|-------------|----------------------|
+| app     | cryptpad/cryptpad | https://github.com/cryptpad/cryptpad | https://github.com/cryptpad/cryptpad/releases |
+| web     | nginx             | https://github.com/nginx/nginx       | https://nginx.org/en/CHANGES |
+
+## Standing notes
+- <recipe-specific upgrade gotchas worth remembering between runs, e.g. "n8n: postgres volume path
+  changed from /var/lib/postgresql/data to /var/lib/postgresql in 2.2x">
+```
+Keep URLs canonical (the project's own releases/CHANGES page, not a mirror). Add a **Standing notes**
+section for migration gotchas you only want to learn once.
--- a/cc-ci-plan/upstream/cryptpad.md
+++ b/cc-ci-plan/upstream/cryptpad.md
@ -0,0 +1,12 @@
+# Upstream sources — cryptpad
+
+| service | image | source repo | releases / changelog |
+|---------|-------|-------------|----------------------|
+| app     | cryptpad/cryptpad | https://github.com/cryptpad/cryptpad | https://github.com/cryptpad/cryptpad/releases |
+| web     | nginx             | https://github.com/nginx/nginx       | https://nginx.org/en/CHANGES |
+
+## Standing notes
+- `abra recipe upgrade` cannot parse the `version-YYYY.M.D` tag format of the cryptpad/cryptpad image,
+  so the app image is bumped by hand; the nginx sidecar is what `abra recipe upgrade` actually moves.
+- nginx is HTTP/1.1-only here (sidecar on :8083, `proxy_http_version 1.1`), so HTTP/2/3 CVE changes in
+  nginx releases generally don't affect this recipe — but still note them.