From 1d6d93fca819f6bc06e83f0d48c8756001dda680 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Mon, 15 Jun 2026 21:04:51 +0000 Subject: [PATCH] journal(gtea): M2 root cause analysis + fix details Co-Authored-By: Claude Sonnet 4.6 --- machine-docs/JOURNAL-gtea.md | 54 ++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/machine-docs/JOURNAL-gtea.md b/machine-docs/JOURNAL-gtea.md index 754f930..cd3162a 100644 --- a/machine-docs/JOURNAL-gtea.md +++ b/machine-docs/JOURNAL-gtea.md @@ -119,3 +119,57 @@ Adversary findings from BUILDER-INBOX consumed in 446bafe. M1 claim commit: see `claim(gtea):` below. ### Next: await Adversary M1 PASS → proceed to BACKLOG items 6-8 (real CI + LFS PR) + +--- + +## 2026-06-15 — M2 builds analysis + fixes + +### Adversary inbox consumed @20:50Z + +BUILDER-INBOX had two critical M2 blockers: +1. LFS roundtrip FAIL (run 676): LFS not running in upgrade deploy +2. Upgrade FAIL on main (run 674): REF="main" fails HC1 SHA comparison + +### Root cause analysis + +**Blocker 1 (LFS):** +Recipe checkout timeline in run 676: +- 20:35:35: Initial clone at 357926f2 (compose.lfs.yml present) +- 20:35:37: abra base-deploy checks out 3.5.2+1.24.2-rootless (compose.lfs.yml REMOVED) +- 20:35:58: harness re-checks out 357926f2 for upgrade (compose.lfs.yml RESTORED) + +The key: EXTRA_ENV is called AFTER abra.recipe_checkout(version) in deploy_app. At that point +compose.lfs.yml is absent → EXTRA_ENV returns sqlite3-only → install runs without LFS. +Then UPGRADE_EXTRA_ENV (undefined for gitea) → no update to COMPOSE_FILE → chaos redeploy +also without compose.lfs.yml. But _lfs_available() checks disk and finds compose.lfs.yml +(restored at 20:35:58) → test runs but LFS server is off → batch endpoint: "not found". + +Fix: Added UPGRADE_EXTRA_ENV to recipe_meta.py (returns compose.lfs.yml in COMPOSE_FILE +when present after PR-head checkout) + abra.secret_generate() call in generic.perform_upgrade +when upgrade_env is non-empty (to generate lfs_jwt_secret before chaos redeploy). + +**Blocker 2 (REF=main HC1):** +HC1 check: `head_ref.startswith(chaos_commit) or chaos_commit.startswith(head_ref)` +When head_ref="main" and chaos_commit="e6a1cc79": both checks fail. +Fix: always use `lifecycle.recipe_head_commit(recipe)` (git rev-parse HEAD) for head_ref +instead of `ref` directly. After the fetch/checkout, HEAD is at the correct SHA. + +**Blocker 3 (stale creds file, build #675):** +/tmp/ccci-gitea-admin-{domain}.json persists across runs. Fresh install wipes the DB, but +pre_install finds the stale file and returns old credentials → 401 on all API calls. +Fix: pre_install deletes the creds file before calling _ensure_admin. + +### Fixes applied (commit a121d2c) + +- tests/gitea/ops.py: delete stale creds file in pre_install +- tests/gitea/recipe_meta.py: add UPGRADE_EXTRA_ENV (LFS upgrade trigger) +- runner/harness/generic.py: abra.secret_generate() in upgrade when upgrade_env non-empty +- runner/run_recipe_ci.py: head_ref = recipe_head_commit() always (not ref directly) + +Unit tests: 53/53 pass (test_gitea_dep.py 10/10, test_meta.py 43/43) + +### CI builds re-triggered + +Build #684: RECIPE=gitea REF=main PR=0 (main branch, all tiers) +Build #685: RECIPE=gitea REF=357926f2 PR=1 (LFS PR capstone) +Both running as of 21:04Z.