style(1b): auto-format + lint-clean the whole codebase (RL1)

Mechanical, semantics-preserving cleanup so the codebase passes the new lint stage: - ruff format: all 32 Python files (wraps long signatures, normalizes quotes/blank lines). - nixpkgs-fmt: modules/drone-runner.nix. - shfmt (-i 2 -ci): scripts/*.sh. Lint fixes (reviewed, behavior-preserving — no test weakened): - ruff SIM105: try/except-pass -> contextlib.suppress (abra.py app_config rm; lifecycle.py janitor). - ruff SIM115: open().read() -> with open() (run_recipe_ci.py redaction-values + gitea-token). - statix: merge repeated sops `secrets.*` keys into one `secrets = { ... }` (comments kept); empty fn pattern `{ ... }:` -> `_:` (packages.nix). - deadnix: drop unused lambda args (flake `self`; configuration.nix `lib`; overlay `final` -> `_`). Verified on cc-ci: `scripts/lint.sh` -> lint: PASS; nixosConfigurations.cc-ci evaluates; all Python byte-compiles. The deployed bridge/dashboard/runner source changes hash (reformat), so cc-ci will be rebuilt to the new closure in W2 before the cold D1-D10 re-verification. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 20:52:05 +01:00
parent a0ea2f0aa9
commit 2cede01ed7
35 changed files with 431 additions and 185 deletions
--- a/runner/run_recipe_ci.py
+++ b/runner/run_recipe_ci.py
@ -14,6 +14,7 @@ tests/<recipe>/. Teardown is guaranteed by the conftest fixture finalizer.
 Run env (python with pytest+playwright, PLAYWRIGHT_BROWSERS_PATH) is provided by `cc-ci-run`
 (modules/harness.nix); invoke as:  cc-ci-run runner/run_recipe_ci.py
 """
+
 from __future__ import annotations

 import glob
@ -26,6 +27,7 @@ import tempfile
 ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 sys.path.insert(0, os.path.join(ROOT, "runner"))
 from harness import lifecycle, naming  # noqa: E402
+
 STAGE_FILES = {
    "install": "test_install.py",
    "upgrade": "test_upgrade.py",
@ -40,7 +42,8 @@ def _redact_values() -> list[str]:
    vals = set()
    for p in glob.glob("/run/secrets/*"):
        try:
-            v = open(p).read().strip()
+            with open(p) as f:
+                v = f.read().strip()
        except OSError:
            continue
        if len(v) >= 8:
@ -55,8 +58,15 @@ def run_stage_redacted(cmd: list[str], env: dict | None = None) -> int:
    """Run a stage subprocess, streaming its output live (so Drone logs stay tail-able) but masking
    any known infra-secret value first. Belt-and-suspenders: the harness already never prints
    secrets and abra doesn't echo generated ones."""
-    proc = subprocess.Popen(cmd, cwd=ROOT, env=env, stdout=subprocess.PIPE,
-                            stderr=subprocess.STDOUT, text=True, bufsize=1)
+    proc = subprocess.Popen(
+        cmd,
+        cwd=ROOT,
+        env=env,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.STDOUT,
+        text=True,
+        bufsize=1,
+    )
    assert proc.stdout is not None
    for line in proc.stdout:
        for v in _REDACT:
@ -70,7 +80,8 @@ def run_stage_redacted(cmd: list[str], env: dict | None = None) -> int:
 def _gitea_token() -> str | None:
    tok = os.environ.get("GITEA_TOKEN")
    if not tok and os.path.exists("/run/secrets/bridge_gitea_token"):
-        tok = open("/run/secrets/bridge_gitea_token").read().strip()
+        with open("/run/secrets/bridge_gitea_token") as f:
+            tok = f.read().strip()
    return tok or None


@ -97,8 +108,10 @@ def fetch_recipe(recipe: str, ref: str | None, src: str | None) -> None:
        # to a foreign host). Non-fatal: if upstream is unreachable, upgrade degrades to a skip.
        upstream = f"https://git.coopcloud.tech/coop-cloud/{recipe}.git"
        # Explicit tags refspec — a bare `fetch --tags <url>` errors "couldn't find remote ref HEAD".
-        subprocess.run(["git", "-C", dest, "fetch", "--quiet", upstream,
-                        "refs/tags/*:refs/tags/*"], check=False)
+        subprocess.run(
+            ["git", "-C", dest, "fetch", "--quiet", upstream, "refs/tags/*:refs/tags/*"],
+            check=False,
+        )
    else:
        # Clean re-fetch from the catalogue. rm first so a leftover dir from a prior SRC+REF run
        # (which points origin at the private mirror and may lack version tags) can't poison the
@ -178,7 +191,9 @@ def run_recipe_local(recipe: str, local_tests: str | None) -> int | None:
        lifecycle.deploy_app(recipe, domain, version=os.environ.get("VERSION") or None)
        lifecycle.wait_healthy(domain)
        env = dict(os.environ, CCCI_APP_DOMAIN=domain, CCCI_BASE_URL=f"https://{domain}")
-        return run_stage_redacted([sys.executable, "-m", "pytest", "-v", "-rA", local_tests], env=env)
+        return run_stage_redacted(
+            [sys.executable, "-m", "pytest", "-v", "-rA", local_tests], env=env
+        )
    finally:
        lifecycle.teardown_app(domain, verify=False)