style(1b): auto-format + lint-clean the whole codebase (RL1)

Mechanical, semantics-preserving cleanup so the codebase passes the new lint stage: - ruff format: all 32 Python files (wraps long signatures, normalizes quotes/blank lines). - nixpkgs-fmt: modules/drone-runner.nix. - shfmt (-i 2 -ci): scripts/*.sh. Lint fixes (reviewed, behavior-preserving — no test weakened): - ruff SIM105: try/except-pass -> contextlib.suppress (abra.py app_config rm; lifecycle.py janitor). - ruff SIM115: open().read() -> with open() (run_recipe_ci.py redaction-values + gitea-token). - statix: merge repeated sops `secrets.*` keys into one `secrets = { ... }` (comments kept); empty fn pattern `{ ... }:` -> `_:` (packages.nix). - deadnix: drop unused lambda args (flake `self`; configuration.nix `lib`; overlay `final` -> `_`). Verified on cc-ci: `scripts/lint.sh` -> lint: PASS; nixosConfigurations.cc-ci evaluates; all Python byte-compiles. The deployed bridge/dashboard/runner source changes hash (reformat), so cc-ci will be rebuilt to the new closure in W2 before the cold D1-D10 re-verification. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 20:52:05 +01:00
parent a0ea2f0aa9
commit 2cede01ed7
35 changed files with 431 additions and 185 deletions
--- a/scripts/bootstrap-drone-oauth.sh
+++ b/scripts/bootstrap-drone-oauth.sh
@ -10,7 +10,8 @@
 #   GITEA_USERNAME=autonomic-bot GITEA_PASSWORD=… bash scripts/bootstrap-drone-oauth.sh
 # Optionally ACTIVATE a repo: REPO=recipe-maintainers/cc-ci (default).
 set -euo pipefail
-: "${GITEA_USERNAME:?set GITEA_USERNAME}"; : "${GITEA_PASSWORD:?set GITEA_PASSWORD}"
+: "${GITEA_USERNAME:?set GITEA_USERNAME}"
+: "${GITEA_PASSWORD:?set GITEA_PASSWORD}"
 GITEA="${GITEA:-https://git.autonomic.zone}"
 DRONE="${DRONE:-https://drone.ci.commoninternet.net}"
 CLIENT_ID="${CLIENT_ID:-ab4cdb9d-ee96-4867-875f-87384505fc52}"
@ -18,7 +19,9 @@ REPO="${REPO:-recipe-maintainers/cc-ci}"
 RES=(--resolve "drone.ci.commoninternet.net:443:127.0.0.1")
 export PATH=/run/current-system/sw/bin:"$PATH"

-cj=$(mktemp); dj=$(mktemp); az=$(mktemp)
+cj=$(mktemp)
+dj=$(mktemp)
+az=$(mktemp)
 trap 'rm -f "$cj" "$dj" "$az"' EXIT

 # 1) Gitea web login (CSRF cookie -> form field).
@ -31,9 +34,10 @@ curl -s -b "$cj" -c "$cj" -o /dev/null \
  "$GITEA/user/login"

 # 2) Drone /login -> Gitea authorize URL.
-loc=$(curl -sk -c "$dj" -o /dev/null -D - "${RES[@]}" "$DRONE/login" \
-  | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
-azh=$(mktemp); trap 'rm -f "$cj" "$dj" "$az" "$azh"' EXIT
+loc=$(curl -sk -c "$dj" -o /dev/null -D - "${RES[@]}" "$DRONE/login" |
+  awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
+azh=$(mktemp)
+trap 'rm -f "$cj" "$dj" "$az" "$azh"' EXIT
 curl -sk -b "$cj" -c "$cj" -o "$az" -D "$azh" "$loc"

 # 3) Either the OAuth app auto-approves (bot already granted it earlier => Gitea 302s straight to the
--- a/scripts/lint.sh
+++ b/scripts/lint.sh
@ -9,7 +9,7 @@
 # (shfmt/shellcheck), YAML (yamllint). Run from the repo root.
 set -uo pipefail

-cd "$(dirname "$0")/.."
+cd "$(dirname "$0")/.." || exit 1

 FIX=0
 [ "${1:-}" = "--fix" ] && FIX=1
@ -19,7 +19,7 @@ SHFMT_FLAGS=(-i 2 -ci)

 fail=0
 section() { printf '\n=== %s ===\n' "$1"; }
-note()    { printf '  %s\n' "$1"; }
+note() { printf '  %s\n' "$1"; }

 # Nix files (exclude the `secrets/` submodule).
 mapfile -t NIX_FILES < <(find . -name '*.nix' -not -path './.git/*' -not -path './secrets/*' | sort)
@ -30,7 +30,10 @@ section "Nix — nixpkgs-fmt"
 if [ "$FIX" = 1 ]; then
  nixpkgs-fmt "${NIX_FILES[@]}" || fail=1
 else
-  nixpkgs-fmt --check "${NIX_FILES[@]}" || { note "run: scripts/lint.sh --fix"; fail=1; }
+  nixpkgs-fmt --check "${NIX_FILES[@]}" || {
+    note "run: scripts/lint.sh --fix"
+    fail=1
+  }
 fi

 section "Nix — statix"
@ -51,7 +54,10 @@ section "Python — ruff format"
 if [ "$FIX" = 1 ]; then
  ruff format . || fail=1
 else
-  ruff format --check . || { note "run: scripts/lint.sh --fix"; fail=1; }
+  ruff format --check . || {
+    note "run: scripts/lint.sh --fix"
+    fail=1
+  }
 fi

 section "Python — ruff check"
@ -66,7 +72,10 @@ if [ "${#SH_FILES[@]}" -gt 0 ]; then
  if [ "$FIX" = 1 ]; then
    shfmt "${SHFMT_FLAGS[@]}" -w "${SH_FILES[@]}" || fail=1
  else
-    shfmt "${SHFMT_FLAGS[@]}" -d "${SH_FILES[@]}" || { note "run: scripts/lint.sh --fix"; fail=1; }
+    shfmt "${SHFMT_FLAGS[@]}" -d "${SH_FILES[@]}" || {
+      note "run: scripts/lint.sh --fix"
+      fail=1
+    }
  fi

  section "Shell — shellcheck"