journal(2): drone Q4.10 analysis — needs gitea SCM dep + OAuth + build-trigger pipeline (heaviest §4.3)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ -1097,3 +1097,26 @@ Hold the deploy until the Adversary's mumble cold-verify frees the single node.
- Build approach: EXTRA_ENV callable(domain)→{MAIL_DOMAIN:domain, HOSTNAMES:domain, TRAEFIK_STACK_NAME:
"traefik_ci_commoninternet_net", SITENAME:"ccci", POSTMASTER:"admin", TLS_FLAVOR:"notls"}. Smoke
install,custom first to confirm convergence (esp. certdumper) + find `flask mailu` syntax + health path.
## 2026-05-29 — drone (Q4.10) investigation: needs a gitea SCM dep + OAuth + build-trigger pipeline
drone = single `app` (drone/drone:2.26.0), HEALTH=/healthz, NO backupbot (P4 N/A), real upgrade tags
(1.8.0+2.25.0→1.9.0+2.26.0). KEY: drone is a CI server that REQUIRES exactly one SCM provider — the
base compose's drone.env.tmpl only sets DRONE_RPC_SECRET; the SCM (DRONE_GITEA_CLIENT_ID/SERVER +
client_secret) is supplied by compose.gitea.yml. drone's server FATALs without an SCM provider
configured, so it cannot even BOOT standalone. gitea recipe IS fetchable (dep-deployable).
**Full §4.3 enrollment cost (the heaviest of any §5 recipe):**
1. Deploy gitea as a DEP (deps.py — but gitea is a full git service, heavier than keycloak).
2. Create a gitea OAuth2 application via the gitea admin API → client_id + client_secret.
3. Wire DRONE_GITEA_SERVER/CLIENT_ID + client_secret secret into drone (compose.gitea.yml +
install_steps), then drone boots.
4. §4.3 "create/list builds" needs a drone USER API TOKEN — which drone only issues AFTER an OAuth
login flow against gitea (headless OAuth consent is itself complex), PLUS a synced repo with a
.drone.yml PLUS a push/webhook to trigger a build. That is a full CI-trigger pipeline, multi-system.
**Assessment:** deploying drone+gitea (boot+/healthz) is achievable; the §4.3 create-an-object (a
build) requires OAuth-token + repo-sync + webhook-trigger infra that is disproportionate. §7.1 says
"needs another app"/"needs SSO" are NOT valid excuses (dep resolver exists) — but drone's blocker is
the OAuth-token + build-trigger PIPELINE, beyond a simple dep. **Proposed: build the gitea-dep +
OAuth-at-install wiring so drone BOOTS (install+upgrade green + a health/version/SCM-config functional
= maximal subset), and DEFER the build-creation §4.3 with a DEFERRED.md entry + Adversary §7.1
sign-off** (the create-build pipeline is a dedicated unit). Decide next iteration; gitea-dep wiring is
the main effort. Do NOT deploy concurrently with the Adversary's mailu cold-verify.
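Review bot: the §4.3 deferral in the Assessment paragraph rests on step 4's claim that the headless OAuth consent flow against gitea is "itself complex", but nothing in the entry records whether the user-token path was actually attempted or is only assumed; state which it is before the DEFERRED.md entry goes to the Adversary for §7.1 sign-off, and list the three concrete blockers from step 4 (OAuth user API token, a synced repo carrying .drone.yml, a push/webhook to trigger the build) in the DEFERRED.md entry itself so the sign-off has a specific rationale rather than "disproportionate". The proposed "maximal subset" functional (health/version/SCM-config) should also verify that the DRONE_GITEA_SERVER/CLIENT_ID values and the client_secret wired in step 3 actually reached the drone container, since the entry notes drone FATALs without an SCM provider and a green boot alone would not distinguish a correctly configured OAuth app from a merely present one.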