From 3c79e3de32b2cd6e20233fd515de42cf3e4af1ac Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 29 May 2026 21:46:06 +0100 Subject: [PATCH] =?UTF-8?q?journal(2):=20drone=20Q4.10=20analysis=20?= =?UTF-8?q?=E2=80=94=20needs=20gitea=20SCM=20dep=20+=20OAuth=20+=20build-t?= =?UTF-8?q?rigger=20pipeline=20(heaviest=20=C2=A74.3)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- machine-docs/JOURNAL-2.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/machine-docs/JOURNAL-2.md b/machine-docs/JOURNAL-2.md index 4fd85fd..9db9d29 100644 --- a/machine-docs/JOURNAL-2.md +++ b/machine-docs/JOURNAL-2.md 
@@ -1097,3 +1097,26 @@ Hold the deploy until the Adversary's mumble cold-verify frees the single node. - Build approach: EXTRA_ENV callable(domain)→{MAIL_DOMAIN:domain, HOSTNAMES:domain, TRAEFIK_STACK_NAME: "traefik_ci_commoninternet_net", SITENAME:"ccci", POSTMASTER:"admin", TLS_FLAVOR:"notls"}. Smoke install,custom first to confirm convergence (esp. certdumper) + find `flask mailu` syntax + health path. + +## 2026-05-29 — drone (Q4.10) investigation: needs a gitea SCM dep + OAuth + build-trigger pipeline +drone = single `app` (drone/drone:2.26.0), HEALTH=/healthz, NO backupbot (P4 N/A), real upgrade tags +(1.8.0+2.25.0→1.9.0+2.26.0). KEY: drone is a CI server that REQUIRES exactly one SCM provider — the +base compose's drone.env.tmpl only sets DRONE_RPC_SECRET; the SCM (DRONE_GITEA_CLIENT_ID/SERVER + +client_secret) is supplied by compose.gitea.yml. drone's server FATALs without an SCM provider +configured, so it cannot even BOOT standalone. gitea recipe IS fetchable (dep-deployable). +**Full §4.3 enrollment cost (the heaviest of any §5 recipe):** +1. Deploy gitea as a DEP (deps.py — but gitea is a full git service, heavier than keycloak). +2. Create a gitea OAuth2 application via the gitea admin API → client_id + client_secret. +3. Wire DRONE_GITEA_SERVER/CLIENT_ID + client_secret secret into drone (compose.gitea.yml + + install_steps), then drone boots. +4. §4.3 "create/list builds" needs a drone USER API TOKEN — which drone only issues AFTER an OAuth + login flow against gitea (headless OAuth consent is itself complex), PLUS a synced repo with a + .drone.yml PLUS a push/webhook to trigger a build. That is a full CI-trigger pipeline, multi-system. +**Assessment:** deploying drone+gitea (boot+/healthz) is achievable; the §4.3 create-an-object (a +build) requires OAuth-token + repo-sync + webhook-trigger infra that is disproportionate. 
§7.1 says +"needs another app"/"needs SSO" are NOT valid excuses (dep resolver exists) — but drone's blocker is +the OAuth-token + build-trigger PIPELINE, beyond a simple dep. **Proposed: build the gitea-dep + +OAuth-at-install wiring so drone BOOTS (install+upgrade green + a health/version/SCM-config functional += maximal subset), and DEFER the build-creation §4.3 with a DEFERRED.md entry + Adversary §7.1 +sign-off** (the create-build pipeline is a dedicated unit). Decide next iteration; gitea-dep wiring is +the main effort. Do NOT deploy concurrently with the Adversary's mailu cold-verify.
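Review bot: step 2 of the enrollment cost list ("Create a gitea OAuth2 application via the gitea admin API → client_id + client_secret") leaves out two things the install_steps wiring in step 3 will need, and both are blockers, not details. First, the gitea admin API has to be authenticated at install time, so the gitea dep from step 1 must bootstrap an admin account or token that the drone install step can reach; the entry should say how that credential is created and where it is kept, since otherwise step 2 cannot run headlessly. Second, the OAuth2 application needs a redirect URI that matches the URL drone is reached at, or the step 4 login flow against gitea fails before any user token is issued; record which hostname/scheme will be used for drone so DRONE_GITEA_SERVER and the gitea-side redirect agree. Also, since drone.env.tmpl already carries DRONE_RPC_SECRET, state explicitly that the gitea client_secret goes in through the secrets path rather than being appended to drone.env, so the "client_secret secret" in step 3 is not read as an env variable. These belong in the DEFERRED.md entry as well, because the deferred create-build pipeline depends on them.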