fix(2): F2-11 — SSO-dep deps-not-ready SKIP no longer yields GREEN !testme
When a DEPS-declaring recipe's setup_custom_tests fails, its @requires_deps (SSO/OIDC) tests skip; a skip-only pytest file exits 0 so the run previously reported overall=0 (GREEN) while the only SSO test never ran (violates P7). Fix preserves generic-tier failure-isolation but corrects the green SIGNAL: - conftest.pytest_collection_modifyitems counts skipped requires_deps tests and appends to $CCCI_DEPS_SKIP_REPORT. - run_recipe_ci: sums the count, surfaces it in RUN SUMMARY, and new pure predicate sso_dep_unverified(declared, deps_ready, skipped) flips overall=1. - 7 new unit tests (tests/unit/test_f211_sso_skip.py). Verified deploy-free (rate-limit-independent): 35/35 unit PASS; cold real-test proof on lasuite-docs test_oidc_with_keycloak.py -> 1 skipped + skip-report==1 -> orchestrator would set overall=1. Full e2e deferred until Docker Hub rate limit lifts. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@ -544,3 +544,48 @@ re-pulls that burn the anonymous quota; let the cache persist). Disk pressure mu
|
||||
by pruning ONLY truly-dangling images, or by the operator growing the cc-ci disk.
|
||||
(Also noted: recipe env is `ONLY_OFFICE_DOMAIN`, underscore — my EXTRA_ENV flattened COLLABORA/MINIO
|
||||
domains but not onlyoffice's; only matters for the WOPI/TLS path, to revisit when base converges.)
|
||||
|
||||
## 2026-05-28 (later) — Gitea restored; consumed Adversary inbox; fixed F2-11 (SSO-skip-goes-green)
|
||||
|
||||
Gitea (git.autonomic.zone) recovered ~21:08Z (orchestrator confirmed). Reconciled: `git pull --rebase`
|
||||
(up to date), pushed my 2 queued local commits (1138d77 + 4a118ea → origin), then a 3rd pull picked up
|
||||
the Adversary's `b941f55` (its outage-queued writes: F2-11 + REVIEW-2 idle checkpoint + BUILDER-INBOX).
|
||||
Consumed + deleted BUILDER-INBOX. The 3 watchdog pings during the outage were phantoms (Adversary's
|
||||
failed push retries) — nothing was lost.
|
||||
|
||||
**Adversary's BUILDER-INBOX (digested):** DONE-gate warnings (F2-7 authentik, F2-9 cryptpad create-pad,
|
||||
ghost §4.3 create-post floor, Q3.2 drive specifics, full P1–P8 Q5 re-verify) — all need deploys, so
|
||||
gated on the Docker Hub rate limit. Plus **F2-11** (medium, not a VETO), which is pure code → fixed it
|
||||
now (rate-limit-independent).
|
||||
|
||||
**F2-11 — SSO-dep "deps-not-ready" SKIP must not yield a GREEN run.** Adversary cold-proved: when
|
||||
`setup_custom_tests` fails for a DEPS-declaring recipe, `CCCI_DEPS_READY=0` → conftest skips every
|
||||
`@requires_deps` test → a skip-only pytest file exits 0 → `run_custom` returns "pass" → `overall=0` →
|
||||
`!testme` GREEN while the only SSO/OIDC test never ran. Violates P7.
|
||||
|
||||
Why my fix is shaped this way: the failure-isolation design (a transient SSO-setup failure must not
|
||||
break the *generic* tier signal) is correct and I kept it — generic tier results stand untouched. The
|
||||
defect was only that the green SIGNAL was indistinguishable from "SSO verified." So I correct the
|
||||
signal, not the isolation:
|
||||
- `conftest.pytest_collection_modifyitems` now COUNTS the requires_deps tests it skips and appends the
|
||||
count to `$CCCI_DEPS_SKIP_REPORT` (one line per pytest invocation; orchestrator sums across the
|
||||
per-custom-file loop). Chose a filesystem report (not exit code) because pytest has no "fail on
|
||||
skip" and a skip-only file legitimately exits 0 — the orchestrator already shares run-scoped temp
|
||||
files with the pytest subprocess (depsfile/statefile/countfile), so this matches the pattern.
|
||||
- `run_recipe_ci`: reads + sums the count, surfaces it in RUN SUMMARY (`custom: pass (N requires_deps
|
||||
SKIPPED ... SSO UNVERIFIED)`), and a new pure predicate `sso_dep_unverified(declared, deps_ready,
|
||||
skipped)` flips `overall=1` when a recipe declares DEPS + deps not ready + ≥1 requires_deps skipped.
|
||||
Gated on skip>0 so a deps-declaring recipe with no requires_deps tests isn't false-failed.
|
||||
|
||||
Verified (both deploy-free — rate-limit-independent):
|
||||
1. `cc-ci-run -m pytest tests/unit -q` → **35 passed** (28 prior + 7 new in test_f211_sso_skip.py:
|
||||
predicate truth table + conftest skip/record/append/noop-when-ready).
|
||||
2. Cold real-test proof on cc-ci: `CCCI_DEPS_READY=0 CCCI_DEPS_SKIP_REPORT=/tmp/f211-skip.txt
|
||||
cc-ci-run -m pytest tests/lasuite-docs/functional/test_oidc_with_keycloak.py -rs` → `1 skipped`,
|
||||
`PYTEST_EXIT=0` (the hazard), but `/tmp/f211-skip.txt` now contains `1` → orchestrator would compute
|
||||
`sso_dep_unverified(["keycloak"], False, 1)=True` → `overall=1`. Hazard closed.
|
||||
|
||||
Full e2e (real deploy with a forced setup_custom_tests failure → observe overall=1) deferred to when
|
||||
the Docker Hub rate limit lifts; the unit + cold-real-test proofs cover the predicate, the conftest
|
||||
signal on real files, and the count flow — only the sequential read→sum→predicate→overall wiring is
|
||||
unexercised by a live run, and it's straight-line code.
|
||||
|
||||
@ -69,6 +69,38 @@ Remaining substantial: Q3.2 lasuite-drive (needs mirror), Q3.3 lasuite-meet (mir
|
||||
immich (needs mirror), Q4.2/Q4.5-7/Q4.9-10 (mostly need mirror). The mirror-and-enroll path is
|
||||
established (recipe-create-pr skill); pausing this sprint for Adversary cold-verify.
|
||||
|
||||
## Adversary findings — Builder response
|
||||
|
||||
**F2-11 — FIXED, awaiting Adversary re-verify** (commit: `git log --oneline | grep 'F2-11'`).
|
||||
SSO-dep "deps-not-ready"
|
||||
SKIP no longer yields a GREEN `!testme`.
|
||||
- **WHAT:** when a recipe declares `DEPS` and `setup_custom_tests` fails (deps not ready) so its
|
||||
`@requires_deps` (SSO/OIDC) tests SKIP, the run now reports **FAIL** (`overall=1`), not green —
|
||||
while generic-tier failure-isolation is preserved (install/upgrade/backup/restore results stand).
|
||||
- **WHERE (code):**
|
||||
- `tests/conftest.py::pytest_collection_modifyitems` — now counts the requires_deps tests it skips
|
||||
and appends the count to `$CCCI_DEPS_SKIP_REPORT`.
|
||||
- `runner/run_recipe_ci.py` — sets `CCCI_DEPS_SKIP_REPORT` (run-scoped temp, near `depsfile`);
|
||||
after teardown sums the count into `requires_deps_skipped`; RUN SUMMARY annotates the custom tier
|
||||
(`custom: pass (N requires_deps SKIPPED ... SSO UNVERIFIED)`); new pure predicate
|
||||
`sso_dep_unverified(declared, deps_ready, requires_deps_skipped)` flips `overall=1`.
|
||||
- `tests/unit/test_f211_sso_skip.py` — 7 new unit tests.
|
||||
- **HOW to verify (both deploy-free, rate-limit-independent):**
|
||||
1. `ssh cc-ci 'cd /root/cc-ci && cc-ci-run -m pytest tests/unit -q'` → **EXPECTED: 35 passed**
|
||||
(28 prior + 7 F2-11).
|
||||
2. Cold real-test signal proof:
|
||||
`ssh cc-ci 'cd /root/cc-ci && rm -f /tmp/f211-skip.txt && CCCI_DEPS_READY=0 \
|
||||
CCCI_DEPS_NOT_READY_REASON=boom CCCI_DEPS_SKIP_REPORT=/tmp/f211-skip.txt \
|
||||
cc-ci-run -m pytest tests/lasuite-docs/functional/test_oidc_with_keycloak.py -rs; \
|
||||
cat /tmp/f211-skip.txt'`
|
||||
→ **EXPECTED:** `1 skipped`, pytest exit 0 (the hazard), and `/tmp/f211-skip.txt` == `1`. Since
|
||||
lasuite-docs declares `DEPS=["keycloak"]`, the orchestrator computes
|
||||
`sso_dep_unverified(["keycloak"], False, 1)=True` → `overall=1`.
|
||||
- **NOT verified by a live run yet:** full e2e (real deploy with forced setup_custom_tests failure →
|
||||
observe `overall=1`) is deferred until the Docker Hub rate limit (## Blocked) lifts. The two proofs
|
||||
above cover the predicate, the conftest signal on real files, and the count flow; only the
|
||||
straight-line read→sum→predicate→overall wiring is unexercised by a live deploy.
|
||||
|
||||
## Gate
|
||||
**Gate: Q2 — Adversary PASS @2026-05-28** (REVIEW-2 `## Q2 — PASS @2026-05-28 (re-verify after
|
||||
F2-5 fix + F2-6 collateral resolution)`; cold e2e on `/root/adv-verify` HEAD `874bfbb`:
|
||||
|
||||
Reference in New Issue
Block a user