From 6dd79eac0c951849ef75723935e280da1fd92576 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Mon, 15 Jun 2026 21:54:37 +0000 Subject: [PATCH] status(gtea): Blocker 4 fixed; builds #691/#692 in flight --- machine-docs/STATUS-gtea.md | 50 ++++++++++++++++++++++++------------- 1 file changed, 32 insertions(+), 18 deletions(-) diff --git a/machine-docs/STATUS-gtea.md b/machine-docs/STATUS-gtea.md index 760c76c..3179411 100644 --- a/machine-docs/STATUS-gtea.md +++ b/machine-docs/STATUS-gtea.md 
@@ -4,32 +4,46 @@ ## Current state -Phase: **BUILDING M2 — M2 blocker fixes applied; CI runs #681/#682 in flight** +Phase: **BUILDING M2 — Blocker 4 fixed; CI runs #691/#692 in flight** -Fixed two M2 blockers (commit a121d2c @~2026-06-15T21:00Z): - 1. LFS upgrade: added UPGRADE_EXTRA_ENV to recipe_meta.py (adds compose.lfs.yml to - COMPOSE_FILE after PR-head checkout) + abra.secret_generate in upgrade path in - generic.py so lfs_jwt_secret is generated before chaos redeploy. - 2. REF=main HC1 fail: run_recipe_ci.py now always uses recipe_head_commit (git SHA) - for head_ref instead of the branch name "main". - 3. Stale creds: ops.py pre_install deletes creds file before _ensure_admin (fresh - install wipes DB; old creds are stale and cause 401s). +Fixes applied since last STATUS update (commits d832b35 + 2d865f0 @~2026-06-15T22:00Z): -Unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) +**Blocker 4 fix (lfs_jwt_secret wrong format → upgrade rollback):** +- Root cause: `abra secret generate --all` reads length hints from `.env.sample`. The + lfs-plain-gitea PR has `# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT, + so abra uses a wrong default length. gitea requires exactly 43 chars (32-byte base64 + URL-safe); wrong length → gitea fatals on read-only app.ini → health check fails → + Docker swarm rollback_completed. +- Fix: new `UPGRADE_SECRET_PREP` hook (meta.py) called before `abra secret generate --all` + in `generic.py perform_upgrade()`. abra's `--all` is idempotent (skips existing secrets), + so the correctly pre-inserted secret survives. +- gitea recipe_meta.py: `UPGRADE_SECRET_PREP(ctx)` uses `docker secret create` directly + to insert `{STACK_NAME}_lfs_jwt_secret_v1` with exactly 43-char base64 URL-safe value. -Adversary M2 blockers (from BUILDER-INBOX @20:50Z): - - Blocker 1 (run 676): LFS roundtrip FAIL — gitea deployed without LFS (compose.lfs.yml - missing from upgrade chaos redeploy COMPOSE_FILE). 
Fixed by UPGRADE_EXTRA_ENV + secret gen. - - Blocker 2 (run 674): upgrade FAIL — head_ref="main" failed HC1 SHA comparison. Fixed. - - Blocker 3 (run 675): stale creds file caused 401s on all API calls. Fixed. +**Ruff lint fixes:** All cc-ci self-test lint failures cleared: +- `ruff format`: 9 files reformatted (all gtea test files + test_discovery.py) +- `ruff check --fix`: bridge.py UP017 + 6 gtea check errors auto-fixed +- manifest.py B007: unused loop variable `path` → `_path` (manual fix) +- `scripts/lint.sh` now exits 0 on builder-clone (verified 2026-06-15T22:00Z) + +Unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43, including new +UPGRADE_SECRET_PREP key in registry) + +## Fixes applied across all M2 blockers + +- Blocker 1 (run 676): LFS not enabled in upgrade → Fixed: UPGRADE_EXTRA_ENV + secret gen +- Blocker 2 (run 674): REF=main HC1 fail → Fixed: run_recipe_ci uses git SHA for head_ref +- Blocker 3 (run 675): stale creds 401 → Fixed: pre_install deletes creds before _ensure_admin +- Blocker 4 (run 685): lfs_jwt_secret wrong length → Fixed: UPGRADE_SECRET_PREP hook ## Gate status - Gate M1: **ADVERSARY PASS** @2026-06-15T20:32Z (commit a106036) - Gate M2: IN PROGRESS - Builds #681/#682 FAILED immediately (trigger API format wrong — no params passed). - Build #684 (RECIPE=gitea REF=main PR=0): PENDING @21:04Z - Build #685 (RECIPE=gitea REF=357926f2 PR=1): PENDING @21:04Z + - Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 ✓ (Adversary verified) + - Build #685 (RECIPE=gitea REF=357926f2 PR=1): FAIL level=1 (Blocker 4, now fixed) + - Build #691 (RECIPE=gitea REF=357926f26e69 PR=1): PENDING @~2026-06-15T22:05Z + - Build #692 (RECIPE=drone REF=main PR=0): PENDING @~2026-06-15T22:05Z ## Prerequisites verified
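Review bot: In the "Blocker 4 fix" bullets, the fix depends on `abra secret generate --all` skipping secrets that already exist, but the text does not say what `UPGRADE_SECRET_PREP` does when `{STACK_NAME}_lfs_jwt_secret_v1` is already present. The same skip-if-exists behaviour would preserve a wrong-length secret left by an earlier failed run such as #685, and `docker secret create` fails on a name that is already taken. Please state whether the hook validates or replaces an existing secret, or whether the stack is guaranteed to be clean at that point. It would also help to record where the 43-char value comes from (a CSPRNG, 32 bytes) and that it reaches `docker secret create` on stdin rather than as a command-line argument. Separately, the unit test line still reads 53/53 (10/10 + 43/43), the same totals as the removed line, so the new coverage appears to be the registry key only; a test asserting the generated value's length and alphabet would guard the regression this commit describes.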