fix(2): R014 — chaos base deploy for recipes with lightweight tags (replaces fragile origin-repoint)

The origin-repoint approach hit go-git 'reference not found' (mirror HEAD→master vs main). Simpler +
robust: detect lightweight version tags (has_lightweight_version_tags, read-only) and, for the pinned
base deploy of such a recipe, use chaos — which SKIPS abra lint (so no R014 FATA) and deploys the
EXPLICITLY-checked-out pinned version (recipe_checkout already ran; chaos uses the current checkout,
so it's the prev version, NOT LATEST — F1d-2's hazard was the missing checkout). No-op / stays pinned
for all-annotated recipes. The upgrade tier's prev→PR-head crossover + HC1 (chaos-version==head_ref)
still hold (verified by the run's upgrade-tier log).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-29 14:15:07 +01:00
parent ad06a5dd3f
commit 72719fe0d7
2 changed files with 28 additions and 58 deletions

View File

@ -145,12 +145,22 @@ def deploy_app(
# on-disk compose/.env match, and deploy NON-chaos below (chaos ignores the pin → deployed LATEST,
# Adversary F1d-2). Chaos is correct ONLY for the version=None case (deploy the current PR-head
# checkout). Order matters: checkout before secret_generate (-C) so secrets match the pinned tree.
chaos = version is None
if version:
abra.recipe_checkout(recipe, version)
# A pinned (non-chaos) deploy runs `abra recipe lint`; normalize any stray lightweight
# upstream tags to annotated so R014 doesn't FATA the whole recipe (changes no deployed
# content — see abra.normalize_recipe_tags). No-op for recipes with all-annotated tags.
abra.normalize_recipe_tags(recipe)
# A pinned (non-chaos) deploy runs `abra recipe lint`, which FATAs R014 ('only annotated
# tags') if the upstream recipe ships a stray lightweight version tag (e.g. lasuite-meet's
# 0.3.0+v1.16.0). In that case deploy the EXPLICITLY-checked-out pinned version with chaos:
# chaos skips lint and deploys the current checkout (we just checked out `version`), so it
# still deploys the intended pinned version — not LATEST (the F1d-2 hazard was a *missing*
# checkout, which recipe_checkout above fixes). No-op for all-annotated recipes (stays pinned).
if abra.has_lightweight_version_tags(recipe):
print(
f" deploy_app({recipe}@{version}): lightweight upstream tag present → chaos base "
"deploy of the checked-out pinned version (skips R014 lint; not LATEST)",
flush=True,
)
chaos = True
# Pin DOMAIN to the run domain explicitly. `abra app new -D` fills it for recipes whose
# .env.sample uses a literal placeholder, but NOT for ones using a `{{ .Domain }}` Go-template
# (this abra version leaves it unexpanded → deploy fails "can't evaluate field Domain"). Setting
@ -163,7 +173,7 @@ def deploy_app(
abra.secret_generate(domain)
if install_steps_hook:
_run_install_steps(install_steps_hook, recipe, domain)
abra.deploy(domain, chaos=(version is None), timeout=deploy_timeout)
abra.deploy(domain, chaos=chaos, timeout=deploy_timeout)
def _stack_name(domain: str) -> str: