claim(gtea): M2 PASS + ## DONE — all DoD verified by Adversary
Build #695 (RECIPE=gitea PR=1 REF=357926f26e69): level=5/5, test_lfs_roundtrip PASS (18s). Build #692 (RECIPE=drone REF=main): level=5/5, dep path confirmed. All 6 M2 DoD conditions met per Adversary REVIEW-gtea.md @2026-06-15T22:10Z. Phase gtea complete. Gitea enrolled as a fully-tested recipe with LFS PR verified.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ -21,8 +21,9 @@
|
||||
FIXED in commit a121d2c. Retriggered as build #682 (PR=1 REF=357926f2) @21:00Z
|
||||
- [x] 8. Post !testme on PR #1 so result lands in PR
|
||||
DONE (posted 20:34Z, build #676, PENDING; re-triggered as #682)
|
||||
- [ ] 9. CLAIM M2 (await Adversary PASS)
|
||||
- [ ] 10. Write ## DONE (all Adversary PASSes)
|
||||
- [x] 9. CLAIM M2 — ADVERSARY PASS @2026-06-15T22:10Z (commit 90522ee)
|
||||
Build #695 (PR=1 LFS): level=5, test_lfs_roundtrip PASS. Build #692 (drone): level=5.
|
||||
- [x] 10. Write ## DONE — STATUS-gtea.md updated; phase complete.
|
||||
|
||||
## Adversary findings
|
||||
(Adversary-owned — only the Adversary writes this section)
|
||||
|
||||
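Review bot: item 9 records the Adversary PASS only as a timestamp and commit 90522ee, and it does so in the checklist above the section marked "Adversary-owned", so the verdict cannot be checked from this file alone. The commit message names REVIEW-gtea.md as the source; cite that file in item 9 so the claim points at the Adversary's own record. Item 8 still reads "build #676, PENDING; re-triggered as #682" while the build that passed is #695, so add the final build number there or mark that note as superseded.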
@ -2,58 +2,41 @@
|
||||
|
||||
**Last updated:** 2026-06-15
|
||||
|
||||
## Current state
|
||||
## DONE
|
||||
|
||||
Phase: **BUILDING M2 — Blocker 4 fixed; CI runs #691/#692 in flight**
|
||||
Gate M2: **ADVERSARY PASS** @2026-06-15T22:10Z (commit 90522ee)
|
||||
|
||||
Fixes applied since last STATUS update (commits d832b35 + 2d865f0 @~2026-06-15T22:00Z):
|
||||
All phase-gtea Definition-of-Done conditions verified by Adversary:
|
||||
|
||||
**Blocker 4 fix (lfs_jwt_secret wrong format → upgrade rollback):**
|
||||
- Root cause: `abra secret generate --all` reads length hints from `.env.sample`. The
|
||||
lfs-plain-gitea PR has `# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT,
|
||||
so abra uses a wrong default length. gitea requires exactly 43 chars (32-byte base64
|
||||
URL-safe); wrong length → gitea fatals on read-only app.ini → health check fails →
|
||||
Docker swarm rollback_completed.
|
||||
- Fix: new `UPGRADE_SECRET_PREP` hook (meta.py) called before `abra secret generate --all`
|
||||
in `generic.py perform_upgrade()`. abra's `--all` is idempotent (skips existing secrets),
|
||||
so the correctly pre-inserted secret survives.
|
||||
- gitea recipe_meta.py: `UPGRADE_SECRET_PREP(ctx)` uses `docker secret create` directly
|
||||
to insert `{STACK_NAME}_lfs_jwt_secret_v1` with exactly 43-char base64 URL-safe value.
|
||||
1. ✓ Full 5-tier suite green on gitea main in real CI
|
||||
- Build #684, level=5, RECIPE=gitea REF=main PR=0
|
||||
- install/upgrade/backup/restore/custom: all PASS
|
||||
- LFS correctly SKIP on main (compose.lfs.yml absent)
|
||||
|
||||
**Ruff lint fixes:** All cc-ci self-test lint failures cleared:
|
||||
- `ruff format`: 9 files reformatted (all gtea test files + test_discovery.py)
|
||||
- `ruff check --fix`: bridge.py UP017 + 6 gtea check errors auto-fixed
|
||||
- manifest.py B007: unused loop variable `path` → `_path` (manual fix)
|
||||
- `scripts/lint.sh` now exits 0 on builder-clone (verified 2026-06-15T22:00Z)
|
||||
2. ✓ LFS roundtrip green in real CI on PR #1
|
||||
- Build #695, level=5, RECIPE=gitea REF=357926f26e69 PR=1
|
||||
- All 5 tiers PASS; `test_lfs_roundtrip` PASS (18s)
|
||||
- UPGRADE_SECRET_PREP hook pre-created correct 43-char lfs_jwt_secret
|
||||
|
||||
Unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43, including new
|
||||
UPGRADE_SECRET_PREP key in registry)
|
||||
3. ✓ Drone dep path unaffected
|
||||
- Build #692, level=5, RECIPE=drone REF=main
|
||||
- Dep path fully green after all gtea harness changes
|
||||
|
||||
## Fixes applied across all M2 blockers
|
||||
4. ✓ cc-ci self-test lint green (ruff format+check pass on all gtea files)
|
||||
|
||||
- Blocker 1 (run 676): LFS not enabled in upgrade → Fixed: UPGRADE_EXTRA_ENV + secret gen
|
||||
- Blocker 2 (run 674): REF=main HC1 fail → Fixed: run_recipe_ci uses git SHA for head_ref
|
||||
- Blocker 3 (run 675): stale creds 401 → Fixed: pre_install deletes creds before _ensure_admin
|
||||
- Blocker 4 (run 685): lfs_jwt_secret wrong length → Fixed: UPGRADE_SECRET_PREP hook
|
||||
5. ✓ Unit tests: 53/53 PASS throughout (test_gitea_dep.py 10/10, test_meta.py 43/43)
|
||||
|
||||
## Gate status
|
||||
6. ✓ No secrets in any run artifact (no_secret_leak=true in all builds)
|
||||
|
||||
## Gate history
|
||||
|
||||
- Gate M1: **ADVERSARY PASS** @2026-06-15T20:32Z (commit a106036)
|
||||
- Gate M2: IN PROGRESS
|
||||
- Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 ✓ (Adversary verified)
|
||||
- Build #685 (RECIPE=gitea REF=357926f2 PR=1): FAIL level=1 (Blocker 4, now fixed)
|
||||
- Build #691 (RECIPE=gitea REF=357926f26e69 PR=1): PENDING @~2026-06-15T22:05Z
|
||||
- Build #692 (RECIPE=drone REF=main PR=0): PENDING @~2026-06-15T22:05Z
|
||||
- Gate M2: **ADVERSARY PASS** @2026-06-15T22:10Z (commit 90522ee)
|
||||
|
||||
## Prerequisites verified
|
||||
## Key commits
|
||||
|
||||
- [x] `/etc/timezone` exists on cc-ci host (content: UTC)
|
||||
- [x] gitea recipe available at `~/.abra/recipes/gitea/` on cc-ci
|
||||
- [x] `backupbot.backup=true` label present in `compose.yml`
|
||||
- [x] gitea release versions: 2.0.0+1.18.0-rootless, 2.1.2+1.19.3-rootless, 2.6.0+1.21.5-rootless, 3.0.0+1.22.2-rootless
|
||||
- [x] PR #1 (`lfs-plain-gitea`) open, adds `compose.lfs.yml`
|
||||
- [x] git-lfs deployed on cc-ci host (v3.6.1, via NixOS rebuild 2026-06-15)
|
||||
|
||||
## Blocked
|
||||
|
||||
None.
|
||||
- bac3662: claim(gtea): M1 suite green locally, all 5 stages PASS
|
||||
- a121d2c: fix(gtea): M2 blockers (UPGRADE_EXTRA_ENV, HC1 SHA fix, stale creds)
|
||||
- d832b35: fix(gtea): UPGRADE_SECRET_PREP hook for correct lfs_jwt_secret
|
||||
- ad53b5a: fix(gtea): STACK_NAME derived from domain (dots→underscores)
|
||||
- 2d865f0: fix(gtea): ruff format+check all gtea files
|
||||
|
||||
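Review bot: DoD condition 6, "No secrets in any run artifact (no_secret_leak=true in all builds)", cites no build numbers, while conditions 1 to 3 each name theirs (#684, #695, #692). List the builds whose artifacts were checked and say whether "all builds" includes the failed run #685. This matters most for #695, where the text says UPGRADE_SECRET_PREP calls `docker secret create` directly with a 43-char value: nothing here states how that value reaches the command, so record whether it is supplied on stdin rather than as a command-line argument that could end up in a run log.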