recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

bridge: polling primary + org-membership auth (orchestrator design change)
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone Build is passing
Details

Browse Source 
Polling is now the primary, read-only trigger (always-on thread); the /hook
webhook is an optional admin-registered push optimization deduped by comment id.
Authorize commenters via GET /orgs/{owner}/members/{user} (204, read-level) +
optional allowlist, replacing the admin-requiring /collaborators permission
endpoint. Bot never self-registers webhooks. Enroll = POLL_REPOS + tests/<recipe>/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-27 02:41:25 +01:00
parent 25b628e959
commit 7addb9686c
4 changed files with 179 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
docs/enroll-recipe.md
View File

@ -41,11 +41,27 @@ If the recipe's own repo contains `tests/test_*.py`, the runner snapshots them r
runs them against the **live deployment** as a `recipe-local` stage. Contract: those tests receive
env `CCCI_BASE_URL` (e.g. `https://<app>.ci.commoninternet.net/`) and `CCCI_APP_DOMAIN`.
## 4. Register the trigger webhook
## 4. Add the repo to the bridge poll list
The trigger is **polling** (primary): add the repo's full name to the comment-bridge `POLL_REPOS`
csv (`modules/bridge.nix`) and `nixos-rebuild switch`. The bridge then polls that repo's open PRs
every 30s and fires a run on a new `!testme` comment from an authorized org member. This needs only
**read + comment** access — no webhook, no repo-admin.
Add the per-repo Gitea webhook so `!testme` on a PR starts a run (see the bridge / runbook). Then
`!testme` on a PR runs install/upgrade/backup + any recipe-local tests, and reports back to the PR.
### Optional: lower-latency webhook (admin-registered)
Polling already satisfies D1 (<60s). For lower latency an **admin** may *optionally* register a
Gitea `issue_comment` webhook (the bot does **not** self-register one that needs repo-admin):
- URL `https://ci.commoninternet.net/hook`, content-type `application/json`, event `Issue Comment`,
secret = the shared webhook HMAC (`secrets/secrets.yaml` `webhook_hmac`).
- The Gitea instance must allow the host (admin: add `ci.commoninternet.net` to the
`[webhook] ALLOWED_HOST_LIST`).
The webhook and poller are deduped by comment id, so a comment seen by both fires only once.
## Run locally
```sh