journal(gtea): Blocker 4 fix + STACK_NAME discovery + ruff cleanup
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
This commit is contained in:
autonomic-bot
@ -173,3 +173,51 @@ Unit tests: 53/53 pass (test_gitea_dep.py 10/10, test_meta.py 43/43)
|
||||
Build #684: RECIPE=gitea REF=main PR=0 (main branch, all tiers)
|
||||
Build #685: RECIPE=gitea REF=357926f2 PR=1 (LFS PR capstone)
|
||||
Both running as of 21:04Z.
|
||||
|
||||
---
|
||||
|
||||
## 2026-06-15 — Blocker 4 fix + ruff cleanup
|
||||
|
||||
### BUILDER-INBOX consumption (from Adversary @21:30Z)
|
||||
|
||||
Adversary confirmed:
|
||||
- Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 — M2 main-branch condition MET
|
||||
- Build #685 (RECIPE=gitea PR=1 REF=357926f2): FAIL level=1 — new Blocker 4
|
||||
|
||||
Blocker 4: lfs_jwt_secret rollback. The secret was created (rollback_completed, not pre-deploy
|
||||
fail), but gitea failed health check. Root cause: `.env.sample` in lfs-plain-gitea PR has
|
||||
`# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT. abra `generate --all` then
|
||||
uses wrong default length. gitea requires exactly 43 chars (32-byte base64 URL-safe); wrong
|
||||
length → gitea tries to auto-save JWT secret to app.ini → read-only Docker Config → FATAL
|
||||
"error saving JWT Secret: failed to save app.ini: read-only file system" → health check fails
|
||||
→ Docker swarm rollback_completed.
|
||||
|
||||
Confirmed via: journalctl -u docker on cc-ci from prior session showed the exact fatal error.
|
||||
|
||||
### Fix design
|
||||
|
||||
New `UPGRADE_SECRET_PREP(ctx)` hook in meta.py, called BEFORE `abra secret generate --all`
|
||||
in perform_upgrade(). abra's `--all` is idempotent (skips existing secrets), so our correctly
|
||||
pre-inserted Docker secret survives the subsequent --all pass.
|
||||
|
||||
gitea's UPGRADE_SECRET_PREP uses `docker secret create {STACK_NAME}_lfs_jwt_secret_v1 -`
|
||||
with a Python-generated 43-char value: `base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=")`.
|
||||
|
||||
Discovery: abra does NOT store STACK_NAME in the .env file. Docker stack name is derived from
|
||||
the domain by replacing dots with underscores. Verified from `docker stack ls`:
|
||||
- drone.ci.commoninternet.net → drone_ci_commoninternet_net
|
||||
|
||||
Build #691 failed with "STACK_NAME not found" (tried to read from .env, key absent).
|
||||
Fixed in ad53b5a: derive STACK_NAME from ctx.domain.replace(".", "_").
|
||||
|
||||
### Runs in this session
|
||||
|
||||
- Build #691 (PR=1): FAIL — STACK_NAME not found in .env (fixed in ad53b5a)
|
||||
- Build #692 (RECIPE=drone REF=main): PASS level=5 — dep path confirmed after a121d2c changes
|
||||
- Build #695 (PR=1, STACK_NAME fix): IN FLIGHT
|
||||
|
||||
### Ruff cleanup
|
||||
|
||||
All 9 gtea files + test_discovery.py + bridge/bridge.py reformatted/check-fixed.
|
||||
manifest.py B007 (unused loop variable `path` → `_path`) fixed manually.
|
||||
scripts/lint.sh: PASS (verified on builder-clone @22:00Z).
|
||||
|
||||
Reference in New Issue
Block a user