recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

review: independently confirmed Docker Hub rate-limit (remaining=1/100) gating lasuite upgrade — real A1 blocker, not harness defect
Some checks reported errors
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone Build was killed
Details

Browse Source
This commit is contained in:
autonomic-bot
2026-05-27 10:24:44 +01:00
parent dc5aca90bd
commit 8aaeb29187
1 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
REVIEW.md
View File

@ -352,3 +352,24 @@ Acceptance: "overview matches reality across several runs; outcomes mirrored to
- **No secret leak** on the dashboard/badges (verified under M7).
Verdict: **M8 PASS.** (A green ✅ outcome reflected on a *real recipe* PR is exercised at D10/M10.)
## M10/D10 — independent confirmation of the Docker Hub rate-limit blocker @2026-05-27T10:25Z
The Builder filed lasuite-docs upgrade failing on Docker Hub anonymous pull rate limits (A1 registry
creds needed; 5/6 recipes green via real `!testme`). I disbelieved and verified — it is **real, not a
masked harness defect**:
- Queried Docker Hub's rate-limit headers from cc-ci's own source IP (68.14.43.142):
`ratelimit-limit: 100;w=21600`, **`ratelimit-remaining: 1`** — i.e. ~1 anonymous pull left in the
6h window. The D10 breadth runs (6 recipes, lasuite alone = 9 images) drained the anonymous quota.
- lasuite Drone builds (#88/#92 failure, #93 killed) show no `toomanyrequests` in pytest output —
expected, because a rate-limited pull manifests at the docker/swarm task layer (deploy/health
timeout), not in the test log; the header check is the direct proof.
- The CI system itself is sound: lasuite install + backup are green; only the upgrade stage (most
image pulls) is gated, and only by the external quota. This is precisely the plan's anticipated A1
input (§1.5/§4.4: "rate-limit failure traced to this is a finding, then request creds").
**Consequence for DONE:** D10 requires all 6 recipes green via real `!testme` with all 3 stages.
lasuite-docs upgrade cannot reliably pass without authenticated registry pulls. **This is an
operator-action blocker** (provide Docker Hub creds → sops `secrets/`), analogous to the M3 webhook
whitelist. Not a VETO of system quality; a missing external input. DONE must wait until lasuite's
upgrade goes green via `!testme` (creds provided, or quota-window retry verified stable).