style: repo-wide lint pass — make the lint gate green again
Push builds have been RED on the lint step since ~build 209 from accumulated formatting drift. This is the mechanical cleanup: ruff format + ruff --fix (UP038 isinstance unions, SIM105 contextlib.suppress, UP031 f-strings, SIM115 tempfile context manager), shfmt -i 2 -ci, nixpkgs-fmt/statix/deadnix (merged attrsets, dropped unused lib args), yamllint, and shell quoting fixes in tests/lasuite-docs/setup_custom_tests.sh. No behaviour changes intended; lint: PASS, unit tests: 138 passed.
@ -43,11 +43,16 @@ def _traefik_setup(recipe: str, domain: str, version: str) -> None:
|
||||
ssl_cert/ssl_key swarm secrets; NO ACME). Uses the proven abra.env_set (newline-safe, unlike the
|
||||
bash set_env that bit keycloak)."""
|
||||
cert_dir = "/var/lib/ci-certs/live"
|
||||
if not (os.path.isfile(f"{cert_dir}/fullchain.pem") and os.path.isfile(f"{cert_dir}/privkey.pem")):
|
||||
if not (
|
||||
os.path.isfile(f"{cert_dir}/fullchain.pem") and os.path.isfile(f"{cert_dir}/privkey.pem")
|
||||
):
|
||||
raise RuntimeError(f"FATAL: wildcard cert missing at {cert_dir} (sops decrypt broken?)")
|
||||
if not os.path.isfile(env_file(domain)):
|
||||
_run(["abra", "app", "new", recipe, "-s", "default", "-D", domain, version, "-o", "-n"],
|
||||
timeout=120, check=True)
|
||||
_run(
|
||||
["abra", "app", "new", recipe, "-s", "default", "-D", domain, version, "-o", "-n"],
|
||||
timeout=120,
|
||||
check=True,
|
||||
)
|
||||
abra.env_set(domain, "DOMAIN", domain)
|
||||
abra.env_set(domain, "LETS_ENCRYPT_ENV", "")
|
||||
abra.env_set(domain, "WILDCARDS_ENABLED", "1")
|
||||
@ -61,11 +66,39 @@ def _traefik_setup(recipe: str, domain: str, version: str) -> None:
|
||||
return any(s.endswith(f"_{name}_v1") for s in have)
|
||||
|
||||
if not _has("ssl_cert"):
|
||||
_run(["abra", "app", "secret", "insert", domain, "ssl_cert", "v1",
|
||||
f"{cert_dir}/fullchain.pem", "-f", "-n"], timeout=120, check=True)
|
||||
_run(
|
||||
[
|
||||
"abra",
|
||||
"app",
|
||||
"secret",
|
||||
"insert",
|
||||
domain,
|
||||
"ssl_cert",
|
||||
"v1",
|
||||
f"{cert_dir}/fullchain.pem",
|
||||
"-f",
|
||||
"-n",
|
||||
],
|
||||
timeout=120,
|
||||
check=True,
|
||||
)
|
||||
if not _has("ssl_key"):
|
||||
_run(["abra", "app", "secret", "insert", domain, "ssl_key", "v1",
|
||||
f"{cert_dir}/privkey.pem", "-f", "-n"], timeout=120, check=True)
|
||||
_run(
|
||||
[
|
||||
"abra",
|
||||
"app",
|
||||
"secret",
|
||||
"insert",
|
||||
domain,
|
||||
"ssl_key",
|
||||
"v1",
|
||||
f"{cert_dir}/privkey.pem",
|
||||
"-f",
|
||||
"-n",
|
||||
],
|
||||
timeout=120,
|
||||
check=True,
|
||||
)
|
||||
|
||||
|
||||
SPECS: dict[str, dict] = {
|
||||
@ -218,8 +251,17 @@ def health_code(spec: dict) -> int:
|
||||
domain = spec.get("health_domain", spec["domain"])
|
||||
r = _run(
|
||||
[
|
||||
"curl", "-sk", "-o", "/dev/null", "-w", "%{http_code}", "--max-time", "10",
|
||||
"--resolve", f"{domain}:443:127.0.0.1", f"https://{domain}{spec['health_path']}",
|
||||
"curl",
|
||||
"-sk",
|
||||
"-o",
|
||||
"/dev/null",
|
||||
"-w",
|
||||
"%{http_code}",
|
||||
"--max-time",
|
||||
"10",
|
||||
"--resolve",
|
||||
f"{domain}:443:127.0.0.1",
|
||||
f"https://{domain}{spec['health_path']}",
|
||||
],
|
||||
timeout=20,
|
||||
)
|
||||
@ -230,7 +272,6 @@ def health_code(spec: dict) -> int:
|
||||
|
||||
|
||||
def wait_healthy(spec: dict, timeout: int | None = None) -> bool:
|
||||
domain = spec["domain"]
|
||||
deadline = time.time() + (timeout or spec["health_timeout"])
|
||||
while time.time() < deadline:
|
||||
if health_code(spec) in tuple(spec["health_ok"]):
|
||||
@ -325,15 +366,18 @@ def ensure_server() -> None:
|
||||
|
||||
def ensure_app_config(recipe: str, domain: str, version: str) -> None:
|
||||
if not os.path.isfile(env_file(domain)):
|
||||
_run(["abra", "app", "new", recipe, "-s", "default", "-D", domain, version, "-o", "-n"],
|
||||
timeout=120, check=True)
|
||||
_run(
|
||||
["abra", "app", "new", recipe, "-s", "default", "-D", domain, version, "-o", "-n"],
|
||||
timeout=120,
|
||||
check=True,
|
||||
)
|
||||
abra.env_set(domain, "DOMAIN", domain)
|
||||
abra.env_set(domain, "LETS_ENCRYPT_ENV", "")
|
||||
|
||||
|
||||
def ensure_secrets(domain: str) -> None:
|
||||
stack = lifecycle._stack_name(domain) # noqa: SLF001
|
||||
have = {n for n in lifecycle._docker_names("secret", stack)} # noqa: SLF001
|
||||
have = set(lifecycle._docker_names("secret", stack)) # noqa: SLF001
|
||||
if not any(n.endswith("_admin_password_v1") for n in have):
|
||||
abra.secret_generate(domain)
|
||||
|
||||
@ -393,8 +437,9 @@ def reconcile(app: str) -> str:
|
||||
write_alert(app, "held-major", current=current, latest=latest, release_notes=notes[:4000])
|
||||
return f"held-major:{current}->{latest}"
|
||||
if notes_flag_manual_migration(notes):
|
||||
write_alert(app, "held-manual-migration", current=current, latest=latest,
|
||||
release_notes=notes[:4000])
|
||||
write_alert(
|
||||
app, "held-manual-migration", current=current, latest=latest, release_notes=notes[:4000]
|
||||
)
|
||||
return f"held-manual-migration:{current}->{latest}"
|
||||
|
||||
# WC1.1 health-gated upgrade with rollback.
|
||||
@ -428,8 +473,14 @@ def reconcile(app: str) -> str:
|
||||
warmsnap.restore(recipe, domain)
|
||||
deploy_version(recipe, domain, last_good, dt)
|
||||
recovered = wait_healthy(spec)
|
||||
write_alert(app, "rollback", last_good=last_good, attempted=latest, recovered=recovered,
|
||||
release_notes=notes[:2000])
|
||||
write_alert(
|
||||
app,
|
||||
"rollback",
|
||||
last_good=last_good,
|
||||
attempted=latest,
|
||||
recovered=recovered,
|
||||
release_notes=notes[:2000],
|
||||
)
|
||||
if not recovered:
|
||||
raise RuntimeError(f"{app} rollback to {last_good} did not become healthy")
|
||||
return f"rolled-back:{latest}->{last_good}"
|
||||
|
||||
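Review bot: In `health_code` the reformatted curl argv still carries `"-sk"`, so the probe behind `wait_healthy` and the rollback decision in `reconcile` never validates the certificate that is actually served. A wrong, expired or mismatched `ssl_cert`/`ssl_key` secret would still pass the health gate as long as the status code is in `health_ok`. Since `--resolve` already pins the real hostname to 127.0.0.1, name verification should work; if the wildcard cert chains to a CA the runner trusts (not visible here), consider `"-s"` in place of `"-sk"`, or add `"--cacert", "<CA_BUNDLE_PATH>"` for a private CA. The body of `health_code` continues outside this hunk, so how the status code is parsed cannot be checked from here.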