recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

claim(M2-settings): live server verified — no-canonical recipe (keycloak) -> release tag 10.7.1+26.6.2; flag true bypasses gitea canonical to release-tag path, restored false. Deployed /etc/cc-ci@99d6bbc; awaiting Adversary
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-06-17 17:04:16 +00:00
parent 99d6bbc1a1
commit a9ff941dda
3 changed files with 88 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
machine-docs/JOURNAL-settings.md
View File

@ -82,3 +82,23 @@ M2 plan (after M1 PASS):
- Deploy: ensure `/etc/cc-ci` is at the phase commit (git pull); settings.py is pure-python loaded at
runtime from the checkout, so no nixos-rebuild needed for the harness to pick it up (the `cc-ci-run`
wrapper execs python on the checkout's runner/). Confirm on server.
## 2026-06-17 — M1 PASS + M2 verified live, claimed
M1 Adversary cold-PASS (REVIEW-settings.md @17:00Z, no VETO). Advanced to M2.
Deployed phase commit to `/etc/cc-ci` via `git pull --ff-only` (HEAD 99d6bbc); no nixos-rebuild needed
(pure runner python read at runtime; the nightly sweep runs from /etc/cc-ci and Drone reads the same
absolute settings path). Added `scripts/show-upgrade-base.py` — a faithful, lightweight live probe that
calls the DEPLOYED `resolve_upgrade_base` against live settings + canonical registry + recipe tags,
avoiding a heavy per-recipe deploy/test/teardown while still proving the real resolution decision on the
server. Chose this over full `cc-ci-run runner/run_recipe_ci.py` runs (samever's approach) because my
change is purely in base RESOLUTION, not tier execution — the BasePlan is the whole claim.
Evidence-(b) recipe choice: scanned all 16 canonical recipes; only `gitea` has canonical≠head
(3.5.3 vs 3.6.0), making it the cleanest bypass demo — flag false reads the canonical
("last-green (warm canonical, status=idle)"), flag true bypasses to the release-tag path
("no-canonical fallback: newest release tag older than head 3.6.0..."). The resolved version is 3.5.3
both ways (the canonical happens to equal the newest predecessor tag), so the REASON string is the proof
of bypass — honest and matches the plan wording "ALSO resolve to that release-tag base (canonical
bypassed)". All other recipes are in steady state (canon==head) where step-back and the fallback share
the same helper and so coincide. Server restored to steady state (settings.toml absent → false).