diff --git a/modules/bridge.nix b/modules/bridge.nix
index e7dbaf9..5a94aba 100644
--- a/modules/bridge.nix
+++ b/modules/bridge.nix
@@ -40,7 +40,7 @@ let
 # admin-registered push optimization deduped against the poller (§4.1). Enrollment = add
 # the repo to POLL_REPOS (csv) + ensure tests// exists.
 - POLL_INTERVAL=30
- - POLL_REPOS=recipe-maintainers/cc-ci
+ - POLL_REPOS=recipe-maintainers/cc-ci,recipe-maintainers/custom-html,recipe-maintainers/keycloak,recipe-maintainers/cryptpad,recipe-maintainers/matrix-synapse,recipe-maintainers/lasuite-docs,recipe-maintainers/n8n
 - HMAC_FILE=/run/secrets/webhook_hmac
 - DRONE_TOKEN_FILE=/run/secrets/drone_token
 - GITEA_TOKEN_FILE=/run/secrets/gitea_token
diff --git a/runner/run_recipe_ci.py b/runner/run_recipe_ci.py
index 67c52dd..384e79b 100644
--- a/runner/run_recipe_ci.py
+++ b/runner/run_recipe_ci.py
@@ -90,6 +90,13 @@ def fetch_recipe(recipe: str, ref: str | None, src: str | None) -> None:
 subprocess.run(["rm", "-rf", dest], check=False)
 subprocess.run([*git, "clone", "--quiet", url, dest], check=True)
 subprocess.run([*git, "-C", dest, "checkout", "--quiet", ref], check=True)
+ # Bring in the published version TAGS from the public upstream so the upgrade stage can deploy
+ # a previous published version — mirror PR branches carry no release tags (D10: all 3 stages
+ # must run on a real !testme PR, not skip upgrade). Read-only + guardrail-safe: we only FETCH
+ # tags from the public upstream, never push to the recipe repo. Plain git (no bot token sent
+ # to a foreign host). Non-fatal: if upstream is unreachable, upgrade degrades to a skip.
+ upstream = f"https://git.coopcloud.tech/coop-cloud/{recipe}.git"
+ subprocess.run(["git", "-C", dest, "fetch", "--quiet", "--tags", upstream], check=False)
 else:
 # Clean re-fetch from the catalogue. rm first so a leftover dir from a prior SRC+REF run
 # (which points origin at the private mirror and may lack version tags) can't poison the
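Review bot: In modules/bridge.nix the new `POLL_REPOS` value enrolls six more repositories as one unbroken CSV string, so a later addition, removal or typo will appear as a single long changed line that is hard to audit per entry. Every name on that list is a repository whose activity can start a CI run in a service configured with `webhook_hmac`, `drone_token` and `gitea_token`, so the allowlist deserves to be reviewable one repo per line. If the surrounding Nix expression allows it, consider a list joined with `lib.concatStringsSep ","`. The comment above the setting also makes a per-recipe tests directory part of enrollment, and this diff does not show those directories for the six new names, so that is worth confirming. The `let` block starts and ends outside the hunk.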
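Review bot: In runner/run_recipe_ci.py the added tag fetch runs with `check=False`, `--quiet` and no timeout, so a failed fetch leaves no trace in the job output and a stalled connection to the upstream host can hang the run. The comment says the upgrade stage then degrades to a skip, which means a `!testme` run can pass without upgrade coverage and nobody can tell why, against the stated D10 goal. Bound the call, check the return code and print one warning line in the file's own logging style (the 120-second value below is only an example). Separately, `recipe` is interpolated into the upstream URL with no validation visible in this hunk. `fetch_recipe` starts outside the hunk, so confirm the name is restricted to a plain recipe slug before it reaches this line.

```python
upstream = f"https://git.coopcloud.tech/coop-cloud/{recipe}.git"
try:
    fetched = subprocess.run(
        ["git", "-C", dest, "fetch", "--quiet", "--tags", upstream],
        check=False,
        timeout=120,
    )
    tags_ok = fetched.returncode == 0
except subprocess.TimeoutExpired:
    tags_ok = False
if not tags_ok:
    print(f"WARN: could not fetch release tags from {upstream}; upgrade stage may be skipped")
# … unchanged: else branch (clean re-fetch from the catalogue) …
```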