From c277029f8490687830f4cfb54fde309e99a3c5d7 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Wed, 27 May 2026 08:21:43 +0100
Subject: [PATCH] =?UTF-8?q?M10/D10:=20enable=20real-!testme=20path=20?= =?UTF-8?q?=E2=80=94=20fetch=20upstream=20tags=20+=20enroll=206=20recipes?= =?UTF-8?q?=20in=20POLL=5FREPOS?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fetch_recipe (SRC+REF/PR path) now read-only fetches published version tags from the public upstream into the mirror clone, so the upgrade stage finds a previous published version (mirror PR branches carry no tags → upgrade would skip). Guardrail-safe: only fetches tags, never pushes to the recipe repo; plain git so the bot token isn't sent to upstream. Adds the 6 D10 recipes to the bridge POLL_REPOS so !testme on their PRs triggers runs.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 modules/bridge.nix | 2 +-
 runner/run_recipe_ci.py | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/bridge.nix b/modules/bridge.nix
index e7dbaf9..5a94aba 100644
--- a/modules/bridge.nix
+++ b/modules/bridge.nix
@@ -40,7 +40,7 @@ let
 # admin-registered push optimization deduped against the poller (§4.1). Enrollment = add
 # the repo to POLL_REPOS (csv) + ensure tests// exists.
 - POLL_INTERVAL=30
- - POLL_REPOS=recipe-maintainers/cc-ci
+ - POLL_REPOS=recipe-maintainers/cc-ci,recipe-maintainers/custom-html,recipe-maintainers/keycloak,recipe-maintainers/cryptpad,recipe-maintainers/matrix-synapse,recipe-maintainers/lasuite-docs,recipe-maintainers/n8n
 - HMAC_FILE=/run/secrets/webhook_hmac
 - DRONE_TOKEN_FILE=/run/secrets/drone_token
 - GITEA_TOKEN_FILE=/run/secrets/gitea_token
diff --git a/runner/run_recipe_ci.py b/runner/run_recipe_ci.py
index 67c52dd..384e79b 100644
--- a/runner/run_recipe_ci.py
+++ b/runner/run_recipe_ci.py
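Review bot: In modules/bridge.nix, the comment directly above POLL_REPOS says enrollment means adding the repo and ensuring its tests directory exists, but the diffstat for this commit touches only bridge.nix and run_recipe_ci.py, so the six newly listed repos get no test directories here. If those directories are not already in the tree, a `!testme` on one of these repos will presumably start a run with nothing to execute. Each enrolled repo also widens who can start a run on a host that mounts `/run/secrets/drone_token` and `/run/secrets/gitea_token`; the check on who may issue `!testme` is not visible in this hunk, so it is worth confirming that it applies to the new repos as well.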
@@ -90,6 +90,13 @@ def fetch_recipe(recipe: str, ref: str | None, src: str | None) -> None:
 subprocess.run(["rm", "-rf", dest], check=False)
 subprocess.run([*git, "clone", "--quiet", url, dest], check=True)
 subprocess.run([*git, "-C", dest, "checkout", "--quiet", ref], check=True)
+ # Bring in the published version TAGS from the public upstream so the upgrade stage can deploy
+ # a previous published version — mirror PR branches carry no release tags (D10: all 3 stages
+ # must run on a real !testme PR, not skip upgrade). Read-only + guardrail-safe: we only FETCH
+ # tags from the public upstream, never push to the recipe repo. Plain git (no bot token sent
+ # to a foreign host). Non-fatal: if upstream is unreachable, upgrade degrades to a skip.
+ upstream = f"https://git.coopcloud.tech/coop-cloud/{recipe}.git"
+ subprocess.run(["git", "-C", dest, "fetch", "--quiet", "--tags", upstream], check=False)
 else:
 # Clean re-fetch from the catalogue. rm first so a leftover dir from a prior SRC+REF run
 # (which points origin at the private mirror and may lack version tags) can't poison the
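Review bot: The result of the added `git fetch --tags` is thrown away (`check=False` together with `--quiet`), so an unreachable upstream or a rejected tag update looks the same as success and the upgrade stage skips without any trace in the run output. Git also does not move a tag that already exists in the clone unless the fetch is forced, so if the mirror clone ever arrives with a tag that has a release name, that tag rather than upstream's is what the upgrade stage would deploy; whether the mirror can hold such tags is not visible here. I would make upstream authoritative and keep the outcome: `res = subprocess.run(["git", "-C", dest, "fetch", "--quiet", "--tags", "--force", upstream], check=False)`, followed by a logged warning when `res.returncode != 0`. `recipe` is interpolated into the upstream URL without any check in the visible lines, and fetch_recipe begins above the hunk, so confirm that it is restricted to a plain recipe name before this point.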