From ca89d44c057854484144dfc2133ef99978187a09 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Wed, 17 Jun 2026 10:51:01 +0000
Subject: [PATCH] fix(canon): promote clears stale warm-stack on a fresh seed (failed-promote secret residue)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A once-failed promote left swarm secrets (e.g. drone's gitea client_secret_v1) behind; the retry's install_steps 'abra app secret insert' then FATAd 'already exists', so a recipe could never recover its canonical. promote_canonical now teardown_app()s the warm domain when there is NO existing canonical (fresh seed) — clearing leftover secrets/.env/partial volumes — while a re-promote (canonical exists) still reattaches its retained known-good volume untouched.
Co-Authored-By: Claude Opus 4.8
---
 runner/run_recipe_ci.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/runner/run_recipe_ci.py b/runner/run_recipe_ci.py
index ee719f3..dfa49c0 100644
--- a/runner/run_recipe_ci.py
+++ b/runner/run_recipe_ci.py
@@ -951,6 +951,13 @@ def promote_canonical(
 meta = meta_mod.load(recipe)
 # The cold run's deploy-count was already asserted + the countfile removed; don't perturb it.
 os.environ.pop("CCCI_DEPLOY_COUNT_FILE", None)
+ # FRESH SEED only (no existing canonical): clear any leftover warm- stack state from a
+ # PRIOR FAILED promote attempt (secrets/.env/partial volumes). Without this, a recipe whose
+ # install_steps inserts a non-generatable secret (e.g. drone's gitea client_secret) FATAs
+ # "secret … already exists" on the retry, so a once-failed promote can never recover. A
+ # re-promote (canonical EXISTS) must NOT teardown — it reattaches its retained known-good volume.
+ if not canonical.read_registry(recipe):
+ lifecycle.teardown_app(canonical.canonical_domain(recipe), verify=False)
 # Pristine tree at the tag: discard the cold run's tier mutations + untracked overlay so the
 # pinned `abra app new` clean-tree gate passes (deploy_app re-applies the overlay + auto-chaos).
 abra.recipe_checkout(recipe, version)
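Review bot: The teardown under the added `if not canonical.read_registry(recipe):` line is destructive and is gated only on a falsy return, so if `read_registry` also returns an empty value when the registry is unreadable or corrupt (its definition is not in this hunk), a re-promote would wipe the retained known-good volume that the comment says must be kept. Consider making the fresh-seed case explicit, for example having the registry read raise on I/O or parse errors and tearing down only on a confirmed missing entry. The call also passes `verify=False`, so a teardown that leaves the secret behind goes unnoticed until `abra app secret insert` fails again; if `verify` checks removal, `lifecycle.teardown_app(canonical.canonical_domain(recipe), verify=True)` or a logged result would make that visible. Leftover secrets also stay on the host until the next retry, so cleaning up in the failing promote's error path would shorten their exposure. `promote_canonical` starts and ends outside the hunk.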