fix(gtea): UPGRADE_SECRET_PREP hook — pre-insert lfs_jwt_secret with correct 43-char format
Some checks failed
continuous-integration/drone/push Build is failing

Blocker 4 fix: abra `secret generate --all` uses .env.sample for length hints; the
lfs-plain-gitea PR has SECRET_LFS_JWT_SECRET_VERSION=v1 COMMENTED OUT, so abra produces
a wrong-length secret. gitea requires exactly 43 chars (32 bytes base64 URL-safe); wrong
length → gitea fatals trying to save the JWT secret to the read-only Docker Config
app.ini → health check fails → swarm rolls back.

Fix: new UPGRADE_SECRET_PREP hook (meta.py) called before `abra secret generate --all`
in the upgrade path. abra's `--all` is idempotent (skips existing secrets), so the
correctly pre-inserted secret survives. gitea's recipe_meta.py implements the hook using
`docker secret create` directly to guarantee correct format regardless of .env.sample.

Also consumes machine-docs/BUILDER-INBOX.md (Adversary Blocker 4 digest).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-06-15 21:46:28 +00:00
parent 1efab2e1e6
commit d832b353e4
7 changed files with 72 additions and 111 deletions

View File

@ -167,6 +167,17 @@ def env_get(domain: str, key: str) -> str | None:
return val
def secret_insert(domain: str, name: str, version: str, data: str, timeout: int = 60) -> None:
"""Insert a secret with an explicit value. Use when abra `generate --all` would use wrong
length/format (e.g. .env.sample has the spec commented out). check=False: silently no-ops if
the secret already exists (Docker Swarm secrets are immutable; caller must remove first)."""
_run(
["app", "secret", "insert", domain, name, version, data, "-n"],
timeout=timeout,
check=False,
)
def secret_generate(domain: str, timeout: int = 300) -> None:
# -m avoids the TTY/table (ioctl) path; output (which contains the generated values) is
# captured by _run and never logged. -C -o keep the recipe at the PR checkout (without -o it