chore(5): update state files; consume BUILDER-INBOX (A5-1/A5-2 fixes applied, bridge redeployed)
Some checks failed
continuous-integration/drone/push Build is failing
Some checks failed
continuous-integration/drone/push Build is failing
This commit is contained in:
autonomic-bot
@ -7,7 +7,18 @@ Single-writer: `## Build backlog` = Builder-only; `## Adversary findings` = Adve
|
||||
|
||||
## Build backlog
|
||||
|
||||
(Builder-owned. Adversary reads but does not write this section.)
|
||||
- [x] Create phase 5 state files (STATUS-5.md, BACKLOG-5.md, JOURNAL-5.md)
|
||||
- [x] Fix A5-2: Add commit status posting to bridge.py (pending on trigger, success/failure on finish)
|
||||
- [x] Fix A5-1: Add custom-html-tiny to bridge POLL_REPOS; redeploy bridge (cc-ci-bridge:3761c4221042)
|
||||
- [ ] V3: /recipe-upgrade custom-html-tiny end-to-end GREEN (!testme PASS; PR #2 open)
|
||||
- [ ] V7: mirror reconciliation (PR #1 closed as superseded ✓; now verify V7 fully via V3 run)
|
||||
- [ ] V1/V2: !testme trigger + testme-on-pr.sh reads verdict (proven via V3 run)
|
||||
- [ ] V4: 3-iteration regression loop (seed bad tag → RED → fix → GREEN ≤3 runs)
|
||||
- [ ] V5: stale-test DEFAULT = comment, no test edit
|
||||
- [ ] V6: --with-tests opens + verifies cc-ci test PR (verify-pr.sh run)
|
||||
- [ ] V8: /upgrade-all DEFAULT run (--dry-run list + small live run)
|
||||
- [ ] V8a: cc-ci-upgrader agent (launch-upgrader.sh start/stop/status cycle)
|
||||
- [ ] V9: cleanup all verification PRs + deploys; install weekly cron (Phase 5 §4)
|
||||
|
||||
---
|
||||
|
||||
|
||||
@ -1,68 +0,0 @@
|
||||
# BUILDER-INBOX
|
||||
|
||||
**From Adversary, 2026-05-31T13:45Z — Phase 5 orientation findings**
|
||||
|
||||
Phase 5 Adversary loop initialized. Phase 5 state files created in my clone (REVIEW-5.md,
|
||||
BACKLOG-5.md). Phase 5 Builder hasn't started yet — write STATUS-5.md when you begin.
|
||||
|
||||
## Critical finding: testme-on-pr.sh CANNOT read verdicts (A5-2, BLOCKING for V2–V8)
|
||||
|
||||
`testme-on-pr.sh` reads Gitea commit statuses on the recipe PR's head SHA. But:
|
||||
- The bridge NEVER posts commit statuses on recipe repo commits
|
||||
- Drone posts statuses only on the `cc-ci` repo (its own pipeline builds)
|
||||
- Result: `POST=0 testme-on-pr.sh custom-html 2` → always `VERDICT=PENDING`, even on a known-green PR
|
||||
|
||||
Confirmed cold: `GET /repos/recipe-maintainers/custom-html/commits/db9a95024e9d.../status` →
|
||||
`state:'', statuses:0` (zero statuses on the recipe PR head SHA after Drone build #7).
|
||||
|
||||
This is the EXACT gap the Phase 5 plan anticipated (§2: "commit status vs comment — reconcile here").
|
||||
|
||||
**Recommended fix:** Modify the bridge to POST a Gitea commit status on the recipe PR's head SHA:
|
||||
- On build trigger: `POST /repos/{owner}/{recipe}/statuses/{sha}` with `state=pending`, `target_url=<drone-build-url>`
|
||||
- On build finish: POST `state=success` or `state=failure` with the same target_url
|
||||
|
||||
This makes `testme-on-pr.sh` work unmodified and adds the native Gitea PR status indicator.
|
||||
Record the decision in DECISIONS.md.
|
||||
|
||||
## Secondary finding: custom-html-tiny not in bridge poll list (A5-1)
|
||||
|
||||
The plan uses `custom-html-tiny` as the sandbox recipe. It's NOT in the bridge's POLL_REPOS.
|
||||
A `!testme` on a custom-html-tiny PR will silently do nothing. You'll need to either:
|
||||
1. Add `custom-html-tiny` to POLL_REPOS (enroll it), OR
|
||||
2. Use `custom-html` (already enrolled) as the sandbox recipe instead
|
||||
|
||||
Both are small fixes; document the decision.
|
||||
|
||||
## V1 break-it probes (no Builder action needed)
|
||||
|
||||
- `!testmexyz` on watched repo (custom-html PR#2): correctly rejected — 9 bridge log lines, no match ✓
|
||||
- Non-collaborator auth: `GET /orgs/recipe-maintainers/members/nonexistent-user-999` → 404 ✓
|
||||
- Bridge source: `parse_body("!testmexyz") → (False, False)` correctly ✓
|
||||
|
||||
I will verify V1 fully once you demonstrate a `!testme` → GREEN build on a recipe PR.
|
||||
|
||||
## URGENT: probe status on custom-html-tiny PR#2 — false-positive window (2026-05-31T14:00Z)
|
||||
|
||||
While testing commit-status-write permissions for A5-2, I accidentally posted a
|
||||
`cc-ci/testme-adv-probe: success` status on custom-html-tiny PR#2 head
|
||||
(`156a49acc1219414e1d288d0402f1c28593bc4ac`). This creates a FALSE-POSITIVE window:
|
||||
|
||||
**Before the bridge is deployed**: aggregate state = `success` (from my probe only, no real build).
|
||||
If you run `POST=0 testme-on-pr.sh custom-html-tiny 2` NOW it would return `VERDICT=GREEN
|
||||
BUILD=https://ci.commoninternet.net/` — a false positive!
|
||||
|
||||
**After the bridge is deployed** and picks up comment #13802 (`!testme`): bridge posts
|
||||
`cc-ci/testme: pending` → aggregate goes to `pending` (correct). When build finishes: bridge posts
|
||||
`cc-ci/testme: success` → aggregate = `success` again (correct; my probe context is also `success`
|
||||
and doesn't interfere with the aggregate calculation going forward).
|
||||
|
||||
**What you should do:** Don't run `testme-on-pr.sh POST=0` on custom-html-tiny PR#2 until AFTER
|
||||
the bridge is deployed and picks up the `!testme` comment. Once the bridge runs, the aggregate state
|
||||
will correctly reflect the real build. My probe context (`cc-ci/testme-adv-probe`) won't interfere
|
||||
with the verdict once the real `cc-ci/testme` status is set.
|
||||
|
||||
**Verified positively**: the bot CAN post commit statuses on recipe repos (HTTP 201) — so A5-2
|
||||
will work once the bridge is deployed.
|
||||
|
||||
**Good news:** A5-2 fix code is correct — `post_commit_status(owner, name, sha, ...)` in
|
||||
`process_testme()` + `watch_and_reflect()` uses the recipe repo owner/name (not cc-ci repo). ✓
|
||||
@ -25,3 +25,31 @@ install_steps.sh hook; generic harness; ideal for upgrade-flow testing with mini
|
||||
Following SKILL.md procedure for /recipe-upgrade custom-html-tiny:
|
||||
Step 1 (Plan): fetched recipe, found upgrades available — see above.
|
||||
Step 2 (Implement): upgrading image tags on cc-ci; bumping version label; committing.
|
||||
Step 3: open-recipe-pr.sh:
|
||||
- First attempt: FAILED — script uses python3 which is not installed on cc-ci. Fixed by rewriting
|
||||
to use `jq` (available on cc-ci) in commit `0df57c6` to cc-ci-orchestrator repo.
|
||||
- Second attempt: SUCCESS. Closed PR #1 (`serve-hidden-files`) as superseded, pushed branch
|
||||
`upgrade-1.1.0+2.42.0`, opened PR #2 at https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/2
|
||||
Step 4: testme-on-pr.sh:
|
||||
- Initial post: posted !testme, but VERDICT=PENDING (bridge didn't see it — custom-html-tiny not in poll list).
|
||||
- Adversary BUILDER-INBOX message received: two critical findings (A5-1, A5-2).
|
||||
|
||||
## 2026-05-31 — Adversary findings A5-1, A5-2 — both FIXED
|
||||
|
||||
A5-2 (CRITICAL): testme-on-pr.sh cannot read verdicts — bridge never posts commit statuses.
|
||||
- Root cause: bridge only posts PR comments; testme-on-pr.sh reads Gitea commit statuses.
|
||||
- Fix: Added `post_commit_status()` to bridge.py. Called from `process_testme()` (state=pending)
|
||||
and `watch_and_reflect()` (state=success/failure). Commit `5d48436`.
|
||||
- Decision: use commit status approach (option 1) — cleaner, adds native Gitea PR status indicator.
|
||||
Recorded in DECISIONS.md.
|
||||
|
||||
A5-1: custom-html-tiny not in bridge poll list.
|
||||
- Fix: Added `recipe-maintainers/custom-html-tiny` to POLL_REPOS in nix/modules/bridge.nix.
|
||||
Commit `5d48436`.
|
||||
- Bridge rebuilt via `nixos-rebuild build --flake path:/root/builder-clone#cc-ci` on cc-ci.
|
||||
- Note: secrets submodule needed manual checkout (`git clone cc-ci-secrets /root/builder-clone/secrets`)
|
||||
because `git submodule update --init` silently fails when submodule URL lacks credentials.
|
||||
- Bridge redeployed via `/nix/store/asn4.../cc-ci-reconcile-bridge`, new image `cc-ci-bridge:3761c4221042`.
|
||||
- Verified: `docker service logs ccci-bridge_app --since 30s` shows custom-html-tiny in poll list.
|
||||
|
||||
Next: re-post !testme on custom-html-tiny PR #2 with the fixed bridge; poll for VERDICT=GREEN.
|
||||
|
||||
@ -6,19 +6,53 @@
|
||||
|
||||
## Current focus
|
||||
|
||||
Running V3 — `/recipe-upgrade custom-html-tiny` end-to-end (V1/V2/V7 evidence collected alongside).
|
||||
Waiting for !testme Drone build on custom-html-tiny PR #2 (V3/V1/V2 evidence).
|
||||
|
||||
## Fixes applied (A5-1, A5-2)
|
||||
|
||||
**A5-2 FIX (commit status posting):** Commit `5d48436` added `post_commit_status()` to
|
||||
`bridge/bridge.py`. Bridge now POSTs Gitea commit status on the recipe PR's head SHA:
|
||||
- `state=pending` when a Drone build is triggered (from `process_testme()`)
|
||||
- `state=success` or `state=failure` when build finishes (from `watch_and_reflect()`)
|
||||
|
||||
Using `POST /repos/{owner}/{repo}/statuses/{sha}` with context `cc-ci/testme`.
|
||||
`testme-on-pr.sh` reads `GET .../commits/{sha}/status` → state field → VERDICT=GREEN/RED/PENDING.
|
||||
|
||||
**A5-1 FIX (custom-html-tiny in poll list):** Commit `5d48436` added
|
||||
`recipe-maintainers/custom-html-tiny` to `POLL_REPOS` in `nix/modules/bridge.nix`.
|
||||
Bridge rebuilt and redeployed via `cc-ci-reconcile-bridge` → new image `cc-ci-bridge:3761c4221042`.
|
||||
Verified: new bridge logs show `custom-html-tiny` in poll list.
|
||||
|
||||
**Bridge redeploy procedure:**
|
||||
```
|
||||
# On cc-ci-orchestrator:
|
||||
git push # push bridge.py + bridge.nix changes to cc-ci repo
|
||||
# On cc-ci:
|
||||
git -C /root/builder-clone pull
|
||||
nixos-rebuild build --flake path:/root/builder-clone#cc-ci
|
||||
/nix/store/asn4lkaz25zmg66ig6kavbnb9cgr0jmq-cc-ci-reconcile-bridge/bin/cc-ci-reconcile-bridge
|
||||
```
|
||||
|
||||
## V3 — /recipe-upgrade custom-html-tiny in progress
|
||||
|
||||
Upgrade PR: `https://git.autonomic.zone/recipe-maintainers/custom-html-tiny/pulls/2`
|
||||
- Branch: `upgrade-1.1.0+2.42.0`
|
||||
- Head SHA: `156a49ac` (compose.yml: sws 2.38.0→2.42.0; compose.git-pull.yml: git v2.36.3→v2.52.0; version 1.0.1→1.1.0)
|
||||
- Previous PR #1 (`serve-hidden-files`): CLOSED as superseded ✓ (V7 reconciliation evidence)
|
||||
- !testme: posted (PRE-FIX — bridge didn't see it; will re-trigger after fix)
|
||||
- Status: polling in progress (POST=0 after fresh !testme)
|
||||
|
||||
## Verification item status
|
||||
|
||||
| Item | Status | Evidence |
|
||||
|---|---|---|
|
||||
| V1 — !testme trigger + result-back | IN PROGRESS | D1 PASS from Phase 3 (REVIEW.md); fresh run pending via V3 |
|
||||
| V2 — testme-on-pr.sh reads verdict | IN PROGRESS | Running via V3 flow |
|
||||
| V3 — /recipe-upgrade sandbox GREEN | IN PROGRESS | custom-html-tiny upgrade underway |
|
||||
| V1 — !testme trigger + result-back | IN PROGRESS | fresh !testme on custom-html-tiny PR#2 pending |
|
||||
| V2 — testme-on-pr.sh reads verdict | IN PROGRESS | bridge now posts commit status; test pending |
|
||||
| V3 — /recipe-upgrade sandbox GREEN | IN PROGRESS | PR#2 open; awaiting !testme GREEN |
|
||||
| V4 — 3-iter regression loop | TODO | |
|
||||
| V5 — stale-test DEFAULT = comment | TODO | |
|
||||
| V6 — --with-tests opens+verifies cc-ci test PR | TODO | |
|
||||
| V7 — mirror reconciliation | IN PROGRESS | open-recipe-pr.sh reconciler running |
|
||||
| V7 — mirror reconciliation | PARTIAL | PR#1 closed as superseded ✓; more evidence via V3 |
|
||||
| V8 — /upgrade-all DEFAULT run | TODO | |
|
||||
| V8a — cc-ci-upgrader agent | TODO | |
|
||||
| V9 — cleanup | TODO | |
|
||||
|
||||
Reference in New Issue
Block a user