journal(2): drone+gitea integration fully scoped (gitea dep config + admin/token/OAuth-app + install_steps wiring; §4.3 build-creation deferred)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 21:59:07 +01:00
parent 25ae2935b9
commit f86a58addf


@ -1120,3 +1120,44 @@ OAuth-at-install wiring so drone BOOTS (install+upgrade green + a health/version
= maximal subset), and DEFER the build-creation §4.3 with a DEFERRED.md entry + Adversary §7.1
sign-off** (the create-build pipeline is a dedicated unit). Decide next iteration; gitea-dep wiring is
the main effort. Do NOT deploy concurrently with the Adversary's mailu cold-verify.
## 2026-05-29 — drone+gitea integration FULLY SCOPED (execute next iteration)
Confirmed mechanics:
- `deps.py::deploy_deps` is GENERIC (deploys any dep recipe by name + waits health; reads
tests/<dep>/recipe_meta.py EXTRA_ENV/HEALTH via meta_for). So DEPS=["gitea"] works, BUT gitea needs
config: gitea ships `COMPOSE_FILE=compose.yml:compose.mariadb.yml` (app + mariadb, 2 services) and
uses GITEA_DOMAIN for ROOT_URL/OAuth redirects — defaults to gitea.example.com, so a dep deploy
needs GITEA_DOMAIN pinned to the per-run dep domain.
- gitea: `INSTALL_LOCK=true` (no web installer), NO auto-admin user via env. Admin must be created via
the gitea CLI in the app container: `gitea admin user create --admin --username ccci --password <pw>
--email ccci@ci.local --must-change-password=false`, then a token: `gitea admin user
generate-access-token -u ccci --scopes 'write:application,write:user' --raw` (gitea ≥1.19 syntax).
- drone OAuth: drone needs DRONE_GITEA_SERVER=https://<gitea-dep-domain> + DRONE_GITEA_CLIENT_ID + a
`client_secret` swarm secret (compose.gitea.yml). Create the gitea OAuth2 app via API:
`POST https://<gitea>/api/v1/user/applications/oauth2` (header Authorization: token <admintoken>)
body {name, redirect_uris:["https://<drone-domain>/login"], confidential_client:true} → returns
{client_id, client_secret}.
INTEGRATION PLAN (execute fresh):
1. tests/gitea/recipe_meta.py: EXTRA_ENV(domain)→{GITEA_DOMAIN:domain, GITEA_DISABLE_REGISTRATION:"true"}
(+ any required), HEALTH_PATH="/" HEALTH_OK=(200,302), DEPLOY_TIMEOUT~900. (gitea as a dep app.)
2. tests/drone/recipe_meta.py: DEPS=["gitea"]; EXTRA_ENV(domain)→ COMPOSE_FILE="compose.yml:compose.gitea.yml",
DRONE_USER_CREATE="username:ccci,admin:true" (match the gitea admin username so drone admin maps),
GITEA_DOMAIN=<dep domain> (from deps file at install_steps time — so EXTRA_ENV may need the dep
domain, which isn't known until deps deploy → use install_steps for the dep-dependent env, like the
keycloak OIDC-at-install pattern). HEALTH_PATH="/healthz" HEALTH_OK=(200,). Likely OIDC_AT_INSTALL-style.
3. tests/drone/install_steps.sh: read $CCCI_DEPS_FILE for gitea dep domain; exec into the gitea dep
container to create admin+token (or via API); create the OAuth2 app → client_id/secret; `abra app
secret insert drone client_secret v1 <secret>`; env_set DRONE_GITEA_CLIENT_ID + GITEA_DOMAIN into
drone .env; then the single drone deploy boots with gitea SCM. (Mirror lasuite OIDC-at-install: the
orchestrator deploys the dep BEFORE drone when OIDC_AT_INSTALL+DEPS; install_steps wires it.)
NOTE: install_steps runs in the drone deploy_app; the gitea dep must be deployed FIRST — verify the
orchestrator's OIDC_AT_INSTALL path deploys deps before the parent (it does: _provision_deps before
deploy when oidc_at_install). May need to generalize that flag (e.g. DEPS_AT_INSTALL) for non-OIDC.
4. §4.3 build-creation (create/list builds): DEFER — needs drone user OAuth token (drone issues tokens
only post-OAuth-login against gitea; headless OAuth consent is complex) + a synced repo + .drone.yml
+ a push/webhook trigger. DISPROPORTIONATE pipeline. Ship MAXIMAL SUBSET: drone boots with gitea SCM
(install+upgrade+health/healthz + a functional test asserting drone serves /healthz 200 and the
login page advertises gitea SSO, proving SCM configured). DEFERRED.md entry + Adversary §7.1 sign-off
for the build-trigger pipeline. SMOKE-FIRST: manually deploy gitea→create OAuth app→deploy drone wired
→confirm /healthz, before writing test code (nail the gitea CLI/API calls).
This is the heaviest Phase-2 integration; budget multiple iterations. Hold deploys if Adversary active.
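Review bot: in step 3 both the gitea admin password and the OAuth `client_secret` are passed as literal command-line arguments (`gitea admin user create ... --password <pw>` and `abra app secret insert drone client_secret v1 <secret>`), so install_steps.sh would leave them in the shell history and, for the in-container CLI call, visible in the dep container's process list for the duration of the call; feed them from a variable or a file instead of an argv literal, capture the `--raw` token output straight into a variable rather than echoing it, and state in the plan where the admin password and the `write:application,write:user` token end up after install. Related: that admin token is only needed for the single `POST /api/v1/user/applications/oauth2` call, but nothing in steps 3 or 4 revokes it afterwards, so it persists with write scopes on the per-run gitea dep; add a delete step once the app is created, or a DEFERRED.md line if keeping it is deliberate. Minor: the NOTE under step 3 leaves the `DEPS_AT_INSTALL` generalization as "may need", while step 2 already relies on OIDC_AT_INSTALL-style ordering for a non-OIDC dep; pin which flag the orchestrator checks before writing install_steps, since the smoke-first run in step 4 depends on the gitea dep being up before drone.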