From f86a58addf202b68afc24b67b4e0a54e7aa1275a Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 29 May 2026 21:59:07 +0100 Subject: [PATCH] =?UTF-8?q?journal(2):=20drone+gitea=20integration=20fully?= =?UTF-8?q?=20scoped=20(gitea=20dep=20config=20+=20admin/token/OAuth-app?= =?UTF-8?q?=20+=20install=5Fsteps=20wiring;=20=C2=A74.3=20build-creation?= =?UTF-8?q?=20deferred)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- machine-docs/JOURNAL-2.md | 41 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/machine-docs/JOURNAL-2.md b/machine-docs/JOURNAL-2.md index 9db9d29..56b004f 100644 --- a/machine-docs/JOURNAL-2.md +++ b/machine-docs/JOURNAL-2.md 
@@ -1120,3 +1120,44 @@ OAuth-at-install wiring so drone BOOTS (install+upgrade green + a health/version = maximal subset), and DEFER the build-creation §4.3 with a DEFERRED.md entry + Adversary §7.1 sign-off** (the create-build pipeline is a dedicated unit). Decide next iteration; gitea-dep wiring is the main effort. Do NOT deploy concurrently with the Adversary's mailu cold-verify. + +## 2026-05-29 — drone+gitea integration FULLY SCOPED (execute next iteration) +Confirmed mechanics: +- `deps.py::deploy_deps` is GENERIC (deploys any dep recipe by name + waits health; reads + tests//recipe_meta.py EXTRA_ENV/HEALTH via meta_for). So DEPS=["gitea"] works, BUT gitea needs + config: gitea ships `COMPOSE_FILE=compose.yml:compose.mariadb.yml` (app + mariadb, 2 services) and + uses GITEA_DOMAIN for ROOT_URL/OAuth redirects — defaults to gitea.example.com, so a dep deploy + needs GITEA_DOMAIN pinned to the per-run dep domain. +- gitea: `INSTALL_LOCK=true` (no web installer), NO auto-admin user via env. Admin must be created via + the gitea CLI in the app container: `gitea admin user create --admin --username ccci --password + --email ccci@ci.local --must-change-password=false`, then a token: `gitea admin user + generate-access-token -u ccci --scopes 'write:application,write:user' --raw` (gitea ≥1.19 syntax). +- drone OAuth: drone needs DRONE_GITEA_SERVER=https:// + DRONE_GITEA_CLIENT_ID + a + `client_secret` swarm secret (compose.gitea.yml). Create the gitea OAuth2 app via API: + `POST https:///api/v1/user/applications/oauth2` (header Authorization: token ) + body {name, redirect_uris:["https:///login"], confidential_client:true} → returns + {client_id, client_secret}. +INTEGRATION PLAN (execute fresh): +1. tests/gitea/recipe_meta.py: EXTRA_ENV(domain)→{GITEA_DOMAIN:domain, GITEA_DISABLE_REGISTRATION:"true"} + (+ any required), HEALTH_PATH="/" HEALTH_OK=(200,302), DEPLOY_TIMEOUT~900. (gitea as a dep app.) +2. 
tests/drone/recipe_meta.py: DEPS=["gitea"]; EXTRA_ENV(domain)→ COMPOSE_FILE="compose.yml:compose.gitea.yml", + DRONE_USER_CREATE="username:ccci,admin:true" (match the gitea admin username so drone admin maps), + GITEA_DOMAIN= (from deps file at install_steps time — so EXTRA_ENV may need the dep + domain, which isn't known until deps deploy → use install_steps for the dep-dependent env, like the + keycloak OIDC-at-install pattern). HEALTH_PATH="/healthz" HEALTH_OK=(200,). Likely OIDC_AT_INSTALL-style. +3. tests/drone/install_steps.sh: read $CCCI_DEPS_FILE for gitea dep domain; exec into the gitea dep + container to create admin+token (or via API); create the OAuth2 app → client_id/secret; `abra app + secret insert drone client_secret v1 `; env_set DRONE_GITEA_CLIENT_ID + GITEA_DOMAIN into + drone .env; then the single drone deploy boots with gitea SCM. (Mirror lasuite OIDC-at-install: the + orchestrator deploys the dep BEFORE drone when OIDC_AT_INSTALL+DEPS; install_steps wires it.) + NOTE: install_steps runs in the drone deploy_app; the gitea dep must be deployed FIRST — verify the + orchestrator's OIDC_AT_INSTALL path deploys deps before the parent (it does: _provision_deps before + deploy when oidc_at_install). May need to generalize that flag (e.g. DEPS_AT_INSTALL) for non-OIDC. +4. §4.3 build-creation (create/list builds): DEFER — needs drone user OAuth token (drone issues tokens + only post-OAuth-login against gitea; headless OAuth consent is complex) + a synced repo + .drone.yml + + a push/webhook trigger. DISPROPORTIONATE pipeline. Ship MAXIMAL SUBSET: drone boots with gitea SCM + (install+upgrade+health/healthz + a functional test asserting drone serves /healthz 200 and the + login page advertises gitea SSO, proving SCM configured). DEFERRED.md entry + Adversary §7.1 sign-off + for the build-trigger pipeline. SMOKE-FIRST: manually deploy gitea→create OAuth app→deploy drone wired + →confirm /healthz, before writing test code (nail the gitea CLI/API calls). 
+This is the heaviest Phase-2 integration; budget multiple iterations. Hold deploys if Adversary active.
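Review bot: several placeholder values in this hunk have come through empty, so the commands as written cannot be copied into `install_steps.sh` verbatim: `--password` is followed directly by `--email`, `tests//recipe_meta.py` has lost the dep name, every `https://` in `DRONE_GITEA_SERVER`, the API URL and `redirect_uris` has no host, and `abra app secret insert drone client_secret v1 ` ends without the secret value. This reads like angle-bracket placeholders being dropped; write them in a form that survives (for example `${GITEA_DEP_DOMAIN}`, `${GITEA_ADMIN_PASSWORD}`, `${CLIENT_SECRET}`) so the next iteration does not have to re-derive them. On the same lines, note that the admin password and the `--raw` token both travel on the gitea CLI command line, so in step 3 source the password from a generated secret rather than a literal (gitea's `gitea admin user create --random-password` is the simplest way to avoid a hard-coded value), capture the token and `client_secret` into variables that go straight into `abra app secret insert`, and make sure none of them are echoed into test output or this journal; the `write:application,write:user` scope set is also wider than creating one OAuth2 app requires, so trim it once the API call in step 3 is confirmed working during the SMOKE-FIRST pass.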