status(bsky): bootstrap phase — root cause proven (:0.4 moving tag now ships 0.5.1/node24/index.ts; recipe entrypoint execs index.js), fix = exact-pin 0.4.219; decisions + upstream registry
This commit is contained in:
18
BACKLOG-bsky.md
Normal file
18
BACKLOG-bsky.md
Normal file
@ -0,0 +1,18 @@
|
||||
# BACKLOG — phase bsky
|
||||
|
||||
## Build backlog
|
||||
|
||||
- [x] B1: Root-cause diagnosis — inspect recipe compose/entrypoint + actual `:0.4` image vs exact tags on cc-ci (2026-06-11)
|
||||
- [x] B2: Upstream research persisted to cc-ci-plan/upstream/bluesky-pds.md (plan repo f395247)
|
||||
- [ ] B3: DECISIONS.md entry — pin choice (exact 0.4.219 over 0.5.1-main / digest pin), version label bump
|
||||
- [ ] B4: Mirror PR branch `upgrade-0.3.0+v0.4.219` — compose.yml re-pin + label bump; open PR on recipe-maintainers/bluesky-pds
|
||||
- [ ] B5: `!testme` on the PR → full lifecycle green (install/health, upgrade-path status justified, backup/restore, functional, L5 lint); record level under de-capped semantics + reconcile expected baseline
|
||||
- [ ] B6: Screenshot on the green PR run — verify PNG real/representative/credential-free (Read it); SCREENSHOT hook only if needed
|
||||
- [ ] B7: Claim M1 (root cause + green fix PR + screenshot verified)
|
||||
- [ ] B8: Close DEFERRED bluesky entries with pointers; JOURNAL note updating shot-phase N/A disposition
|
||||
- [ ] B9: Operator handoff summary in STATUS-bsky.md (what was wrong, what the PR changes, post-merge expectations incl. canonical/warm reseed)
|
||||
- [ ] B10: Claim M2
|
||||
|
||||
## Adversary findings
|
||||
|
||||
(Adversary-owned)
|
||||
49
JOURNAL-bsky.md
Normal file
49
JOURNAL-bsky.md
Normal file
@ -0,0 +1,49 @@
|
||||
# JOURNAL — phase bsky
|
||||
|
||||
## 2026-06-11T11:31Z–11:55Z — bootstrap + root-cause diagnosis (B1, B2)
|
||||
|
||||
Phase start. Read plan-phase-bsky-fix.md + plan.md §6.1/§7/§9. Adversary seeded
|
||||
REVIEW-bsky.md (8d5bf30) with cold baseline recon — same suspects I confirmed below.
|
||||
|
||||
**Diagnosis chain (commands + outputs):**
|
||||
|
||||
1. Mirror clone (b2d86ef): `compose.yml` pins `image: ghcr.io/bluesky-social/pds:0.4`,
|
||||
overrides entrypoint (`dumb-init --` + config-mounted `/entrypoint.sh`);
|
||||
`entrypoint.sh.tmpl` ends `exec node --enable-source-maps index.js` — relative path,
|
||||
resolved against image WORKDIR.
|
||||
|
||||
2. Live image inspection on cc-ci:
|
||||
`docker image inspect ghcr.io/bluesky-social/pds:0.4 --format "{{.Id}} created={{.Created}} workdir={{.Config.WorkingDir}} ... cmd={{.Config.Cmd}}"`
|
||||
→ `sha256:007500681bbf… created=2026-05-30T05:05:11Z workdir=/app entrypoint=[dumb-init --] cmd=[node --enable-source-maps index.ts]`
|
||||
`docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4 -c 'node --version; ls /app'`
|
||||
→ `v24.15.0` / `index.ts node_modules package.json pnpm-lock.yaml` — **no index.js**.
|
||||
`grep @atproto/pds /app/package.json` → `"@atproto/pds": "0.5.1"`; /usr/local/bin/goat present.
|
||||
So `:0.4` is now a main-branch 0.5.1 build → recipe's `index.js` exec = MODULE_NOT_FOUND.
|
||||
This precisely explains the rcust-era crash-loop evidence (Node v24.15.0 in traceback).
|
||||
|
||||
3. Upstream research:
|
||||
- ghcr tags/list (paginated): exact tags …0.4.158, 0.4.169, 0.4.182, 0.4.188, 0.4.193,
|
||||
0.4.204, 0.4.208, 0.4.219, plus anomalous 0.4.5001. `:0.4` digest `871194d2…` ==
|
||||
`latest`, ≠ `0.4.219` (`e0b756701c92…`) → :0.4 republished past the release line.
|
||||
- Dockerfile@v0.4.219: node:20.20-alpine3.23, WORKDIR /app, CMD index.js, dumb-init.
|
||||
- Dockerfile@main: node:24.15-alpine3.23, CMD index.ts, + goat binary — matches what
|
||||
`:0.4` now contains. GitHub `releases/latest` 404s (they only push git tags).
|
||||
- service/package.json@v0.4.219: `"@atproto/pds": "0.4.219"`.
|
||||
|
||||
4. Candidate-fix image verified on cc-ci:
|
||||
`docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4.219 -c 'node --version; ls /app; grep @atproto/pds /app/package.json; which dumb-init'`
|
||||
→ `v20.20.2` / index.js present / `"@atproto/pds": "0.4.219"` / `/usr/bin/dumb-init`.
|
||||
Image CMD `[node --enable-source-maps index.js]` — identical to what the recipe's
|
||||
entrypoint execs, so the override stays valid.
|
||||
|
||||
**Why pin 0.4.219 and not chase 0.5.1 (rationale, summarized in DECISIONS.md):** 0.5.1
|
||||
exists only as the moving `:0.4`/`latest`/sha- tags — no exact release tag, built from
|
||||
main, and Co-op Cloud upgrade tooling works on tags. Re-pinning to the newest *released*
|
||||
exact tag is the minimal, justified fix; when upstream cuts real 0.5.x release tags the
|
||||
recipe can upgrade properly (entrypoint will then need `index.ts` + Node 24 — noted in
|
||||
upstream registry).
|
||||
|
||||
Bridge enrollment confirmed: bluesky-pds in POLL_REPOS (nix/modules/bridge.nix:43) →
|
||||
`!testme` works. Mirror has only closed PR#1 (skill smoke test); my fix → PR#2.
|
||||
|
||||
Next: DECISIONS entry (B3), mirror branch + PR (B4), !testme (B5).
|
||||
46
STATUS-bsky.md
Normal file
46
STATUS-bsky.md
Normal file
@ -0,0 +1,46 @@
|
||||
# STATUS — phase bsky (fix bluesky-pds recipe + screenshot)
|
||||
|
||||
Phase SSOT: /srv/cc-ci/cc-ci-plan/plan-phase-bsky-fix.md
|
||||
Gate: none claimed yet — working M1 (root cause + green fix PR).
|
||||
|
||||
## Root cause (established 2026-06-11, evidence below)
|
||||
|
||||
bluesky-pds pins the MOVING image tag `ghcr.io/bluesky-social/pds:0.4` and overrides the
|
||||
image entrypoint with a config script that ends `exec node --enable-source-maps index.js`
|
||||
(relative to image WORKDIR `/app`). Upstream now publishes main-branch builds to `:0.4`
|
||||
(== `latest`): the current manifest (digest `sha256:871194d2…`, created 2026-05-30) is
|
||||
`@atproto/pds` 0.5.1 on Node v24.15.0 with the service restructured to `/app/index.ts`
|
||||
(no `index.js`) and CMD `node --enable-source-maps index.ts`. The recipe's hardcoded
|
||||
`index.js` therefore crash-loops `Cannot find module '/app/index.js'` (MODULE_NOT_FOUND).
|
||||
|
||||
Newest EXACT tag `0.4.219` keeps the layout the recipe assumes: Node v20.20.2,
|
||||
`/app/index.js` present, dumb-init present, CMD `node --enable-source-maps index.js`,
|
||||
`@atproto/pds: 0.4.219` (verified by running the image on cc-ci).
|
||||
|
||||
## How to verify the root cause (from any host with docker + ssh cc-ci)
|
||||
|
||||
- `ssh cc-ci 'docker image inspect ghcr.io/bluesky-social/pds:0.4 --format "{{.Created}} {{.Config.Cmd}}"'`
|
||||
→ EXPECTED: created 2026-05-30…, cmd `[node --enable-source-maps index.ts]`
|
||||
- `ssh cc-ci 'docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4 -c "node --version; ls /app; grep @atproto/pds /app/package.json"'`
|
||||
→ EXPECTED: v24.15.0; index.ts (NO index.js); `"@atproto/pds": "0.5.1"`
|
||||
- `ssh cc-ci 'docker run --rm --entrypoint sh ghcr.io/bluesky-social/pds:0.4.219 -c "node --version; ls /app; grep @atproto/pds /app/package.json"'`
|
||||
→ EXPECTED: v20.20.2; index.js present; `"@atproto/pds": "0.4.219"`
|
||||
- Recipe entrypoint: mirror `recipe-maintainers/bluesky-pds` @ b2d86ef,
|
||||
`entrypoint.sh.tmpl` last line `exec node --enable-source-maps index.js`;
|
||||
compose.yml `image: ghcr.io/bluesky-social/pds:0.4`.
|
||||
- Upstream refs: Dockerfile@main (node:24.15-alpine3.23, CMD index.ts) vs
|
||||
Dockerfile@v0.4.219 (node:20.20-alpine3.23, CMD index.js);
|
||||
ghcr tags list (exact tags end at 0.4.219; `:0.4` digest == `latest` digest
|
||||
`sha256:871194d2…` ≠ `0.4.219` digest `sha256:e0b756701c92…`).
|
||||
Research persisted: cc-ci-plan/upstream/bluesky-pds.md (plan repo f395247).
|
||||
|
||||
## Fix in flight (M1)
|
||||
|
||||
Re-pin to exact tag `0.4.219` + version label bump `0.2.0+v0.4` → `0.3.0+v0.4.219` on a
|
||||
mirror PR branch `upgrade-0.3.0+v0.4.219` (precedent: immich PR#2 naming). Entrypoint
|
||||
script unchanged — it matches 0.4.219's layout exactly. Then `!testme` to green, then
|
||||
screenshot verification.
|
||||
|
||||
## Operator summary
|
||||
|
||||
(to be completed at M2)
|
||||
@ -1353,3 +1353,17 @@ recipe"); pass iff the table rendered clean; anything else unver + loud log. Har
|
||||
(observed ~0.7s); executor runs before the tiers (tree at tested ref), double-wrapped, R7
|
||||
verdict-neutral. Full output → run artifact `lint.txt` (dashboard-served); status + failing
|
||||
rule ids → results.json `lint`.
|
||||
|
||||
**bluesky-pds re-pin decision (phase bsky, 2026-06-11).** The recipe pinned the moving tag
|
||||
`ghcr.io/bluesky-social/pds:0.4`, which upstream now republishes with main-branch builds
|
||||
(currently @atproto/pds 0.5.1, Node 24, `/app/index.ts` — no `index.js`), breaking the
|
||||
recipe's entrypoint override (`exec node --enable-source-maps index.js`). Fix: pin the
|
||||
newest RELEASED exact tag `0.4.219` (Node 20.20, `/app/index.js`, CMD identical to the
|
||||
recipe's exec line — entrypoint stays valid unchanged) and bump the version label
|
||||
`0.2.0+v0.4` → `0.3.0+v0.4.219` (minor bump for an upstream pin change, immich-PR#2
|
||||
precedent). REJECTED: tracking 0.5.1 (only exists as moving/sha- tags built from main —
|
||||
no release tag; would also require entrypoint `index.ts` migration against an unreleased
|
||||
version); digest-suffix pinning (abra survey/upgrade tooling chokes on tag@digest — see
|
||||
immich standing note). When upstream cuts real 0.5.x release tags, upgrade properly
|
||||
(entrypoint will then need the index.ts/Node-24 migration — recorded in
|
||||
cc-ci-plan/upstream/bluesky-pds.md). Never re-pin to `:0.4`/`latest`/minor tags.
|
||||
|
||||
Reference in New Issue
Block a user