cc-ci

recipe-maintainers/cc-ci

Fork 0

Commit Graph

Author	SHA1	Message	Date
autonomic-bot	a044abb298	feat(2w): W0.6 unpinned warm reconciler + WC1.2 safety gate + WC1.1 scaffold runner/warm_reconcile.py (python, packaged into nix store, replaces bash reconcile): UNPIN keycloak (deploy latest published version TAG; recipe fetched at runtime -> D8 closure byte-identical). WC1.2 pre-deploy safety gate (runs FIRST): major recipe/app-version bump OR releaseNotes manual-migration marker -> hold-on-current + alert sentinel (no deploy churn). WC1.1 health-gated upgrade-with-rollback: record last-good -> [keycloak: undeploy->warmsnap.snapshot ->deploy latest] -> health-gate -> commit-or-(restore+redeploy-prior+alert). Alerts = /var/lib/ci-warm/alerts/*.json (Builder loop relays). current version read from abra TYPE=<recipe>:<version>. CCCI_SKIP_FETCH test hook. +8 unit tests for the version gate (56 unit pass). Proven on cc-ci: nixos-rebuild switch -> warm-keycloak.service runs the python reconciler -> noop-healthy (system 0-failed, /realms/master=200). WC1.2 holds proven live: MAJOR bump -> held-major (keycloak untouched); minor+manual- migration notes -> held-manual-migration (alert carries notes); no deploy churn. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-29 00:42:02 +01:00
autonomic-bot	88c11142de	fix(2w): W0.3 warm-keycloak reconciler — newline bite + skip-if-healthy - set_env: ensure trailing newline before append (keycloak .env.sample ends with a newline-less #COMPOSE_FILE comment, so a bare append glued DOMAIN onto it -> DOMAIN unset -> KC_HOSTNAME=https:// -> crash-loop). Same bite fixed in backupbot.nix. - converge skips the (forced) redeploy when keycloak already serves 200, so an activation/boot is a true no-op (no JVM-restart blip) and only redeploys when down/crash-looping. Health-wait extended to 15min. Verified on cc-ci: nixos-rebuild switch -> warm-keycloak.service active, 'no-op converge', system running (0 failed), /realms/master=200. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-28 23:52:01 +01:00
autonomic-bot	c8e9ddb681	feat(2w): W0.3 declarative warm-keycloak reconciler (WC1) nix/modules/warm-keycloak.nix: idempotent systemd oneshot (like deploy-proxy) that converges a live-warm shared keycloak at warm-keycloak.ci.commoninternet.net pinned to 10.7.1+26.6.2, secrets generated only-if-missing (never rotate a live provider), waits /realms/master=200. Re-warmable from scratch (D8/WC8). Wired into hosts/cc-ci/configuration.nix. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-28 23:28:44 +01:00

Author

SHA1

Message

Date

autonomic-bot

a044abb298

feat(2w): W0.6 unpinned warm reconciler + WC1.2 safety gate + WC1.1 scaffold

runner/warm_reconcile.py (python, packaged into nix store, replaces bash
reconcile): UNPIN keycloak (deploy latest published version TAG; recipe fetched
at runtime -> D8 closure byte-identical). WC1.2 pre-deploy safety gate (runs
FIRST): major recipe/app-version bump OR releaseNotes manual-migration marker
-> hold-on-current + alert sentinel (no deploy churn). WC1.1 health-gated
upgrade-with-rollback: record last-good -> [keycloak: undeploy->warmsnap.snapshot
->deploy latest] -> health-gate -> commit-or-(restore+redeploy-prior+alert).
Alerts = /var/lib/ci-warm/alerts/*.json (Builder loop relays). current version
read from abra TYPE=<recipe>:<version>. CCCI_SKIP_FETCH test hook.
+8 unit tests for the version gate (56 unit pass).

Proven on cc-ci: nixos-rebuild switch -> warm-keycloak.service runs the python
reconciler -> noop-healthy (system 0-failed, /realms/master=200). WC1.2 holds
proven live: MAJOR bump -> held-major (keycloak untouched); minor+manual-
migration notes -> held-manual-migration (alert carries notes); no deploy churn.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-29 00:42:02 +01:00

autonomic-bot

88c11142de

fix(2w): W0.3 warm-keycloak reconciler — newline bite + skip-if-healthy

- set_env: ensure trailing newline before append (keycloak .env.sample ends
  with a newline-less #COMPOSE_FILE comment, so a bare append glued DOMAIN onto
  it -> DOMAIN unset -> KC_HOSTNAME=https:// -> crash-loop). Same bite fixed in
  backupbot.nix.
- converge skips the (forced) redeploy when keycloak already serves 200, so an
  activation/boot is a true no-op (no JVM-restart blip) and only redeploys when
  down/crash-looping. Health-wait extended to 15min.

Verified on cc-ci: nixos-rebuild switch -> warm-keycloak.service active,
'no-op converge', system running (0 failed), /realms/master=200.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-28 23:52:01 +01:00

autonomic-bot

c8e9ddb681

feat(2w): W0.3 declarative warm-keycloak reconciler (WC1)

nix/modules/warm-keycloak.nix: idempotent systemd oneshot (like deploy-proxy)
that converges a live-warm shared keycloak at warm-keycloak.ci.commoninternet.net
pinned to  10.7.1+26.6.2, secrets generated only-if-missing (never
rotate a live provider), waits /realms/master=200. Re-warmable from scratch
(D8/WC8). Wired into hosts/cc-ci/configuration.nix.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-28 23:28:44 +01:00

3 Commits