feat(reports): same-origin /pr proxy for the Recipe Report live STATUS column #7

Merged
autonomic-bot merged 1 commit from feat/reports-pr-status-proxy into main 2026-06-09 13:16:12 +00:00

Adds a same-origin realtime PR-status proxy to the ccci-reports nginx stack so the weekly Recipe Report's new live STATUS column can fetch each PR's state client-side.

What it does

  • New custom /etc/nginx/conf.d/default.conf (via pkgs.writeText, bind-mounted read-only) that keeps the static report serving and adds:
    • GET /pr/<recipe>/<n> → https://git.autonomic.zone/api/v1/repos/recipe-maintainers/<recipe>/pulls/<n>
  • Same-origin from the browser → no dependency on the Gitea CORS allow-list. Tokenless (recipe mirrors are public).

Safety

  • Owner hard-pinned to recipe-maintainers; recipe name restricted to a slashless charset [a-z0-9._-]+ → the proxied path can only ever address recipe-maintainers/<name>/pulls/<n> (cannot be coerced to another org/path).
  • limit_except GET HEAD { deny all; } — read-only.
  • proxy_ssl_server_name on + explicit Host header for SNI; Cache-Control: no-store so the browser always sees live state.

Verification done

  • nixos-rebuild build --flake '?submodules=1#cc-ci' cold on a fresh checkout — builds.
  • nginx -t on the generated config — syntax OK.
  • Live plumbing on the proxy overlay net: /pr/cryptpad/5 and /pr/n8n/3 return Gitea's own JSON (currently 404 — the recipe-maintainers org visibility is still private, an operator one-click flip; the proxy itself works and will return 200 PR JSON once the org is public). Traversal attempt ..%2f..%2fcc-ci/1 → 400 (not proxied elsewhere). Static / → 200.

@notplants

🤖 Generated with Claude Code

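The PR body above lists the nginx settings but not the configuration file itself. The following is an added illustration, not the `default.conf` merged in this PR and not autonomic-bot's code: a `default.conf` in the shape the "What it does" and "Safety" sections outline. It assumes the static reports are served from `/usr/share/nginx/html` on port 80 inside the `ccci-reports` container, and it uses a named `upstream` so that `proxy_pass` can take the location's regex captures without a runtime `resolver`. The `proxy_ssl_verify` and CA-bundle lines and the blanked `Authorization`/`Cookie` headers are hardening added here, not settings the PR states.

```nginx
# Added example, not the file merged in this PR.
# Named upstream: the hostname is resolved once at startup, so proxy_pass can
# use $1/$2 from the location regex without a runtime "resolver" directive.
upstream gitea_api {
    server git.autonomic.zone:443;
}

server {
    listen 80;
    server_name _;

    # Static weekly report serving (assumed docroot), unchanged behaviour.
    root  /usr/share/nginx/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # GET /pr/<recipe>/<n>  ->  Gitea API /repos/recipe-maintainers/<recipe>/pulls/<n>
    # $1 = recipe name, limited to a slashless charset; $2 = PR number, digits only.
    # The owner segment is a literal in proxy_pass, so no request can address
    # another org or path.
    location ~ ^/pr/([a-z0-9._-]+)/([0-9]+)$ {
        # Read-only: any method other than GET/HEAD is refused.
        limit_except GET HEAD { deny all; }

        proxy_pass https://gitea_api/api/v1/repos/recipe-maintainers/$1/pulls/$2;

        # TLS to Gitea: send the real hostname as SNI (not the upstream alias)
        # and set Host explicitly for the same reason.
        proxy_ssl_server_name on;
        proxy_ssl_name        git.autonomic.zone;
        proxy_set_header Host git.autonomic.zone;

        # Added hardening: nginx does not verify upstream certificates by
        # default. The CA bundle path is an assumption; adjust to the image.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Tokenless by design: never relay a browser-supplied credential upstream.
        proxy_set_header Authorization "";
        proxy_set_header Cookie        "";

        # Browser must always see live state: drop any upstream caching policy
        # and send no-store on every response, error responses included.
        proxy_hide_header Cache-Control;
        add_header Cache-Control "no-store" always;
    }

    # Added fallback: anything else under /pr/ (uppercase, extra segments,
    # non-numeric id) is never proxied anywhere.
    location /pr/ {
        return 404;
    }
}
```

Two points worth knowing when checking a config like this: nginx percent-decodes and normalises the request URI (collapsing `.` and `..`) before location matching, and it answers a path that climbs above the root with 400 rather than matching any location, which is the behaviour the traversal check in "Verification done" observed; and because a regex location is only consulted after the longest prefix match, the `/pr/` fallback is what any non-conforming `/pr/...` request reaches. `nginx -t` on the file confirms the syntax as the PR did for its own config.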
autonomic-bot added 1 commit 2026-06-09 13:12:04 +00:00
feat(reports): same-origin /pr/<recipe>/<n> proxy for the Recipe Report STATUS column
Some checks failed
continuous-integration/drone/push Build is failing
2d354009d9
Adds a custom nginx default.conf to the ccci-reports stack: keeps the static
report serving and adds a read-only, tokenless, same-origin proxy
  GET /pr/<recipe>/<n>  ->  Gitea API /repos/recipe-maintainers/<recipe>/pulls/<n>
so the report's live PR-status column can fetch state client-side without a CORS
dependency. Owner pinned to recipe-maintainers; recipe name restricted to a
slashless charset so the path can't be coerced elsewhere; GET/HEAD only.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
autonomic-bot merged commit c32e6105d0 into main 2026-06-09 13:16:12 +00:00
Reference: recipe-maintainers/cc-ci#7