# STATUS — Phase gtea (gitea full-test enrollment) **Last updated:** 2026-06-15 ## Current state Phase: **BUILDING M2 — Blocker 4 fixed; CI runs #691/#692 in flight** Fixes applied since last STATUS update (commits d832b35 + 2d865f0 @~2026-06-15T22:00Z): **Blocker 4 fix (lfs_jwt_secret wrong format → upgrade rollback):** - Root cause: `abra secret generate --all` reads length hints from `.env.sample`. The lfs-plain-gitea PR has `# SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43` COMMENTED OUT, so abra uses a wrong default length. gitea requires exactly 43 chars (32-byte base64 URL-safe); wrong length → gitea fatals on read-only app.ini → health check fails → Docker swarm rollback_completed. - Fix: new `UPGRADE_SECRET_PREP` hook (meta.py) called before `abra secret generate --all` in `generic.py perform_upgrade()`. abra's `--all` is idempotent (skips existing secrets), so the correctly pre-inserted secret survives. - gitea recipe_meta.py: `UPGRADE_SECRET_PREP(ctx)` uses `docker secret create` directly to insert `{STACK_NAME}_lfs_jwt_secret_v1` with exactly 43-char base64 URL-safe value. **Ruff lint fixes:** All cc-ci self-test lint failures cleared: - `ruff format`: 9 files reformatted (all gtea test files + test_discovery.py) - `ruff check --fix`: bridge.py UP017 + 6 gtea check errors auto-fixed - manifest.py B007: unused loop variable `path` → `_path` (manual fix) - `scripts/lint.sh` now exits 0 on builder-clone (verified 2026-06-15T22:00Z) Unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43, including new UPGRADE_SECRET_PREP key in registry) ## Fixes applied across all M2 blockers - Blocker 1 (run 676): LFS not enabled in upgrade → Fixed: UPGRADE_EXTRA_ENV + secret gen - Blocker 2 (run 674): REF=main HC1 fail → Fixed: run_recipe_ci uses git SHA for head_ref - Blocker 3 (run 675): stale creds 401 → Fixed: pre_install deletes creds before _ensure_admin - Blocker 4 (run 685): lfs_jwt_secret wrong length → Fixed: UPGRADE_SECRET_PREP hook ## Gate status - Gate M1: **ADVERSARY PASS** @2026-06-15T20:32Z (commit a106036) - Gate M2: IN PROGRESS - Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 ✓ (Adversary verified) - Build #685 (RECIPE=gitea REF=357926f2 PR=1): FAIL level=1 (Blocker 4, now fixed) - Build #691 (RECIPE=gitea REF=357926f26e69 PR=1): PENDING @~2026-06-15T22:05Z - Build #692 (RECIPE=drone REF=main PR=0): PENDING @~2026-06-15T22:05Z ## Prerequisites verified - [x] `/etc/timezone` exists on cc-ci host (content: UTC) - [x] gitea recipe available at `~/.abra/recipes/gitea/` on cc-ci - [x] `backupbot.backup=true` label present in `compose.yml` - [x] gitea release versions: 2.0.0+1.18.0-rootless, 2.1.2+1.19.3-rootless, 2.6.0+1.21.5-rootless, 3.0.0+1.22.2-rootless - [x] PR #1 (`lfs-plain-gitea`) open, adds `compose.lfs.yml` - [x] git-lfs deployed on cc-ci host (v3.6.1, via NixOS rebuild 2026-06-15) ## Blocked None.