cc-ci/machine-docs/REVIEW-gtea.md
autonomic-bot f85e54b155
review(gtea): M2 pre-verify — two critical blockers filed @2026-06-15T20:50Z
Run 674 (main): upgrade FAIL ("not intended PR-head"); run 676 (PR#1 LFS): test_lfs_roundtrip
fails at git-push batch endpoint (LFS not enabled in deployed container). Builder must fix before M2.
2026-06-15 20:52:56 +00:00


REVIEW — phase gtea (gitea full-test enrollment)

Adversary verdict log. Append-only. Only the Adversary writes here. Commit prefix: review(gtea): ...


Init @2026-06-15T19:33Z

Phase gtea started. No gates claimed yet by Builder. Baseline orientation run:

  • Builder hasn't started (no STATUS-gtea.md, no gtea commits on origin/main as of 3f6d7dc).
  • Existing tests/gitea/recipe_meta.py is the dep-provider stub (header: "NOT a standalone recipe-under-test").
  • Plan SSOT loaded: plan-phase-gtea-gitea-fulltests.md — M1 = suite green locally; M2 = green in real CI + LFS PR verified.
  • Exemplars to check: tests/cryptpad/, tests/keycloak/.
  • Will maintain independent break-it probes while Builder builds.

Pre-M1 code review @2026-06-15T19:58Z

Builder commit 33561c8 (all files) + 6ac9989 (Playwright fix) read.

PASS items

  • recipe_meta.py: READY_PROBE(ctx) and SCREENSHOT(page, ctx) signatures match registry hook_params ✓
  • BACKUP_CAPABLE=True explicit (compose.yml backupbot.backup=true confirmed) ✓
  • EXTRA_ENV dep path unchanged: sqlite3 + relaxed auth; LFS guard requires RECIPE=gitea AND overlay file ✓
  • PARITY.md honest about absent upstream tests (source note says recipe-info corpus, not upstream) ✓
  • ops.py pre_restore deletes marker + asserts absence — divergence is real ✓
  • test_restore.py asserts marker returned — a no-op restore would fail ✓
  • harness.http.retry_http_get, lifecycle.http_fetch, lifecycle.exec_in_app all exist in the harness ✓
  • PARITY.md: beyond-parity test rationale non-vacuous ✓
  • Playwright fix: wait_for_selector("input#user_name") is visible — correct ✓

ISSUES filed (in BUILDER-INBOX.md @4a4b756)

[critical — M2 blocker] git-lfs not installed on cc-ci: git lfs is not a git subcommand. The LFS test uses git lfs install/track/ls-files — all fail without git-lfs. Fix: add git-lfs to nix/hosts/cc-ci/configuration.nix systemPackages, rebuild, deploy.

[bug in test_lfs_roundtrip.py] Double /api/v1 path: _api(live_app, "/api/v1/version", ...) constructs https://domain/api/v1/api/v1/version → 404. The restart health-poll will spin 120s then fail. Fix: change path argument to "/version".

Both issues affect only the LFS capstone (which skips on main). Do NOT block M1 verdict. M2 verdict will FAIL unless both are fixed before the lfs-plain-gitea run.

Additional pre-M1 cold checks @2026-06-15T20:10Z

Builder addressed inbox findings in commits 893a7b0, 3cc8338, 74bc5f0, 3ec24b0:

  • Double /api/v1 path bug: FIXED ("/version" path used correctly) ✓
  • git-lfs: added to nix/hosts/cc-ci-hetzner/configuration.nix (correct host config) ✓
  • test_git_push: auto_init=True repo, credential URL approach ✓
  • test_admin_api: scopes added for gitea 1.22+ ✓

Cold checks run from cc-ci /root/builder-clone (HEAD 3ec24b0):

  • recipe_meta.py: all keys load — BACKUP_CAPABLE=True, READY_PROBE callable, SCREENSHOT callable, EXTRA_ENV callable ✓
  • unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
  • LFS conditional (RECIPE=gitea, compose.lfs.yml absent): COMPOSE_FILE=sqlite3 only, LFS=False ✓
  • LFS skip mechanism: _lfs_enabled() returns False when compose.lfs.yml absent (main branch) ✓

M1 cold verification @2026-06-15T20:32Z

Builder claim: commit bac3662, all 5 stages PASS locally (RECIPE=gitea), run_id=manual.

Evidence reviewed (independent, from adv-clone at HEAD b2663dc)

results.json (/var/lib/cc-ci-runs/manual/results.json, mtime 20:08 today):

  • level: 5/5 ✓
  • install/upgrade/backup/restore/custom: all "pass" ✓
  • lint: "pass" ✓
  • LFS (test_lfs_roundtrip): status="skip", message="compose.lfs.yml absent in gitea recipe checkout — LFS is not enabled on this branch. This test runs on lfs-plain-gitea (PR #1) and is EXPECTED_NA on main." ✓
  • flags: clean_teardown=true, no_secret_leak=true ✓
  • customization: 4 custom tests, ops.py hooks for all 4 pre-op stages, meta non-default keys all correct ✓
  • unintentional skips: [] (no unexpected skips) ✓

Unit tests (Adversary cold run from adv-clone):

  • 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
  • test_gitea_recipe_meta_extra_env PASS — dep env correct (no LFS when RECIPE≠gitea) ✓
  • test_enrich_deps_routes_gitea PASS — dep routing intact ✓
  • test_drone_recipe_meta_deps PASS — DEPS=["gitea"] correct ✓

Code review of test hooks:

  • test_restore: pre_restore DELETES marker + asserts absence; test asserts marker RETURNED — no-op restore fails ✓
  • test_upgrade: marker_repo_exists() hits API with admin creds — data continuity is real ✓
  • test_git_push: auto_init=True repo, credential URL embedded, push via git; verifies non-empty response ✓
  • test_admin_api: creates user, org, token via API with 1.22+ scopes; teardown cleans up ✓
  • test_health: HTTP 200 on root endpoint ✓
  • LFS conditional: 2-guard (_lfs_enabled requires RECIPE=gitea AND compose.lfs.yml exists) prevents dep leak ✓

Dep path verification:

  • No RECIPE=drone CI run post-Builder changes (last drone run was #506, June 13)
  • EXTRA_ENV dep path verified code-level: RECIPE=drone → no LFS flags, standard sqlite3+auth only ✓
  • Unit tests cover this path explicitly ✓

Findings

[non-blocking, pre-existing harness bug] Stale screenshot: /var/lib/cc-ci-runs/manual/screenshot.png has mtime June 13 — not from today's M1 run. Root cause: screenshot.capture() checks if not os.path.exists(out_path) after running the SCREENSHOT hook; since the file exists from a prior manual run (run_id="manual" reuses the same dir), _snap_with_blank_retry is never called and the old file persists. results.json reports "screenshot": "screenshot.png" (file exists and is non-empty), but it's a stale image. Non-blocking per R7 (cosmetics never change verdict). M2 will use DRONE_BUILD_NUMBER as run_id → fresh directory → no issue. NOT a Builder error; pre-existing harness limitation of manual runs. Filed in BACKLOG-gtea.md under Adversary findings.

[constraint] Independent harness run blocked by lifetime.py orphan guard: lifetime.install_lifetime_guards() calls prctl(PR_SET_PDEATHSIG) then checks ppid==1; when running via systemd-run or nohup (detached), the harness correctly refuses to run orphaned. No bypass env var exists. Running the full harness in foreground would require ~30-min SSH hold. Code review + unit test verification substitutes for M1 (M2 !testme provides the live run).
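
The stale-screenshot finding above, modelled as an added example (not the harness's own code): `capture_exists_only` reproduces the exists-only check as described, and `capture_fresh` is one possible hardening that accepts an artifact only if it was modified after the run started. The function names, the no-op hook and the byte strings are constructed for illustration.

```python
import os
import tempfile
import time

def is_fresh(path, run_started_ns):
    """True only if path is non-empty and was modified during this run."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_size > 0 and st.st_mtime_ns >= run_started_ns

def capture_exists_only(out_path, hook, fallback):
    """Model of the reported check: fall back only when no file exists."""
    hook(out_path)
    if not os.path.exists(out_path):
        fallback(out_path)

def capture_fresh(out_path, hook, fallback, run_started_ns):
    """Hardened variant: a leftover file never counts as this run's evidence."""
    hook(out_path)
    if not is_fresh(out_path, run_started_ns):
        if os.path.exists(out_path):
            os.remove(out_path)
        fallback(out_path)

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Reused run dir holding an old screenshot; the hook writes nothing."""
    with tempfile.TemporaryDirectory() as run_dir:
        out = os.path.join(run_dir, "screenshot.png")
        now_ns = time.time_ns()
        run_started_ns = now_ns - 60 * 10**9       # run began a minute ago
        old_ns = now_ns - 2 * 86400 * 10**9        # leftover is two days old
        hook = lambda path: None                   # assumed: hook saved no file
        fallback = lambda path: _write(path, b"constructed-new")
        results = []
        for capture in (
            lambda: capture_exists_only(out, hook, fallback),
            lambda: capture_fresh(out, hook, fallback, run_started_ns),
        ):
            _write(out, b"constructed-old")
            os.utime(out, ns=(old_ns, old_ns))     # backdate the leftover file
            capture()
            with open(out, "rb") as fh:
                results.append(fh.read())
        return results
```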

M1 VERDICT: PASS @2026-06-15T20:32Z

All M1 DoD satisfied:

  • Suite built: install/upgrade/backup/restore/custom/lint all exist and ran ✓
  • Suite green locally: level=5/5, all stages PASS on main ✓
  • LFS test correctly SKIP on main (compose.lfs.yml absent → _lfs_enabled()=False) ✓
  • Tests have teeth: restore divergence is real, upgrade verifies data continuity ✓
  • Dep path unbroken: EXTRA_ENV dep route correct, unit tests pass ✓
  • No secrets in run artifacts: no_secret_leak=true ✓

Gate M1: ADVERSARY PASS (commit bac3662, run_id=manual, all stages pass)


M2 pre-verification @2026-06-15T20:50Z

Builder triggered !testme on PR #1 (gitea recipe mirror, git.autonomic.zone) and on main branch. Bridge is live with recipe-maintainers/gitea in POLL_REPOS. 3 CI runs completed:

Run 674 — main branch (RECIPE=gitea, PR=0, REF=main)

level=1. install: PASS. upgrade: FAIL. Error: "upgrade deployed chaos commit 'e6a1cc79', not the intended PR-head 'main' — the re-checkout to the code under test failed." backup/restore/custom: PASS (ran on the existing install despite upgrade failure). LFS test: correctly SKIP (REF=main, compose.lfs.yml absent from main branch). ✓

M2 main-branch DoD NOT met. Upgrade tier must PASS for level=5.

Run 675 — main branch concurrent (PR=0, REF=main)

level=0. All stages FAIL. Root cause: concurrent collision with run 674 (same domain from same recipe+pr+ref hash). ci_admin creds cached at /tmp/ccci-gitea-admin-.json from run 674 → 401 on API calls because gitea was in a stale state. Non-blocking bug (triggered by multiple !testme comments).

Run 676 — PR #1 (RECIPE=gitea, PR=1, REF=357926f2)

level=3. install/upgrade/backup/restore: PASS ✓. custom: FAIL. LFS test failure: git push batch endpoint returns "Repository or object not found". _lfs_available() returned True (compose.lfs.yml present in recipe dir at test time — confirmed via recipe reflog: checkout to 357926f2 at 20:35:58, test ran at 20:36:36). But gitea LFS server was not accepting LFS batch requests → LFS_START_SERVER = false in app.ini.

PR #1 code verified correct:

  • compose.lfs.yml: GITEA_LFS_START_SERVER=true + lfs_jwt_secret external secret ✓
  • app.ini.tmpl: LFS_START_SERVER rendered from env, LFS_JWT_SECRET conditional ✓
  • abra.sh: APP_INI_VERSION v22 (triggers re-render on deploy) ✓

Likely harness-level bug: either (a) lfs_jwt_secret not generated (SECRET_LFS_JWT_SECRET_VERSION=v1 only in EXTRA_ENV dict, not in disk .env file read by abra secret generate), or (b) compose.lfs.yml not included in COMPOSE_FILE at actual docker deploy time due to abra base-deploy checkout timing (abra checked out 3.5.2+1.24.2-rootless tag at 20:35:37 removing compose.lfs.yml, harness re-checked 357926f2 at 20:35:58 restoring it, but EXTRA_ENV may have been evaluated before that).

Filed as critical M2 blockers in BACKLOG-gtea.md. Builder must fix before M2 can be claimed.

M2 VERDICT: PENDING — two critical blockers

  1. LFS test fails in run 676 (PR #1 custom tier fail, level=3 not level=5)
  2. Upgrade fails on main branch run 674 (level=1, not level=5)

Gate M2: NOT CLAIMED — Builder must fix and re-trigger CI