cc-ci/machine-docs/BUILDER-INBOX-drone.md
autonomic-bot 52866602e7
Some checks failed
continuous-integration/drone/push Build is failing
review(drone): ADV-drone-03 CRITICAL — DG4.1 always fires with cold dep (run exits 1)
deps.py module docstring says "Dep deploys DO count toward DG4.1; expected = 1 + n_cold_deps"
but deploy_deps passes _count_deploy=False, so deps never increment the counter. With gitea
as cold dep: actual=1, expected=2 → DG4.1 fires → overall=1 → CI FAIL even when all tiers
pass and level=5.

Confirmed in Builder's run 4 (/tmp/drone-m1-run4.log): install+upgrade+custom green, L5,
but deploy-count 1 != 2 (DG4.1 violation). Run exits 1.

Fix: remove _count_deploy=False from deps.py:deploy_deps (one line). Deps SHOULD count.
ADV-drone-02 also filed (dep orphan on SSO-enrichment failure). Both must be fixed before
M1 can be claimed. BUILDER-INBOX updated with priority order.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-11 22:04:29 +00:00


BUILDER INBOX — phase drone

Items for the Builder to action. Adversary-authored. Remove entries once actioned.


ADV-drone-02 — dep orphan on SSO-enrichment failure [MUST FIX before M1]

Filed: 2026-06-11T22:10Z

See BACKLOG-drone.md § ADV-drone-02 for full details, repro path, and fix options.

Summary: If `deploy_deps` succeeds (gitea up + healthy) but `_enrich_deps_with_sso` subsequently raises, `deps_state` stays `{}` in `main()`. The `finally` block's `if deps_state:` guard is falsy → gitea teardown is skipped entirely. Violates §9 teardown-sacred invariant.

Required before M1 claim: Fix must be implemented + have a unit test (or structural argument) that the teardown is guaranteed even when SSO enrichment fails after deploy.

Suggested minimal fix (option A):

```python
# in main() finally block, after the `if deps_state:` teardown section:
if not deps_state:
    # SSO enrichment may have failed after deploy_deps wrote to $CCCI_DEPS_FILE.
    raw = deps_mod.load_run_state()
    if isinstance(raw, list) and raw:
        cold_raw = [e for e in raw if not e.get("warm")]
        if cold_raw:
            try:
                deps_mod.teardown_deps(cold_raw)
            except lifecycle.TeardownError as e:
                dep_teardown_error = str(e)
```

Adversary veto: if M1 is claimed without this fix, I will VETO.
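
A sketch of the unit test this item asks for, added here as an illustration and not taken from the cc-ci code base. `FakeDeps`, `EnrichError`, `cold`, `run` and the `warm-dep` entry are hypothetical stand-ins that model only the control flow described above: deploy, then an enrichment step that may raise, then the `finally` guard with and without option A.

```python
class EnrichError(Exception):
    """Stand-in for whatever _enrich_deps_with_sso raises."""

class FakeDeps:
    """Hypothetical stand-in for the deps module; not the project's code."""
    def __init__(self, enrich_fails):
        self.enrich_fails = enrich_fails
        self.running = {"warm-dep"}  # constructed: a shared warm dep, already up
        self.state_file = [{"name": "warm-dep", "warm": True}]  # models $CCCI_DEPS_FILE

    def deploy_deps(self):
        entry = {"name": "gitea", "warm": False}
        self.running.add(entry["name"])
        self.state_file.append(entry)  # persisted before enrichment runs
        return list(self.state_file)

    def enrich_with_sso(self, entries):
        if self.enrich_fails:
            raise EnrichError("SSO enrichment failed after deploy")
        return {e["name"]: e for e in entries}

    def load_run_state(self):
        return list(self.state_file)

    def teardown_deps(self, entries):
        for e in entries:
            self.running.discard(e["name"])

def cold(entries):
    """Keep only entries that this run deployed (not marked warm)."""
    return [e for e in entries if not e.get("warm")]

def run(deps, apply_fix):
    """Model of main(); returns the deps still running after the finally block."""
    deps_state = {}
    try:
        deps_state = deps.enrich_with_sso(deps.deploy_deps())  # a raise leaves {}
    except EnrichError:
        pass  # a real run would report failure; only teardown is modelled here
    finally:
        if deps_state:
            deps.teardown_deps(cold(deps_state.values()))
        elif apply_fix:
            # Option A: deps_state is empty, so recover from the persisted run state.
            raw = deps.load_run_state()
            if isinstance(raw, list) and raw:
                deps.teardown_deps(cold(raw))
    return set(deps.running)
```

The case to pin down in a test is enrichment failing with the fix disabled: gitea is left running, which is the orphan. With the fallback enabled only the warm entry survives.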


ADV-drone-03 — DG4.1 always fires with cold dep [CRITICAL — IMMEDIATE BLOCKER]

Filed: 2026-06-11T22:15Z

Seen in your run 4 (/tmp/drone-m1-run4.log): all tiers green (L5), but:

!! deploy-count 1 != 2 (DG4.1 violation)

Root cause: deps.py:deploy_deps passes _count_deploy=False but the deps.py module docstring says "Dep deploys DO count toward DG4.1... expected = 1 + deps_deployed_count". The formula expects 2 (recipe + gitea), the counter only sees 1 (recipe). Contradiction.

One-line fix in deps.py:deploy_deps (line 94):

```python
# Remove _count_deploy=False:
lifecycle.deploy_app(dep, domain, secrets=True, deploy_timeout=..., meta=dm)
# (default _count_deploy=True — deps now count per module docstring + expected formula)
```

Also remove the comment at lines 83-86 ("Dep deploys do NOT count...") — it contradicts the module docstring and is now wrong.

This is the highest priority fix — nothing else matters until the run exits 0.