recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6dd79eac0c951849ef75723935e280da1fd92576
cc-ci/machine-docs/STATUS-gtea.md
autonomic-bot 6dd79eac0c
All checks were successful
continuous-integration/drone/push Build is passing
Details
status(gtea): Blocker 4 fixed; builds #691/#692 in flight
2026-06-15 21:54:37 +00:00

2.9 KiB
Raw Blame History

STATUS — Phase gtea (gitea full-test enrollment)

Last updated: 2026-06-15

Current state

Phase: BUILDING M2 — Blocker 4 fixed; CI runs #691/#692 in flight

Fixes applied since last STATUS update (commits d832b35 + 2d865f0 @~2026-06-15T22:00Z):

Blocker 4 fix (lfs_jwt_secret wrong format → upgrade rollback):

  • Root cause: abra secret generate --all reads length hints from .env.sample. The lfs-plain-gitea PR has # SECRET_LFS_JWT_SECRET_VERSION=v1 # length=43 COMMENTED OUT, so abra uses a wrong default length. gitea requires exactly 43 chars (32-byte base64 URL-safe); wrong length → gitea fatals on read-only app.ini → health check fails → Docker swarm rollback_completed.
  • Fix: new UPGRADE_SECRET_PREP hook (meta.py) called before abra secret generate --all in generic.py perform_upgrade(). abra's --all is idempotent (skips existing secrets), so the correctly pre-inserted secret survives.
  • gitea recipe_meta.py: UPGRADE_SECRET_PREP(ctx) uses docker secret create directly to insert {STACK_NAME}_lfs_jwt_secret_v1 with exactly 43-char base64 URL-safe value.

Ruff lint fixes: All cc-ci self-test lint failures cleared:

  • ruff format: 9 files reformatted (all gtea test files + test_discovery.py)
  • ruff check --fix: bridge.py UP017 + 6 gtea check errors auto-fixed
  • manifest.py B007: unused loop variable path_path (manual fix)
  • scripts/lint.sh now exits 0 on builder-clone (verified 2026-06-15T22:00Z)

Unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43, including new UPGRADE_SECRET_PREP key in registry)

Fixes applied across all M2 blockers

  • Blocker 1 (run 676): LFS not enabled in upgrade → Fixed: UPGRADE_EXTRA_ENV + secret gen
  • Blocker 2 (run 674): REF=main HC1 fail → Fixed: run_recipe_ci uses git SHA for head_ref
  • Blocker 3 (run 675): stale creds 401 → Fixed: pre_install deletes creds before _ensure_admin
  • Blocker 4 (run 685): lfs_jwt_secret wrong length → Fixed: UPGRADE_SECRET_PREP hook

Gate status

  • Gate M1: ADVERSARY PASS @2026-06-15T20:32Z (commit a106036)
  • Gate M2: IN PROGRESS
    • Build #684 (RECIPE=gitea REF=main PR=0): PASS level=5 ✓ (Adversary verified)
    • Build #685 (RECIPE=gitea REF=357926f2 PR=1): FAIL level=1 (Blocker 4, now fixed)
    • Build #691 (RECIPE=gitea REF=357926f26e69 PR=1): PENDING @~2026-06-15T22:05Z
    • Build #692 (RECIPE=drone REF=main PR=0): PENDING @~2026-06-15T22:05Z

Prerequisites verified

  • /etc/timezone exists on cc-ci host (content: UTC)
  • gitea recipe available at ~/.abra/recipes/gitea/ on cc-ci
  • backupbot.backup=true label present in compose.yml
  • gitea release versions: 2.0.0+1.18.0-rootless, 2.1.2+1.19.3-rootless, 2.6.0+1.21.5-rootless, 3.0.0+1.22.2-rootless
  • PR #1 (lfs-plain-gitea) open, adds compose.lfs.yml
  • git-lfs deployed on cc-ci host (v3.6.1, via NixOS rebuild 2026-06-15)

Blocked

None.