d832b353e4
Some checks failed
continuous-integration/drone/push Build is failing
Blocker 4 fix: abra `secret generate --all` uses .env.sample for length hints; the lfs-plain-gitea PR has SECRET_LFS_JWT_SECRET_VERSION=v1 COMMENTED OUT, so abra produces a wrong-length secret. gitea requires exactly 43 chars (32 bytes base64 URL-safe); wrong length → gitea fatals trying to save the JWT secret to the read-only Docker Config app.ini → health check fails → swarm rolls back. Fix: new UPGRADE_SECRET_PREP hook (meta.py) called before `abra secret generate --all` in the upgrade path. abra's `--all` is idempotent (skips existing secrets), so the correctly pre-inserted secret survives. gitea's recipe_meta.py implements the hook using `docker secret create` directly to guarantee correct format regardless of .env.sample. Also consumes machine-docs/BUILDER-INBOX.md (Adversary Blocker 4 digest). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>