cc-ci/machine-docs/REVIEW-nixenv.md
2026-06-17 17:12:06 +00:00


REVIEW — phase nixenv (Adversary)

Phase plan: /srv/cc-ci/cc-ci-plan/plan-phase-nixenv-shared-runtime-env.md is the SSOT for verification. Verdicts below; cold runs only.

Status: nixenv not yet started by Builder as of 2026-06-17T17:11Z — no STATUS-nixenv.md, no nixenv code commits. Settings phase closed ## DONE @ dd6712c (M1+M2 PASS standing). Idle, prepped, awaiting claim(...) for M1.


Cold-prep — enumeration of the CURRENT (pre-refactor) declarations @ HEAD dd6712c

The M1 superset-or-equal proof must show the new shared set ⊇ the union of all of these. Captured from the code (SSOT), independent of any Builder narrative:

(A) nix/modules/harness.nix (cc-ci-run, the Drone entrypoint) runtimeInputs: pyEnv abra docker git coreutils util-linux

  • pyEnv = python3.withPackages [ pytest playwright ]
  • env: PLAYWRIGHT_BROWSERS_PATH=${playwright-driver.browsers}, PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1

(B) nix/modules/nightly-sweep.nix — sweep runtimeInputs: bash abra docker git curl jq gnused gnugrep gnutar coreutils util-linux procps

  • DUPLICATE pyEnv = python3.withPackages [ pytest playwright ]
  • same PLAYWRIGHT env
  • DEFECT-3 patch: export PATH="/run/current-system/sw/bin:/run/wrappers/bin:$PATH" (host-PATH prepend)

(C) Drone runner path — nix/modules/drone-runner.nix: PATH = mkForce "/run/current-system/sw/bin:/run/wrappers/bin" → recipe shell-outs resolve from host environment.systemPackages, NOT a runtimeInputs list.

(D) Host systemPackages (feeds C):

  • nix/hosts/cc-ci/configuration.nix: curl git jq openssh (NO git-lfs)
  • nix/hosts/cc-ci-hetzner/configuration.nix: curl git git-lfs jq openssh

UNION the shared set must cover (≥):

python3+pytest+playwright (pyEnv) · playwright browsers · abra docker git git-lfs coreutils util-linux bash curl jq gnused gnugrep gnutar procps openssh. Plan §2 also names openssl as a recipe shell-out, so expect it present too.

Pre-noted suspicions to break on M1/M2 (cold, not yet verdicts):

  1. Host divergence: cc-ci config lacks git-lfs but hetzner has it. Which config is the LIVE ssh cc-ci server running, and does git-lfs actually resolve there today? If the shared set is applied to both host configs, cc-ci should GAIN git-lfs. Verify both configs end identical.
  2. Nothing dropped: any token in the union missing from the shared set = blast-radius break.
  3. Sweep parity by construction: plan wants sweep to invoke cc-ci-run (same entrypoint) — if it instead keeps a parallel list, "single source" is not actually achieved; grep must prove no module declares its own harness dep list.
  4. DEFECT-3 patch removal: the host-PATH prepend should be gone/subsumed; if removed, git-lfs etc. must now come from the shared runtimeInputs, else the sweep regresses.
  5. Live witness: gitea test_lfs_roundtrip must stay GREEN under BOTH Drone path and a real timer fire from the unified env.
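Cold-check helpers for suspicions 1 to 3, written for this review as an added example; they are not from the plan, the Builder, or the repo. Assumptions: each declaration is handed in as a whitespace-separated token list with pyEnv expanded to its package names; the shared set is passed the same way; the host PATH checked is the mkForce'd Drone PATH from (C); SHARED_CANDIDATE is a hypothetical Builder set that forgot git-lfs, so the superset check must flag exactly that token. The token lists are transcribed from the enumeration above.

```shell
#!/bin/sh
# Added review helpers for the M1 superset check (not code from the plan or the repo).
# Assumption: declarations are whitespace-separated token lists, pyEnv already expanded.

# Sorted, de-duplicated union of every token in the given declarations.
union_tokens() {
  printf '%s\n' "$@" | tr ' ' '\n' | grep -v '^$' | sort -u
}

# Suspicion 2 (nothing dropped): print union tokens the shared set lacks.
# Status 0 when shared ⊇ union, 1 otherwise.
missing_from_shared() {
  shared="$1"; shift
  missing=""
  for tok in $(union_tokens "$@"); do
    case " $shared " in
      *" $tok "*) ;;
      *) missing="$missing $tok" ;;
    esac
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# Suspicion 1 (host divergence): print tokens that do NOT resolve on a given PATH,
# e.g. does git-lfs resolve on the live cc-ci host under the Drone PATH today?
unresolved_on_path() {
  path="$1"; shift
  for tok; do
    (PATH="$path"; command -v "$tok" >/dev/null 2>&1) || printf '%s\n' "$tok"
  done
}

# Suspicion 3 (single source): files still carrying their own runtimeInputs list.
# After the refactor exactly one module should be printed.
own_dep_lists() {
  grep -l 'runtimeInputs' "$@" 2>/dev/null
}

# Constructed inputs, transcribed from the enumeration above (pyEnv expanded).
HARNESS="python3 pytest playwright abra docker git coreutils util-linux"
SWEEP="bash abra docker git curl jq gnused gnugrep gnutar coreutils util-linux procps"
HOST_CCCI="curl git jq openssh"
HOST_HETZNER="curl git git-lfs jq openssh"
PLAN_EXTRA="openssl"

# Hypothetical Builder shared set that forgot git-lfs (assumption, for illustration).
SHARED_CANDIDATE="python3 pytest playwright abra docker git coreutils util-linux bash curl jq gnused gnugrep gnutar procps openssh openssl"

if [ "${1:-}" = "run" ]; then
  if missing_from_shared "$SHARED_CANDIDATE" "$HARNESS" "$SWEEP" "$HOST_CCCI" "$HOST_HETZNER" "$PLAN_EXTRA"; then
    echo "M1 superset: PASS"
  else
    echo "M1 superset: FAIL (missing tokens listed above)"
  fi
  echo "unresolved on Drone PATH:"
  unresolved_on_path "/run/current-system/sw/bin:/run/wrappers/bin" git git-lfs openssl
  echo "modules with their own runtimeInputs:"
  own_dep_lists nix/modules/*.nix
fi
```

Run it on the live host with `sh check.sh run` from the repo root: the first block is the M1 verdict input, the second answers whether git-lfs resolves under (C) today, and the third is the grep that must return a single file for "single source" to hold.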