- tests/bluesky-pds/recipe_meta.py: HEALTH_PATH=/xrpc/_health, 600s timeouts.
- tests/bluesky-pds/install_steps.sh: recipe needs pds_plc_rotation_key (32-byte secp256k1
hex, marked generate=false). Hook generates via cc-ci-run python (secrets.token_bytes(32);
random 32-byte value is almost-always a valid secp256k1 private key, ~2^-128 fail rate).
Inserted via 'abra app secret insert' under TTY-wrap. Per-run class-B; destroyed at teardown.
- tests/bluesky-pds/PARITY.md: no health_check.py in the recipe-maintainer corpus -> Phase-2
health_check aligned with parity convention. goat_account.py parity deferred (needs goat CLI
in container; operational complexity).
- 3 functional tests:
  - test_health_check.py: GET /xrpc/_health -> 200, {version: ...}.
  - test_describe_server.py: GET /xrpc/com.atproto.server.describeServer -> 200, JSON with
    atproto config keys (availableUserDomains/inviteCodeRequired/links/did).
  - test_session_auth.py: GET /xrpc/com.atproto.server.getSession (no auth) -> 401 + JSON
    XRPC error envelope. (Replaced test_well_known_did — /.well-known/atproto-did isn't
    auto-published by the recipe.)
Cold-verifiable: ssh cc-ci 'RECIPE=bluesky-pds STAGES=install,custom cc-ci-run runner/run_recipe_ci.py'
install + 3 custom tests all PASS, deploy-count=1.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
34 lines
1.8 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# bluesky-pds — install-steps hook (Phase 1d DG5).
|
|
#
|
|
# bluesky-pds's `pds_plc_rotation_key` secret is marked `generate=false` in the recipe (the PLC
|
|
# rotation key is a secp256k1 private key that the deploy WILL reject if not pre-inserted). Run
|
|
# this hook AFTER `abra app secret generate` (which handles the recipe's auto-gen secrets) and
|
|
# BEFORE `abra app deploy` — generate a fresh secp256k1 key + insert it.
|
|
#
|
|
# The key is per-run class-B (each per-run domain gets its own); destroyed with the app at run end.
|
|
#
|
|
# Environment supplied by the orchestrator:
|
|
# CCCI_APP_DOMAIN — the per-run domain
|
|
# CCCI_RECIPE — "bluesky-pds"
|
|
# CCCI_APP_ENV — path to the app's .env file
|
|
set -euo pipefail
|
|
: "${CCCI_APP_DOMAIN:?CCCI_APP_DOMAIN must be set by the harness}"
|
|
|
|
echo " bluesky-pds install_steps: generating secp256k1 PLC rotation key..."
|
|
# The recipe README's recipe uses openssl+xxd; cc-ci's PATH only has python3 (the nix
|
|
# cc-ci-run env). A random 32-byte value is overwhelmingly always a valid secp256k1 private key
|
|
# (P(invalid) ~= 2^-128); Python's secrets.token_bytes(32) is cryptographically random + the
|
|
# same shape the PDS expects (32-byte hex). Equivalent for atproto PDS bootstrap.
|
|
KEY_HEX=$(cc-ci-run -c 'import secrets; print(secrets.token_bytes(32).hex())')
|
|
if [ -z "${KEY_HEX}" ] || [ "${#KEY_HEX}" != "64" ]; then
|
|
echo " install_steps: failed to generate PLC rotation key (KEY_HEX length=${#KEY_HEX})" >&2
|
|
exit 1
|
|
fi
|
|
|
|
# Insert via abra under TTY-wrap (`abra app secret insert` requires a TTY on this version).
|
|
# We DON'T log the key value — abra also doesn't print it.
|
|
script -qec "abra app secret insert ${CCCI_APP_DOMAIN} pds_plc_rotation_key v1 ${KEY_HEX} --no-input" /dev/null \
|
|
>/dev/null 2>&1
|
|
echo " bluesky-pds install_steps: PLC rotation key inserted (v1)."
|
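Review bot: the `script -qec "abra app secret insert ${CCCI_APP_DOMAIN} pds_plc_rotation_key v1 ${KEY_HEX} --no-input"` line places the rotation key in the command string, so it appears in the argv of both `script` and `abra` and can be read from the process list on the CI host while the insert runs, although the comment just above says the key is not logged. If this abra version can take the secret value from a file or stdin, pass it that way; if not, state the argv exposure in the header comment so the "not logged" claim is accurate. The same command redirects everything to `/dev/null`, so when abra fails, `set -e` ends the hook with no diagnostic; capture the output and print a failure line to stderr that omits the key. `${CCCI_APP_DOMAIN}` is also expanded unquoted inside the `-c` string and re-parsed by a shell, so check that it looks like a hostname before building the command. Finally, the check after `KEY_HEX=` tests only for length 64; adding a hex character-class test would catch a `cc-ci-run` invocation that prints 64 characters of something other than the key.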