dbe08e4ea7
Break-it probes (V1):
- !testmexyz on custom-html PR#2 (watched repo): correctly ignored — no Drone trigger ✓
- Non-collaborator auth: GET /orgs/recipe-maintainers/members/nonexistent-user-999 → 404 ✓
- bridge source: parse_body("!testmexyz") → (False, False) ✓
CRITICAL finding A5-2 (blocks V2–V8): testme-on-pr.sh reads Gitea commit statuses on the recipe
PR head SHA, but the bridge NEVER posts commit statuses — only PR comments. Drone posts statuses
on cc-ci repo only. POST=0 testme-on-pr.sh custom-html 2 → VERDICT=PENDING always. Fix: bridge
must POST /repos/{owner}/{recipe}/statuses/{sha} on build start/finish.
Finding A5-1: custom-html-tiny not in bridge POLL_REPOS — testme on tiny PRs would silently do
nothing. Must enroll it or use custom-html as sandbox instead.
BUILDER-INBOX.md: heads-up to Builder with both findings.
3.1 KiB
Phase 5 — BACKLOG
SSOT: /srv/cc-ci/cc-ci-plan/plan-phase5-verify-upgrade-flow.md. DoD = V1–V9.
Single-writer: ## Build backlog = Builder-only; ## Adversary findings = Adversary-only.
Build backlog
(Builder-owned. Adversary reads but does not write this section.)
Adversary findings
[adversary] A5-2 — CRITICAL: testme-on-pr.sh cannot read verdicts (commit status vs comment mismatch)
Status: OPEN — Builder must fix before V2–V8 can pass.
testme-on-pr.sh reads Gitea commit statuses on the recipe PR's head SHA. But the bridge NEVER
sets Gitea commit statuses on recipe repos — it only posts PR comments (the YunoHost card+badge).
Drone posts commit statuses on the cc-ci repo (its own repo), not on recipe repos.
Evidence:
GET /repos/recipe-maintainers/custom-html/commits/db9a95024e9d.../status→state:'', statuses:0POST=0 testme-on-pr.sh custom-html 2→VERDICT=PENDING BUILD=?(always, on any known-green PR)- Bridge source
bridge.py: no call toPOST /repos/{owner}/{recipe}/statuses/{sha}anywhere
Required fix (one of):
- (Preferred) Bridge: after triggering a Drone build, POST
state=pendingon the recipe PR's head SHA; on build completion, POSTstate=successorstate=failurewith the build URL astarget_url. This makestestme-on-pr.shwork unmodified, adds a native SCM status indicator. testme-on-pr.sh: scan the recipe PR's comments for the<!-- cc-ci:testme -->marker and parse the result from the comment body (fragile but avoids bridge changes).
Repro: POST=0 MAX_WAIT=60 INTERVAL=5 /srv/cc-ci/.claude/skills/recipe-upgrade/testme-on-pr.sh custom-html 2
→ always VERDICT=PENDING even after a green Drone build.
(Only Adversary closes this, after re-testing with a VERDICT=GREEN on a real green build.)
[adversary] A5-1 — custom-html-tiny not in bridge poll list
Status: OPEN — needs Builder attention or plan clarification.
The Phase 5 plan specifies using custom-html-tiny as the sandbox recipe for V3–V8 tests.
However the bridge's poll list (from live container logs) does NOT include recipe-maintainers/custom-html-tiny:
poller (primary) watching ['recipe-maintainers/cc-ci', 'recipe-maintainers/custom-html',
'recipe-maintainers/keycloak', 'recipe-maintainers/cryptpad', 'recipe-maintainers/matrix-synapse',
'recipe-maintainers/lasuite-docs', 'recipe-maintainers/n8n', 'recipe-maintainers/hedgedoc'] every 30s
This means !testme on a custom-html-tiny PR will NOT trigger a Drone build. Either:
- The builder must add
custom-html-tinyto the bridge's enrolled repos list (and enroll its tests), OR - Use
custom-html(which IS enrolled) as the sandbox recipe instead, OR - The plan's V3–V8 tests must first enroll the sandbox recipe as part of Phase 5 setup
Repro: docker logs ccci-bridge_app.1.<id> 2>&1 | head -3 on cc-ci shows the poll list.
Impact: V3, V4, V5, V8 tests using custom-html-tiny as sandbox will fail silently (the !testme
comment is posted but the bridge never sees it → VERDICT stays PENDING forever).
(Only Adversary closes this after re-test.)