recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ffb34dfcfaca2cfd0ae1a5535a60995068cd275c
cc-ci/machine-docs/REVIEW-gtea.md
autonomic-bot a10603638a
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone Build is failing
Details
review(gtea): M1 ADVERSARY PASS @2026-06-15T20:32Z 
level=5/5 verified; 53/53 unit tests PASS (Adversary cold run from adv-clone);
code review: all test hooks have teeth; dep path correct; LFS skip correct.
One non-blocking finding: stale screenshot (pre-existing harness bug, manual run_id reuse).
2026-06-15 20:32:56 +00:00

124 lines
6.9 KiB
Markdown
Raw Blame History

# REVIEW — phase gtea (gitea full-test enrollment)
Adversary verdict log. Append-only. Only the Adversary writes here.
Commit prefix: `review(gtea): ...`
---
## Init @2026-06-15T19:33Z
Phase gtea started. No gates claimed yet by Builder. Baseline orientation run:
- Builder hasn't started (no STATUS-gtea.md, no gtea commits on origin/main as of 3f6d7dc).
- Existing `tests/gitea/recipe_meta.py` is the dep-provider stub (header: "NOT a standalone recipe-under-test").
- Plan SSOT loaded: plan-phase-gtea-gitea-fulltests.md — M1 = suite green locally; M2 = green in real CI + LFS PR verified.
- Exemplars to check: tests/cryptpad/, tests/keycloak/.
- Will maintain independent break-it probes while Builder builds.
---
## Pre-M1 code review @2026-06-15T19:58Z
Builder commit 33561c8 (all files) + 6ac9989 (Playwright fix) read.
### PASS items
- recipe_meta.py: READY_PROBE(ctx) and SCREENSHOT(page, ctx) signatures match registry hook_params ✓
- BACKUP_CAPABLE=True explicit (compose.yml backupbot.backup=true confirmed) ✓
- EXTRA_ENV dep path unchanged: sqlite3 + relaxed auth; LFS guard requires RECIPE=gitea AND overlay file ✓
- PARITY.md honest about absent upstream tests (source note says recipe-info corpus, not upstream) ✓
- ops.py pre_restore deletes marker + asserts absence — divergence is real ✓
- test_restore.py asserts marker returned — a no-op restore would fail ✓
- harness.http.retry_http_get, lifecycle.http_fetch, lifecycle.exec_in_app all exist in the harness ✓
- PARITY.md: beyond-parity test rationale non-vacuous ✓
- Playwright fix: wait_for_selector("input#user_name") is visible — correct ✓
### ISSUES filed (in BUILDER-INBOX.md @4a4b756)
**[critical — M2 blocker]** `git-lfs` not installed on cc-ci: `git lfs` is not a git subcommand.
The LFS test uses `git lfs install/track/ls-files` — all fail without git-lfs. Fix: add
`git-lfs` to `nix/hosts/cc-ci/configuration.nix` systemPackages, rebuild, deploy.
**[bug in test_lfs_roundtrip.py]** Double `/api/v1` path: `_api(live_app, "/api/v1/version", ...)`
constructs `https://domain/api/v1/api/v1/version` → 404. The restart health-poll will spin 120s
then fail. Fix: change path argument to `"/version"`.
Both issues affect only the LFS capstone (which skips on main). Do NOT block M1 verdict.
M2 verdict will FAIL unless both are fixed before the lfs-plain-gitea run.
## Additional pre-M1 cold checks @2026-06-15T20:10Z
Builder addressed inbox findings in commits 893a7b0, 3cc8338, 74bc5f0, 3ec24b0:
- Double /api/v1 path bug: FIXED ("/version" path used correctly) ✓
- git-lfs: added to nix/hosts/cc-ci-hetzner/configuration.nix (correct host config) ✓
- test_git_push: auto_init=True repo, credential URL approach ✓
- test_admin_api: scopes added for gitea 1.22+ ✓
Cold checks run from cc-ci /root/builder-clone (HEAD 3ec24b0):
- recipe_meta.py: all keys load — BACKUP_CAPABLE=True, READY_PROBE callable, SCREENSHOT callable, EXTRA_ENV callable ✓
- unit tests: 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
- LFS conditional (RECIPE=gitea, compose.lfs.yml absent): COMPOSE_FILE=sqlite3 only, LFS=False ✓
- LFS skip mechanism: _lfs_enabled() returns False when compose.lfs.yml absent (main branch) ✓
## M1 cold verification @2026-06-15T20:32Z
Builder claim: commit bac3662, all 5 stages PASS locally (RECIPE=gitea), run_id=manual.
### Evidence reviewed (independent, from adv-clone at HEAD b2663dc)
**results.json** (`/var/lib/cc-ci-runs/manual/results.json`, mtime 20:08 today):
- level: 5/5 ✓
- install/upgrade/backup/restore/custom: all "pass" ✓
- lint: "pass" ✓
- LFS (test_lfs_roundtrip): status="skip", message="compose.lfs.yml absent in gitea recipe checkout — LFS is not enabled on this branch. This test runs on lfs-plain-gitea (PR #1) and is EXPECTED_NA on main." ✓
- flags: clean_teardown=true, no_secret_leak=true ✓
- customization: 4 custom tests, ops.py hooks for all 4 pre-op stages, meta non-default keys all correct ✓
- unintentional skips: [] (no unexpected skips) ✓
**Unit tests (Adversary cold run from adv-clone)**:
- 53/53 PASS (test_gitea_dep.py 10/10, test_meta.py 43/43) ✓
- test_gitea_recipe_meta_extra_env PASS — dep env correct (no LFS when RECIPE≠gitea) ✓
- test_enrich_deps_routes_gitea PASS — dep routing intact ✓
- test_drone_recipe_meta_deps PASS — DEPS=["gitea"] correct ✓
**Code review of test hooks:**
- test_restore: pre_restore DELETES marker + asserts absence; test asserts marker RETURNED — no-op restore fails ✓
- test_upgrade: marker_repo_exists() hits API with admin creds — data continuity is real ✓
- test_git_push: auto_init=True repo, credential URL embedded, push via git; verifies non-empty response ✓
- test_admin_api: creates user, org, token via API with 1.22+ scopes; teardown cleans up ✓
- test_health: HTTP 200 on root endpoint ✓
- LFS conditional: 2-guard (_lfs_enabled requires RECIPE=gitea AND compose.lfs.yml exists) prevents dep leak ✓
**Dep path verification:**
- No RECIPE=drone CI run post-Builder changes (last drone run was #506, June 13)
- EXTRA_ENV dep path verified code-level: RECIPE=drone → no LFS flags, standard sqlite3+auth only ✓
- Unit tests cover this path explicitly ✓
### Findings
**[non-blocking, pre-existing harness bug] Stale screenshot:**
`/var/lib/cc-ci-runs/manual/screenshot.png` has mtime June 13 — not from today's M1 run.
Root cause: `screenshot.capture()` checks `if not os.path.exists(out_path)` after running the
SCREENSHOT hook; since the file exists from a prior manual run (run_id="manual" reuses the same dir),
`_snap_with_blank_retry` is never called and the old file persists. results.json reports
`"screenshot": "screenshot.png"` (file exists and is non-empty), but it's a stale image.
Non-blocking per R7 (cosmetics never change verdict). M2 will use DRONE_BUILD_NUMBER as run_id
→ fresh directory → no issue. NOT a Builder error; pre-existing harness limitation of manual runs.
Filed in BACKLOG-gtea.md under Adversary findings.
**[constraint] Independent harness run blocked by lifetime.py orphan guard:**
`lifetime.install_lifetime_guards()` calls `prctl(PR_SET_PDEATHSIG)` then checks `ppid==1`; when
running via systemd-run or nohup (detached), the harness correctly refuses to run orphaned.
No bypass env var exists. Running the full harness in foreground would require ~30-min SSH hold.
Code review + unit test verification substitutes for M1 (M2 !testme provides the live run).
## M1 VERDICT: PASS @2026-06-15T20:32Z
All M1 DoD satisfied:
- Suite built: install/upgrade/backup/restore/custom/lint all exist and ran ✓
- Suite green locally: level=5/5, all stages PASS on main ✓
- LFS test correctly SKIP on main (compose.lfs.yml absent → _lfs_enabled()=False) ✓
- Tests have teeth: restore divergence is real, upgrade verifies data continuity ✓
- Dep path unbroken: EXTRA_ENV dep route correct, unit tests pass ✓
- No secrets in run artifacts: no_secret_leak=true ✓
Gate M1: **ADVERSARY PASS** (commit bac3662, run_id=manual, all stages pass)
Reference in New Issue View Git Blame Copy Permalink