diff --git a/.gitea/scripts/sop-tier-check.sh b/.gitea/scripts/sop-tier-check.sh
index 12ea4988..b009969c 100755
--- a/.gitea/scripts/sop-tier-check.sh
+++ b/.gitea/scripts/sop-tier-check.sh
@@ -50,17 +50,19 @@ set -euo pipefail
 # when jq is already on PATH.
 if ! command -v jq >/dev/null 2>&1; then
 echo "::notice::jq not found on PATH — attempting install..."
- # Download jq binary; fall back to apt-get. Use subshell to isolate
- # from set -e so a failed install doesn't exit the script.
+ # apt-get first: GitHub releases are unreachable from Gitea runners
+ # (curl to github.com times out after ~3s). GitHub binary remains as
+ # secondary fallback for environments where apt-get jq is also unavailable.
+ # Use subshell to isolate from set -e so a failed install doesn't exit.
 (
+ apt-get update -qq && apt-get install -y -qq jq \
+ && echo "::notice::jq apt-installed: $(jq --version)"
+ ) || {
 timeout 60 curl -sSL \
 "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
 -o /usr/local/bin/jq \
 && chmod +x /usr/local/bin/jq \
- && echo "::notice::jq binary installed: $(/usr/local/bin/jq --version)" \
- ) || {
- apt-get update -qq && apt-get install -y -qq jq \
- && echo "::notice::jq apt-installed: $(jq --version)"
+ && echo "::notice::jq binary installed: $(/usr/local/bin/jq --version)"
 }
 # Verify jq is now available; if not, exit with clear error
 if ! command -v jq >/dev/null 2>&1; then
diff --git a/.gitea/scripts/sop-tier-check.yml b/.gitea/workflows/sop-tier-check.yml
index c64385ee..17fb34a2 100644
--- a/.gitea/workflows/sop-tier-check.yml
+++ b/.gitea/workflows/sop-tier-check.yml
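Review bot: The GitHub fallback inside the `|| { … }` group of `.gitea/scripts/sop-tier-check.sh` writes whatever curl receives straight to `/usr/local/bin/jq` and marks it executable, with no digest check and without `--fail`. With `-sSL` alone an HTTP error body is saved and curl still exits 0, so `chmod +x` runs and the later `command -v jq` check passes on a file that is not jq. A replaced or tampered release asset would likewise execute inside the CI job, presumably alongside the API token the tier check uses. Download to a temporary file with `curl -fsSL`, compare it against a pinned SHA-256 and only then install it, as sketched below; the same curl line in the `run:` step of `.gitea/workflows/sop-tier-check.yml` needs the same treatment. The verification `if` after the group continues outside the hunk.

```shell
# … unchanged: subshell that tries apt-get first …
) || {
  jq_tmp="$(mktemp)" \
    && timeout 60 curl -fsSL \
      "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \
      -o "$jq_tmp" \
    && echo "<PINNED_SHA256_OF_jq-linux-amd64>  $jq_tmp" | sha256sum -c - >/dev/null \
    && install -m 0755 "$jq_tmp" /usr/local/bin/jq \
    && echo "::notice::jq binary installed: $(/usr/local/bin/jq --version)"
  # Always drop the temp file; a failed download is caught by the check below.
  rm -f -- "${jq_tmp:-}"
}
```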
@@ -82,22 +82,29 @@ jobs: # The sop-tier-check script uses jq for all JSON API parsing. # Install jq before the script runs so sop-tier-check can pass. # - # Method: download binary directly from GitHub releases (faster and - # more reliable than apt-get in containerized environments). Falls - # back to apt-get if the download fails. The smoke test confirms - # jq is on PATH before the main script runs. + # Method: apt-get first (Gitea runner containers have apt-cache; + # GitHub binary downloads are unreachable — curl to github.com times + # out after ~3s and never reaches apt-get fallback). GitHub binary + # remains as secondary fallback for environments where apt-get jq is + # also unavailable. The smoke test confirms jq is on PATH. # # continue-on-error: true ensures this step failing does not fail the # job. The sop-tier-check script has its own jq fallback as a second # line of defense — this step failing gracefully is acceptable. continue-on-error: true run: | - timeout 60 curl -sSL \ - "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \ - -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq \ - || apt-get update -qq && apt-get install -y -qq jq \ - || echo "::warning::jq install methods failed — script fallback will retry" - jq --version 2>/dev/null || echo "::notice::jq not yet available — script will install" + # apt-get first (GitHub unreachable from Gitea runners; infra#241). + apt-get update -qq && apt-get install -y -qq jq \ + || echo "::warning::jq apt-get failed — trying GitHub binary..." + # GitHub binary as secondary fallback for environments where apt-get + # jq is unavailable (e.g. offline containers). + if ! 
command -v jq >/dev/null 2>&1; then + timeout 60 curl -sSL \ + "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64" \ + -o /usr/local/bin/jq && chmod +x /usr/local/bin/jq \ + || echo "::warning::jq GitHub binary also failed — script fallback will retry" + fi + jq --version 2>/dev/null || echo "::notice::jq not yet on PATH — script will retry" - name: Verify tier label + reviewer team membership # continue-on-error: true at step level — job-level is ignored by Gitea
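Review bot: The last line of the `run:` step promises "script will retry", but nothing removes an unusable file that the curl fallback may have left at `/usr/local/bin/jq`. The script only attempts its own install when `command -v jq` fails, and any executable file at that path satisfies that guard, so a download that completes but is not a working jq (for example a saved HTTP error body) would skip the second line of defense and surface later as JSON parsing failures. Clean up when the smoke test fails: `jq --version >/dev/null 2>&1 || { rm -f /usr/local/bin/jq; echo "::notice::jq not yet on PATH — script will retry"; }`. Because `continue-on-error: true` hides this step's outcome, the cleanup is what keeps the script's fallback reachable.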