molecule-core/.github/workflows
devops-engineer aa6458b42d
Some checks failed
Check merge_group trigger on required workflows / Required workflows have merge_group trigger (pull_request) Successful in 9s
CodeQL / Analyze (${{ matrix.language }}) (go) (pull_request) Successful in 8s
CodeQL / Analyze (${{ matrix.language }}) (javascript-typescript) (pull_request) Successful in 10s
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 19s
CodeQL / Analyze (${{ matrix.language }}) (python) (pull_request) Successful in 10s
E2E API Smoke Test / detect-changes (pull_request) Successful in 21s
CI / Detect changes (pull_request) Successful in 31s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 20s
Retarget main PRs to staging / Retarget to staging (pull_request) Has been skipped
Lint curl status-code capture / Scan workflows for curl status-capture pollution (pull_request) Successful in 16s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 19s
Harness Replays / detect-changes (pull_request) Successful in 21s
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 23s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 24s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 26s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 30s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 24s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 37s
Harness Replays / Harness Replays (pull_request) Successful in 23s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 15s
CI / Python Lint & Test (pull_request) Successful in 8m27s
CI / Canvas (Next.js) (pull_request) Failing after 9m59s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / Platform (Go) (pull_request) Successful in 12m57s
fix(ci): replace gh api REST passthroughs with Gitea-compatible shapes (#75 class D)
Part of the post-#66 sweep to remove `gh` CLI dependencies that fail
silently against Gitea (which exposes /api/v1 only — no GraphQL → 405,
no /api/v3 → 404). Class D covers `gh api` REST passthroughs that
either have a Gitea v1 equivalent at a different path/shape or no
equivalent at all.

Three files in this class, each with a different fix shape because
each underlying Gitea capability is different:

`auto-promote-on-e2e.yml` (compute SHA ancestry):
  Old: `gh api repos/.../compare/A...B` returning `.status`
       (ahead|behind|identical|diverged).
  Gitea: `/api/v1/repos/.../compare/A...B` accepts only branch / tag
       refs — full commit SHAs return `BaseNotExist`. So even a
       "translate the URL" rewrite would fail. Verified empirically
       2026-05-07: branches/tags work, SHAs don't.
  Fix:  Add `actions/checkout@v6 fetch-depth=200` + use
       `git merge-base --is-ancestor` locally. Exact same four-bucket
       semantics (ahead | behind | diverged | error), zero cross-host
       API dependency. Same pattern PR #66 used for auto-sync. The
       200-commit depth comfortably covers any realistic divergence
       between :latest and a candidate retag (promotes are minutes
       apart, not hundreds of commits).

`ci.yml` (canvas-deploy-reminder commit comment):
  Old: `gh api -X POST repos/.../commits/{sha}/comments` posting a
       deploy-reminder body for the operator.
  Gitea: NO commit-comments endpoint exists —
       `/repos/.../commits/{sha}/comments` returns 404 (verified
       2026-05-07). Gitea only exposes `/commits/{sha}/statuses` for
       commit-level surface, which is the wrong shape for a free-form
       reminder.
  Fix:  Drop the API call. Write the reminder body to
       `$GITHUB_STEP_SUMMARY` instead. The reminder is entirely
       operator-facing and is just as discoverable on the run summary
       page (which an operator naturally lands on when they need to
       action a deploy). Commit comments were a stale UI artefact of
       the GitHub era, not a load-bearing automation surface.
  Permission: drop `contents: write` (no longer needed) → `read`,
       smallest scope per least-privilege.

`check-merge-group-trigger.yml` (merge_group: trigger linter):
  Old: `gh api .../branches/staging/protection/required_status_checks`
       reading the contexts list, then walking workflow files.
  Gitea: branch-protection API is at
       `/api/v1/repos/.../branch_protections/{name}` (different path)
       with `status_check_contexts` (different field name) — but the
       entire workflow only existed to lint that workflows producing a
       required check declare a `merge_group:` trigger, which is needed
       because GitHub's merge queue deadlocks at AWAITING_CHECKS when
       the trigger is missing. Gitea has NO merge queue, NO
       gh-readonly-queue/... ref shape, NO merge_group event
       semantics. The deadlock pattern this linter catches cannot
       occur on Gitea by construction.
  Fix:  Convert to no-op stub (same pattern as the CodeQL stub
       landed in PR #51). Workflow name + trigger surface preserved
       so any external referrer (none confirmed via the 2026-05-07
       branch-protection audit) keeps resolving. Re-enable path
       documented in the file header for if/when Gitea grows a
       merge queue.

curl invocation pattern: `curl --fail-with-body -sS` (NOT `-fsS` —
the two short-fail flags are mutually exclusive in modern curl).

Token model: workflows continue to use act_runner's GITHUB_TOKEN
where they still need API access (`auto-promote-on-e2e.yml`'s
checkout uses the runner's default token; `ci.yml` no longer needs
any API auth for the deploy-reminder step;
`check-merge-group-trigger.yml` no longer makes any API calls).

Verification:
- YAML syntax validates for all three files.
- Live curl against Gitea confirms `/compare/A...B` accepts branch
  refs (200, total_commits=N) and refuses full SHAs (404,
  BaseNotExist) — justifying the local-git approach.
- `/repos/.../commits/{sha}/comments` confirmed 404 on Gitea.
- `git merge-base --is-ancestor` exit-code semantics match the
  GitHub compare API status semantics exactly: ahead = current is
  ancestor of target; behind = target is ancestor of current;
  diverged = neither.

Closes part of #75. Class A landed in #80; class F (gh run list →
no Gitea workflow-runs API at all) lands in a separate PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 15:35:59 -07:00
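The local-git ancestry check the commit message substitutes for the `compare` API, written out as an added example (not the project's `auto-promote-on-e2e.yml` step). It follows the bucket mapping stated in the Verification section: ahead = current is an ancestor of target, behind = target is an ancestor of current, diverged = neither, plus identical and error. The `classify_refs` and `make_demo_repo` function names, the branch names `latest`/`candidate`/`forked` and the throwaway repository are all constructed for this example; the only assumption is that `git` is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not the project's workflow code: classify two refs using only
# local git, with the bucket names the commit message uses.
#   ahead     = CURRENT is an ancestor of TARGET
#   behind    = TARGET is an ancestor of CURRENT
#   diverged  = neither
#   identical = same commit
#   error     = unresolvable ref or a git failure (exit code > 1)
# Assumes only that git is installed; the demo repository is constructed below.

# classify_refs REPO_DIR CURRENT TARGET -> prints one bucket name, always exits 0
classify_refs() {
  local repo="$1" current="$2" target="$3"
  local cur tgt
  # Resolve both refs to commit SHAs first: a bad ref is "error", never "diverged".
  cur=$(git -C "$repo" rev-parse --verify --quiet "${current}^{commit}") || { echo error; return 0; }
  tgt=$(git -C "$repo" rev-parse --verify --quiet "${target}^{commit}") || { echo error; return 0; }
  if [ "$cur" = "$tgt" ]; then echo identical; return 0; fi

  # --is-ancestor exits 0 (is ancestor), 1 (is not), >1 (git error).
  # The `|| rc=$?` form keeps the calls safe under `set -e`.
  local rc_fwd=0 rc_back=0
  git -C "$repo" merge-base --is-ancestor "$cur" "$tgt" || rc_fwd=$?
  git -C "$repo" merge-base --is-ancestor "$tgt" "$cur" || rc_back=$?
  if [ "$rc_fwd" -gt 1 ] || [ "$rc_back" -gt 1 ]; then echo error; return 0; fi
  if [ "$rc_fwd" -eq 0 ]; then echo ahead; return 0; fi
  if [ "$rc_back" -eq 0 ]; then echo behind; return 0; fi
  echo diverged
}

# make_demo_repo -> prints the path of a constructed throwaway repository:
#   latest ---- candidate   (candidate = latest + one commit)
#        \----- forked      (forked    = latest + one different commit)
make_demo_repo() {
  local dir
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "demo@example.invalid"
  git -C "$dir" config user.name "demo"
  git -C "$dir" config commit.gpgsign false
  git -C "$dir" commit -q --allow-empty -m "base"
  git -C "$dir" branch -q latest
  git -C "$dir" checkout -q -b candidate
  git -C "$dir" commit -q --allow-empty -m "candidate work"
  git -C "$dir" checkout -q -b forked latest
  git -C "$dir" commit -q --allow-empty -m "unrelated work"
  echo "$dir"
}

# Stand-alone run: exercise every bucket the classifier can produce.
demo() {
  local repo pair
  repo=$(make_demo_repo)
  for pair in "latest candidate" "candidate latest" "candidate forked" \
              "latest latest" "latest no-such-ref"; do
    set -- $pair
    printf '%-10s vs %-12s -> %s\n' "$1" "$2" "$(classify_refs "$repo" "$1" "$2")"
  done
  rm -rf "$repo"
}

demo
```

Two points worth keeping in mind when wiring this into a checkout step. First, the exit-code split matters: `--is-ancestor` returning 1 is an ordinary "no" and is what produces `diverged`, while anything above 1 (unknown object, corrupt repo) must be routed to `error` so a broken clone is not promoted as if the refs had simply forked. Second, on a shallow clone whose depth does not reach the common ancestor, git cannot see that ancestor and reports "not an ancestor" (exit 1) in both directions, so the result silently reads as `diverged` rather than `error`; that is why the `fetch-depth` chosen in the commit has to cover the realistic distance between the two refs.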
auto-promote-on-e2e.yml fix(ci): replace gh api REST passthroughs with Gitea-compatible shapes (#75 class D) 2026-05-07 15:35:59 -07:00
auto-promote-staging.yml fix(auto-promote): skip empty-tree promotes to break perpetual cycle 2026-05-03 08:56:44 -07:00
auto-promote-stale-alarm.yml feat(ops): hourly alarm for auto-promote PR stuck on REVIEW_REQUIRED (#2975) 2026-05-05 17:55:27 -07:00
auto-sync-main-to-staging.yml fix(ci): rewrite auto-sync main→staging for Gitea direct push 2026-05-07 15:04:12 -07:00
auto-tag-runtime.yml chore(deps)(deps): bump actions/checkout from 4 to 6 2026-05-02 19:23:01 +00:00
block-internal-paths.yml fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 01:00:10 -07:00
branch-protection-drift.yml fix(branch-protection-drift): hard-fail on schedule only, soft-skip + warn on PR 2026-05-04 21:20:30 -07:00
canary-staging.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
canary-verify.yml fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 01:00:10 -07:00
cascade-list-drift-gate.yml feat(ci): structural drift gate for cascade list vs manifest (RFC #388 PR-3) 2026-05-03 03:52:39 -07:00
check-merge-group-trigger.yml fix(ci): replace gh api REST passthroughs with Gitea-compatible shapes (#75 class D) 2026-05-07 15:35:59 -07:00
check-migration-collisions.yml chore(deps)(deps): bump actions/checkout from 4 to 6 2026-05-02 19:23:01 +00:00
ci.yml fix(ci): replace gh api REST passthroughs with Gitea-compatible shapes (#75 class D) 2026-05-07 15:35:59 -07:00
codeql.yml fix(ci): convert CodeQL workflow to no-op stub on Gitea (#156) 2026-05-07 14:26:57 -07:00
continuous-synth-e2e.yml ci(canary): bump timeout-minutes 12 → 20 to absorb apt tail latency 2026-05-04 07:02:12 -07:00
e2e-api.yml test(e2e): add poll-mode chat upload E2E and wire into e2e-api.yml 2026-05-05 13:08:55 -07:00
e2e-staging-canvas.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
e2e-staging-external.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
e2e-staging-saas.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
e2e-staging-sanity.yml fix(workflows): preserve curl stderr in 8 status-capture sites 2026-05-04 18:54:50 -07:00
handlers-postgres-integration.yml ci(handlers-postgres-integration): apply legacy *.sql migrations too 2026-05-05 22:02:24 -07:00
harness-replays.yml chore: drop github-app-auth + swap GHCR→ECR (closes #157, #161) 2026-05-07 07:48:51 -07:00
lint-curl-status-capture.yml fix(workflows): rewrite curl status-capture to prevent exit-code pollution 2026-05-04 18:29:38 -07:00
pr-guards.yml fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 01:00:10 -07:00
promote-latest.yml chore(deps)(deps): bump imjasonh/setup-crane from 0.4 to 0.5 2026-05-02 19:23:13 +00:00
publish-canvas-image.yml Merge pull request #2521 from Molecule-AI/dependabot/github_actions/actions/checkout-6 2026-05-03 01:36:57 +00:00
publish-runtime.yml fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 01:00:10 -07:00
publish-workspace-server-image.yml chore(ci): retrigger publish-workspace-server-image after ECR repo create (#173) 2026-05-07 13:54:11 -07:00
railway-pin-audit.yml Merge pull request #2523 from Molecule-AI/dependabot/github_actions/actions/github-script-9.0.0 2026-05-03 01:37:00 +00:00
redeploy-tenants-on-main.yml fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 01:00:10 -07:00
redeploy-tenants-on-staging.yml fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 01:00:10 -07:00
retarget-main-to-staging.yml fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 01:00:10 -07:00
runtime-pin-compat.yml chore(deps)(deps): bump actions/checkout from 4 to 6 2026-05-02 19:23:01 +00:00
runtime-prbuild-compat.yml fix(ci): include event_name in runtime-prbuild-compat concurrency group 2026-05-05 04:01:20 -07:00
secret-pattern-drift.yml chore(deps)(deps): bump actions/checkout from 4 to 6 2026-05-02 19:23:01 +00:00
secret-scan.yml fix(ci): lowercase 'molecule-ai/' in cross-repo workflow refs 2026-05-07 01:00:10 -07:00
sweep-aws-secrets.yml feat(ops): add sweep-aws-secrets janitor — orphan tenant bootstrap secrets 2026-05-03 02:38:08 -07:00
sweep-cf-orphans.yml chore(deps)(deps): bump actions/checkout from 4 to 6 2026-05-02 19:23:01 +00:00
sweep-cf-tunnels.yml chore(deps)(deps): bump actions/checkout from 4 to 6 2026-05-02 19:23:01 +00:00
sweep-stale-e2e-orgs.yml chore(sweep): add orphan-tunnel cleanup step (#2987 / #340) 2026-05-05 19:36:20 -07:00
test-ops-scripts.yml chore(deps)(deps): bump actions/checkout from 4 to 6 2026-05-02 19:23:01 +00:00