diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index 3f4166aa..46cec185 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -2031,11 +2031,12 @@ jobs:
 runtime_short == expected_short
 and desired_short == expected_short
 and desired_status == "ok"
- and matches_main
 ):
 print(
- "✅ Production deploy readback matches Gitea main desired "
- f"image tag ({expected_short}) on attempt {attempt}/{attempts}"
+ "✅ Production deploy readback matches this build and "
+ "GitOps desired image tag "
+ f"({expected_short}) on attempt {attempt}/{attempts};"
+ f"matches_main={matches_main}"
 )
 raise SystemExit(0)
 last_error = (
diff --git a/docs/LOGBOOK.md b/docs/LOGBOOK.md
index ace54e4b..75006f39 100644
--- a/docs/LOGBOOK.md
+++ b/docs/LOGBOOK.md
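Review bot: With `and matches_main` dropped from the success condition, a readback whose desired tag does not match main now exits 0 whatever the cause, and the only trace is the `matches_main=...` suffix of the success message. The logbook entry in this commit names one benign cause, the `[skip ci]` deploy marker commit, but any other divergence between main and the deployed tag would look identical in the run log. A separate line before `raise SystemExit(0)` would make that case stand out to whoever audits the run, e.g. `if not matches_main: print("⚠️ desired tag differs from Gitea main head; expected only for the [skip ci] deploy marker commit")`. The two new f-string pieces also join without a space, so the message renders as `{attempts};matches_main=...`; `f" matches_main={matches_main}"` fixes that. The enclosing `if` and the retry loop start and end outside this hunk, and how `matches_main` is computed is not visible here.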
@@ -51656,6 +51656,29 @@ production browser smoke:
 **下一步**:
 - commit / push 後讀回 Gitea Actions 新 run;若 tests 過但 build / deploy 仍失敗,繼續沿同一條 CD readback 修復,不切支線。
 
+## 2026-07-01 — 16:50 Gitea CD deploy marker readback gate 修正
+
+**完成內容**:
+- Gitea CD `#4267` 已證明前一輪 tests 紅點修復:`tests` job succeeded,`build-and-deploy` 已 build / push image,ArgoCD 讀回 `sync=Synced`、`health=Healthy`,`awoooi-api` / `awoooi-web` / `awoooi-worker` rollout 都成功。
+- 剩餘卡點是 CD 內 deploy readback gate:`expected=7f0e4c53a2`、`runtime=7f0e4c53a2`、`desired=7f0e4c53a2`、`desired_status=ok`,但 build-and-deploy 同步推了 deploy marker `0913bf52a chore(cd): deploy 7f0e4c5 [skip ci]`,使 `production_deploy_image_tag_matches_main=false`。
+- 已修正 `.gitea/workflows/cd.yaml`:deploy readback 通過條件改為 runtime image tag 與 GitOps desired image tag 都等於本次 build commit;`matches_main` 保留為 evidence,不再把 `[skip ci]` deploy marker commit SHA 誤當成 image tag。
+- `ops/runner/test_cd_controlled_runtime_profile.py` 增加 guard,確保 success condition 包含 `runtime_short == expected_short`、`desired_short == expected_short`、`desired_status == "ok"`,且不再要求 `and matches_main`。
+
+**本地驗證結果**:
+- `python3.11 -m pytest ops/runner/test_cd_controlled_runtime_profile.py -q`:`36 passed`。
+- `python3 ops/runner/guard-gitea-runner-pressure.py --root .`:通過。
+- `node scripts/ci/check-gitea-step-env-secrets.js`:通過。
+- `python3.11 -m py_compile ops/runner/test_cd_controlled_runtime_profile.py`:通過。
+- `git diff --check`:通過。
+
+**仍維持**:
+- 沒有讀 secret / token / `.env` / raw sessions / SQLite / auth;沒有讀 `.runner` 內容。
+- 沒有使用 GitHub / gh / GitHub API / GitHub Actions。
+- 沒有重啟主機,沒有 Docker / Nginx / K3s / DB restart,沒有 workflow_dispatch,沒有 DROP / TRUNCATE / restore / prune。
+
+**下一步**:
+- commit / push 後讀回新的 Gitea CD run;確認 tests、build、deploy readback 都通過,再讀 production health / ArgoCD / image tag 證據。
+
 ## 2026-07-01 — 08:55 Truth-chain hot lookup helper test 對齊
 
 **完成內容**:
diff --git a/ops/runner/test_cd_controlled_runtime_profile.py b/ops/runner/test_cd_controlled_runtime_profile.py
index 2de8e1ec..47335b88 100644
--- a/ops/runner/test_cd_controlled_runtime_profile.py
+++ b/ops/runner/test_cd_controlled_runtime_profile.py
@@ -67,6 +67,15 @@ def test_cd_requires_production_deploy_readback_after_rollout() -> None:
 assert "production_deploy_runtime_build_commit_short_sha" in text
 assert "production_deploy_desired_main_api_image_tag_short_sha" in text
 assert "production_deploy_desired_main_api_image_tag_readback_status" in text
+ assert "Production deploy readback matches this build and " in text
+ assert "GitOps desired image tag " in text
+ success_block = text.split(
+ '"✅ Production deploy readback matches this build and "', 1
+ )[0].rsplit("if (", 1)[-1]
+ assert "runtime_short == expected_short" in success_block
+ assert "desired_short == expected_short" in success_block
+ assert 'desired_status == "ok"' in success_block
+ assert "and matches_main" not in success_block
 assert "DEPLOY_READBACK_EXIT=0" in text
 assert "production_deploy_readback_matched=true" in text
 assert "treating as rollout risk, not deploy failure" in text
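Review bot: The three positive `success_block` assertions are independent substring checks, so they still pass if the comparisons in cd.yaml are later joined with `or` or left behind in a comment inside the `if (` block; the guard would stay green while the deploy gate is weakened. Pinning the whole condition is stricter, assuming the three comparisons stay consecutive as the cd.yaml hunk shows: `assert 'runtime_short == expected_short and desired_short == expected_short and desired_status == "ok"' in " ".join(success_block.split())`. `rsplit("if (", 1)[-1]` also returns the entire preceding workflow text when no `if (` is found, so asserting that `"if ("` occurs in the text before the success message, ahead of the slice, would make that failure explicit. The test function starts and ends outside this hunk.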