fix(runner): align controlled cd lane drain guardrails
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 44s
CD Pipeline / build-and-deploy (push) Successful in 4m2s
AWOOOI Harbor 110 Local Repair / workflow-shape (push) Successful in 0s
AWOOOI Harbor 110 Local Repair / harbor-110-local-repair (push) Successful in 46s
CD Pipeline / post-deploy-checks (push) Has been cancelled
@@ -52071,6 +52071,24 @@ production browser smoke:
|
||||
- 沒有讀 secret / token / `.env` / raw sessions / SQLite / auth;沒有使用 GitHub / gh / GitHub API / GitHub Actions。
|
||||
- 沒有重啟主機,沒有 Docker / Nginx / K3s / DB / firewall 操作,沒有 workflow_dispatch,沒有 force push。
|
||||
|
||||
## 2026-07-02 — P0 controlled CD lane drain service source guardrail 對齊
|
||||
|
||||
**完成內容**:
|
||||
- Production 已讀回 deployed `8cc96973f7`,舊 `remote_ssh_publickey_offer_timeout` 不再是 active control-path blocker;目前 active AI loop item 改為 `controlled_cd_lane_guardrails_blocked`。
|
||||
- 110 read-only verifier 完整讀回:legacy fail-closed、root restore-source、host pressure 均 OK;blocker 為 controlled lane config missing、binary 非 ELF、registration missing、service masked/inactive 且 unit guardrails 不符合。
|
||||
- 修正 source-of-truth `ops/runner/awoooi-cd-lane-drain.service`:對齊 startup/verifier 要求的 `.runner` condition、data working dir、controlled env、host pressure env、CPU / memory / tasks / IO accounting、`NoNewPrivileges=true` 與 bounded limits。
|
||||
- 新增測試防止 service source 回退到缺 guardrails 或泛用重型 label。
|
||||
|
||||
**本地驗證結果**:
|
||||
- `python3.11 -m pytest ops/runner/test_cd_controlled_runtime_profile.py ops/runner/test_check_awoooi_110_controlled_cd_lane_readiness.py -q`:`48 passed`。
|
||||
- `python3.11 -m py_compile ops/runner/test_cd_controlled_runtime_profile.py`:通過。
|
||||
- `git diff --check`:通過。
|
||||
|
||||
**仍維持**:
|
||||
- 沒有讀 secret / token / `.env` / raw sessions / SQLite / auth;沒有讀 `.runner` 內容;沒有使用 GitHub / gh / GitHub API。
|
||||
- 沒有重啟主機,沒有 Docker / Nginx / K3s / DB / firewall 操作,沒有 workflow_dispatch,沒有 force push。
|
||||
- 仍未代輸 runner registration token;registration missing 需要由不暴露 token 的受控流程補齊後才能讓 verifier 全綠。
|
||||
|
||||
## 2026-07-01 — 23:28 P0 110 sustained CPU pressure alert / controlled quota / alert-chain readback
|
||||
|
||||
**完成內容**:
|
||||
|
||||
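Review bot: The new 2026-07-02 entry lists five verifier blockers in its completed-work section (controlled lane config missing, binary not ELF, registration missing, service masked/inactive, unit guardrails mismatched), but the "仍維持" list only accounts for registration missing, so a reader cannot tell which blockers are still open after this commit. The change described only touches the unit source `ops/runner/awoooi-cd-lane-drain.service`, so please add a line stating that config missing, the non-ELF binary and the masked/inactive service state remain open, or name the follow-up that handles them. The local verification section also shows only `pytest`, `py_compile` and `git diff --check`; nothing there shows the unit file was parsed by systemd, so consider recording a `systemd-analyze verify` run on the service file next to the test results. Finally, "bounded limits" and the CPU / memory / tasks / IO accounting are mentioned without values; quoting the actual directive values in the log would let the next 110 read-only verifier readback be compared against this entry.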