fix(runner): align controlled cd lane drain guardrails
Some checks failed
CD Pipeline / workflow-shape (push) Successful in 0s
CD Pipeline / cancel-stale-cd (push) Has been skipped
CD Pipeline / tests (push) Successful in 44s
CD Pipeline / build-and-deploy (push) Successful in 4m2s
AWOOOI Harbor 110 Local Repair / workflow-shape (push) Successful in 0s
AWOOOI Harbor 110 Local Repair / harbor-110-local-repair (push) Successful in 46s
CD Pipeline / post-deploy-checks (push) Has been cancelled

ogt
2026-07-02 01:03:47 +08:00
parent f7aba589f5
commit aa675253ac
3 changed files with 67 additions and 6 deletions


@@ -52071,6 +52071,24 @@ production browser smoke:
- 沒有讀 secret / token / `.env` / raw sessions / SQLite / auth沒有使用 GitHub / gh / GitHub API / GitHub Actions。
- 沒有重啟主機,沒有 Docker / Nginx / K3s / DB / firewall 操作,沒有 workflow_dispatch沒有 force push。
## 2026-07-02 — P0 controlled CD lane drain service source guardrail 對齊
**完成內容**
- Production 已讀回 deployed `8cc96973f7`,舊 `remote_ssh_publickey_offer_timeout` 不再是 active control-path blocker目前 active AI loop item 改為 `controlled_cd_lane_guardrails_blocked`
- 110 read-only verifier 完整讀回legacy fail-closed、root restore-source、host pressure 均 OKblocker 為 controlled lane config missing、binary 非 ELF、registration missing、service masked/inactive 且 unit guardrails 不符合。
- 修正 source-of-truth `ops/runner/awoooi-cd-lane-drain.service`:對齊 startup/verifier 要求的 `.runner` condition、data working dir、controlled env、host pressure env、CPU / memory / tasks / IO accounting、`NoNewPrivileges=true` 與 bounded limits。
- 新增測試防止 service source 回退到缺 guardrails 或泛用重型 label。
**本地驗證結果**
- `python3.11 -m pytest ops/runner/test_cd_controlled_runtime_profile.py ops/runner/test_check_awoooi_110_controlled_cd_lane_readiness.py -q``48 passed`
- `python3.11 -m py_compile ops/runner/test_cd_controlled_runtime_profile.py`:通過。
- `git diff --check`:通過。
**仍維持**
- 沒有讀 secret / token / `.env` / raw sessions / SQLite / auth沒有讀 `.runner` 內容;沒有使用 GitHub / gh / GitHub API。
- 沒有重啟主機,沒有 Docker / Nginx / K3s / DB / firewall 操作,沒有 workflow_dispatch沒有 force push。
- 仍未代輸 runner registration tokenregistration missing 需要由不暴露 token 的受控流程補齊後才能讓 verifier 全綠。
## 2026-07-01 — 23:28 P0 110 sustained CPU pressure alert / controlled quota / alert-chain readback
**完成內容**
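Review bot: The new 2026-07-02 entry names four blockers from the 110 read-only verifier (controlled lane config missing, binary not ELF, registration missing, service masked/inactive with mismatched unit guardrails), but its 仍維持 section only carries forward registration missing, so a reader cannot tell whether the missing config, the non-ELF binary and the masked service are still open after this change. The entry describes the change as aligning `ops/runner/awoooi-cd-lane-drain.service` and adding regression tests, so suggest listing each remaining blocker explicitly and stating whether `controlled_cd_lane_guardrails_blocked` stays the active item until they are cleared. The 本地驗證結果 list shows pytest, py_compile and `git diff --check` only; a `systemd-analyze verify` run against the unit file would confirm that the added accounting and `NoNewPrivileges=true` directives parse on the target host, and recording the actual limit values here instead of "bounded limits" would make a later regression visible from the log alone. Several clauses in the added lines also run together without a separator (for example `均 OKblocker 為` and `token registration missing`), which is worth checking against the source file.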