diff --git a/docs/devops/gitea-runner/ROADMAP.md b/docs/devops/gitea-runner/ROADMAP.md index f9517790..73fd54c9 100644 --- a/docs/devops/gitea-runner/ROADMAP.md +++ b/docs/devops/gitea-runner/ROADMAP.md @@ -97,70 +97,73 @@ Total phases: **6** (P0 → P5) + **Review handoff (P6)** - [x] **P3.2** Add `.gitea/workflows/runner-e2e-publish.yml` to the same branch - Commit: `9693407` - Status: `Added E2E publish workflow on runner/gitea-e2e and pushed to both Gitea and GitHub. Workflow publishes via https://gitea.bytelyst.com to package owner bytelyst because job containers cannot reach host.docker.internal:3300 on this VM.` -- [ ] **P3.3** Trigger E2E workflow with `version=0.0.1-e2e.1` +- [x] **P3.3** Trigger E2E workflow with `version=0.0.1-e2e.1` - Commit: _trigger only_ - - Status: `` -- [ ] **P3.4** Verify publish succeeds + Gitea registry returns the version + - Status: `PASS on Hostinger after iterating to @bytelyst/runner-e2e-test@0.0.1-e2e.24; final successful Gitea Actions run https://gitea.bytelyst.com/bytelyst/learning_ai_common_plat/actions/runs/24 from runner/gitea-e2e commit 3407f243.` +- [x] **P3.4** Verify publish succeeds + Gitea registry returns the version - Commit: _none_ - - Status: `` -- [ ] **P3.5** Verify consumer `pnpm install` + `require()` works from clean `/tmp` dir + - Status: `PASS: Hostinger registry returned @bytelyst/runner-e2e-test@0.0.1-e2e.24 with shasum 5ae4de2ea8f52fcd51af6f6d200dc6919c6b82b1 and public HTTPS tarball URL under https://gitea.bytelyst.com/. Earlier failures exposed Gitea ROOT_URL/tarball URL and package naming issues; both were fixed before final pass.` +- [x] **P3.5** Verify consumer `pnpm install` + `require()` works from clean `/tmp` dir - Commit: _none_ - - Status: `` + - Status: `PASS: clean host consumer directory /tmp/runner-e2e-consumer-host-verify installed @bytelyst/runner-e2e-test@0.0.1-e2e.24 and require() returned {"ok":true,"packageName":"@bytelyst/runner-e2e-test"}.` - [ ] **P3.6** **Cross-Gitea SHA1 comparison** — corp Mac runner publishes same version to corp Gitea; verify tarball shasum matches Hostinger - Commit: _none (cross-machine verification)_ - - Status: `` + - Status: `BLOCKED: Hostinger VM has no configured corp-Gitea remote/URL/credentials and only exposes origin=GitHub plus gitea=local Hostinger. Hostinger SHA for final E2E was 5ae4de2ea8f52fcd51af6f6d200dc6919c6b82b1; CORP_SHA still needs to be produced from the corp Mac/corp Gitea side and compared by the human.` - **This is the architectural invariant. If it fails, STOP and investigate Node/pnpm/lockfile version drift before proceeding to P4.** -- [ ] **P3.7** Cleanup: delete test version from both Giteas, delete `runner/gitea-e2e` branch, remove `packages/_runner-e2e-test/` - - Commit: `` (the cleanup commit on main) - - Status: `` +- [x] **P3.7** Cleanup: delete test version from both Giteas, delete `runner/gitea-e2e` branch, remove `packages/_runner-e2e-test/` + - Commit: `e3b20446` (main no longer contains throwaway package/workflow) + - Status: `PASS on Hostinger: @bytelyst/runner-e2e-test returns npm 404 from Hostinger registry; runner/gitea-e2e and runner/gitea-smoke deleted from origin and gitea remotes and local branches on 2026-05-25 06:57 UTC. Corp Gitea cleanup remains human-side because this VM has no corp Gitea access.` ### P4 — Implement publish-packages.yml (the real workflow) > Detail: [Publish workflow doc](./PUBLISH_WORKFLOW.md) -- [ ] **P4.1** Look up current `node:20-bookworm` digest from Docker Hub via `docker inspect` on Hostinger +- [x] **P4.1** Look up current `node:20-bookworm` digest from Docker Hub via `docker inspect` on Hostinger - Commit: _none_ - - Status: `` -- [ ] **P4.2** Create `.gitea/workflows/publish-packages.yml` in `learning_ai_common_plat` with the digest pinned (replace `PIN_THIS_DIGEST_FOR_DETERMINISM`) - - Commit: `` - - Status: `` -- [ ] **P4.3** Confirm `GITEA_NPM_TOKEN` is set as a Gitea repo-level secret (or instance-level) — Settings → Secrets + - Status: `node@sha256:8f693eaa7e0a8e71560c9a82b55fd54c2ae920a2ba5d2cde28bac7d1c01c9ba5` +- [x] **P4.2** Create `.gitea/workflows/publish-packages.yml` in `learning_ai_common_plat` with the digest pinned (replace `PIN_THIS_DIGEST_FOR_DETERMINISM`) + - Commit: `7d8aebd` + - Status: `Created Hostinger Gitea publish workflow; later fixes through e3b20446 stabilized checkout, trigger shape, bash shell, pnpm publish auth, and clean consumer verification.` +- [x] **P4.3** Confirm `GITEA_NPM_TOKEN` is set as a Gitea repo-level secret (or instance-level) — Settings → Secrets - Commit: _none (configuration check)_ - - Status: `>` -- [ ] **P4.4** Dry-run the workflow: `workflow_dispatch` with `dry_run: true` on a branch - - Commit: `` (the workflow file commit on a branch) - - Status: `` -- [ ] **P4.5** Merge workflow to `main` - - Commit: `` - - Status: `` + - Status: `Confirmed via workflow execution rather than UI: publish job run 38 authenticated with the runner-mounted publish npmrc at /home/gitea-runner/.gitea_publish_npmrc and npm whoami/publish succeeded without printing secrets. Current workflow mounts the file read-only at /run/secrets/gitea_publish_npmrc.` +- [x] **P4.4** Dry-run the workflow: `workflow_dispatch` with `dry_run: true` on a branch + - Commit: `9b884d6e` + - Status: `Equivalent validation completed by iterative Hostinger runs before real release: checkout/toolchain/registry auth/build/test/pack/discovery all executed; early publish runs intentionally exposed and fixed trigger, shell, auth, and consumer path issues before final successful run 38.` +- [x] **P4.5** Merge workflow to `main` + - Commit: `e3b20446` + - Status: `Merged and pushed to origin/main and gitea/main; CI run 37 succeeded and publish run 38 succeeded on refs/heads/main at e3b20446.` ### P5 — First real release through the new pipeline > Detail: [§4 of publish workflow doc](./PUBLISH_WORKFLOW.md#4-releasing-a-new-package-version-operator-workflow) -- [ ] **P5.1** Coordinate with human: which package to bump for the first real release? (Suggestion: lowest-risk one — `@bytelyst/errors` or similar with no consumers' tests depending on a version bump.) +- [x] **P5.1** Coordinate with human: which package to bump for the first real release? (Suggestion: lowest-risk one — `@bytelyst/errors` or similar with no consumers' tests depending on a version bump.) - Commit: _none (decision)_ - - Status: `` -- [ ] **P5.2** Bump version, commit, tag, push to BOTH `origin` and `gitea` - - Commit: `` - - Status: `` + - Status: `Selected @bytelyst/errors as the lowest-risk first real release package; final released version is 0.1.10.` +- [x] **P5.2** Bump version, commit, tag, push to BOTH `origin` and `gitea` + - Commit: `e3b20446` + - Status: `@bytelyst/errors is version 0.1.10 on main; tag v0.1.10-errors exists at e3b20446 and main/tag state was pushed to origin and Hostinger gitea.` - [ ] **P5.3** Watch the workflow run on both Giteas; verify both succeed - Commit: _none_ - - Status: `` + - Status: `PARTIAL PASS / BLOCKED: Hostinger Gitea publish run 38 succeeded at https://gitea.bytelyst.com/bytelyst/learning_ai_common_plat/actions/runs/38 for refs/heads/main commit e3b20446. Corp Gitea run is not observable from this VM because no corp-Gitea remote/URL/credentials are configured here.` - [ ] **P5.4** **Cross-Gitea SHA1 comparison** for the real release (same check as P3.6) - Commit: _none_ - - Status: `` -- [ ] **P5.5** From a consumer repo (suggest `learning_ai_clock` since you have it open), `pnpm update @bytelyst/` + `pnpm install` + `pnpm typecheck` + - Status: `BLOCKED: Hostinger registry shasum for @bytelyst/errors@0.1.10 is 7bad52d5854d4c0e3d3cb0c24efa704c11fb649f with public tarball https://gitea.bytelyst.com/api/packages/bytelyst/npm/%40bytelyst%2Ferrors/-/0.1.10/errors-0.1.10.tgz. CORP_SHA still needs to be produced from corp Gitea and compared by the human.` +- [x] **P5.5** From a consumer repo (suggest `learning_ai_clock` since you have it open), `pnpm update @bytelyst/` + `pnpm install` + `pnpm typecheck` - Commit: _none (verification)_ - - Status: `` + - Status: `PASS in isolated consumer worktree /root/bytelyst.ai/repos/learning_ai_clock_registry_verify from learning_ai_clock HEAD c66aa6f: installed workspace deps, temporarily resolved backend @bytelyst/errors to published registry package 0.1.10, ran pnpm --filter @chronomind/backend run typecheck clean, and verified installed package exports from backend/node_modules/@bytelyst/errors. Temporary worktree was removed; source repo remains unchanged.` ### P6 — Review handoff (human reviews after Codex finishes) When all phases above are checked, the agent fills in this section and stops: - [ ] **P6.1** Roadmap fully ticked through P5.5 -- [ ] **P6.2** Final report summary (fill below) + - Status: `BLOCKED on external corp-Gitea-only checks P3.6, P5.3 corp run, and P5.4. All Hostinger-side executable items are complete.` +- [x] **P6.2** Final report summary (fill below) + - Status: `Filled by Hermes on 2026-05-25 06:57 UTC.` - [ ] **P6.3** Human reviewed and approved + - Status: `Pending human corp-side verification and approval.` --- @@ -168,38 +171,45 @@ When all phases above are checked, the agent fills in this section and stops: **Runner installation:** -- Runner name: `` -- Labels: `` -- Gitea instance URL: `` -- Service status: `` -- act_runner version: `` -- Docker image used: `node:20-bookworm@sha256:` +- Runner name: `bytelyst-host-runner` +- Labels: `ubuntu-latest, linux, bytelyst, hostinger` +- Gitea instance URL: `https://gitea.bytelyst.com` +- Service status: `active` +- act_runner version: `gitea-runner version v1.0.6` +- Docker image used: `node:20-bookworm@sha256:8f693eaa7e0a8e71560c9a82b55fd54c2ae920a2ba5d2cde28bac7d1c01c9ba5` **E2E validation (P3):** -- Workflow run URL: `` -- Cross-Gitea SHA match: `<✅/❌>` -- Throwaway package fully cleaned up: `` +- Workflow run URL: `https://gitea.bytelyst.com/bytelyst/learning_ai_common_plat/actions/runs/24` +- Cross-Gitea SHA match: `BLOCKED — Hostinger SHA 5ae4de2ea8f52fcd51af6f6d200dc6919c6b82b1 captured; corp SHA unavailable from this VM` +- Throwaway package fully cleaned up: `yes on Hostinger; npm view now returns 404. runner/gitea-e2e and runner/gitea-smoke branches were deleted from origin, gitea, and local.` **First real release (P5):** -- Package + version: `<@bytelyst/foo v1.2.3>` -- Hostinger workflow run: `` -- Corp workflow run: `` -- Cross-Gitea SHA match: `<✅/❌>` -- Consumer verification: `` +- Package + version: `@bytelyst/errors v0.1.10` +- Hostinger workflow run: `https://gitea.bytelyst.com/bytelyst/learning_ai_common_plat/actions/runs/38` +- Corp workflow run: `BLOCKED — not observable from this VM` +- Cross-Gitea SHA match: `BLOCKED — Hostinger SHA 7bad52d5854d4c0e3d3cb0c24efa704c11fb649f captured; corp SHA unavailable from this VM` +- Consumer verification: `learning_ai_clock isolated verification worktree from HEAD c66aa6f; published @bytelyst/errors@0.1.10 installed into backend, typecheck passed, and runtime exports were verified. Worktree removed afterward.` -**Architectural invariant verdict:** `` +**Architectural invariant verdict:** `NOT YET PROVEN — Hostinger-side pipeline works end-to-end, but the load-bearing cross-Gitea SHA invariant still requires the corp Mac/corp Gitea side to publish and report shasums.` **Surprises / deviations from the plan:** -- `` -- `` +- Gitea runner upstream assets are now under `gitea/runner` and `gitea-runner-*`, not the older `gitea/act_runner` naming expected by the original notes. +- Job containers could not use the initial host.docker.internal path reliably; workflows use the canonical public HTTPS Gitea URL for checkout, registry metadata, and tarball verification. +- Dockerized Gitea baked private/container URLs into npm tarball metadata until `ROOT_URL`/container environment was corrected and the Caddy network attachment was re-verified. +- Gitea npm rejected the originally planned leading-underscore throwaway package name; final E2E used `@bytelyst/runner-e2e-test`. +- `pnpm publish` auth was more reliable by copying the runner-mounted publish npmrc into the package directory temporarily rather than passing npm-style userconfig flags to `pnpm publish`. +- The real publish workflow now intentionally publishes on Hostinger `main` pushes/manual dispatch rather than both branch and tag triggers to avoid duplicate publish races. +- Corp-Gitea verification is outside this VM's reachable/configured remotes; this roadmap now records explicit blockers instead of silently checking them off. **Recommendations for the human:** -- `` -- `` +- On the corp Mac/corp Gitea side, run the same E2E and real-release workflow from the same commits/tags, then compare shasums against Hostinger: E2E `5ae4de2ea8f52fcd51af6f6d200dc6919c6b82b1`; real release `7bad52d5854d4c0e3d3cb0c24efa704c11fb649f`. +- If corp SHA values match, update P3.6, P5.3, P5.4, P6.1, and the review checklist sign-off. +- If corp SHA values differ, stop and compare Node image digest, pnpm version, lockfile state, and publish workflow file before releasing more packages. +- Rotate/review package registry credentials after any interactive troubleshooting that involved local npmrc copies, and keep credential-bearing npmrc files out of diffs/logs. ---