From e5c41dd502aca27163639a0ff0911ebc7d0821f2 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Thu, 16 Apr 2026 07:59:28 +0000
Subject: [PATCH] fix: tolerate vault operator diagnose exit 2 (advisory
 warnings) in CI (#825)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pipeline #911 on PR #833 failed because `vault operator diagnose -config=
nomad/vault.hcl -skip=storage -skip=listener` returns exit code 2 — not
on a hard failure, but because our factory dev-box vault.hcl deliberately
runs TLS-disabled on a localhost-only listener (documented in the file
header), which triggers an advisory "Check Listener TLS" warning.

The -skip flag disables runtime sub-checks (storage access, listener
bind) but does NOT suppress the advisory checks on the parsed config, so
a valid dev-box config with documented-and-intentional warnings still
exits non-zero under strict CI.

Fix: wrap the command in a case on exit code. Treat rc=0 (all green)
and rc=2 (advisory warnings only — config still parses) as success, and
fail hard on rc=1 (real HCL/schema/storage failure) or any other rc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .woodpecker/nomad-validate.yml | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/.woodpecker/nomad-validate.yml b/.woodpecker/nomad-validate.yml
index 706e9ea..6cd616f 100644
--- a/.woodpecker/nomad-validate.yml
+++ b/.woodpecker/nomad-validate.yml
@@ -58,14 +58,28 @@ steps:
 
   # ── 2. Vault HCL syntax check ────────────────────────────────────────────
   # `vault operator diagnose` loads the config and runs a suite of checks.
-  # -skip=storage and -skip=listener disable the runtime-only checks (the
-  # /var/lib/vault/data dir and 127.0.0.1:8200 bind aren't available inside
-  # a vanilla CI container); the parse + mlock/seal-shape checks still run,
-  # so any syntax or schema error in vault.hcl surfaces here.
+  # Exit codes:
+  #   0 — all checks green
+  #   1 — at least one hard failure (bad HCL, bad schema, unreachable storage)
+  #   2 — advisory warnings only (no hard failure)
+  # Our factory dev-box vault.hcl deliberately runs TLS-disabled on a
+  # localhost-only listener (documented in nomad/vault.hcl), which triggers
+  # an advisory "Check Listener TLS" warning → exit 2. The config still
+  # parses, so we tolerate exit 2 and fail only on exit 1 or crashes.
+  # -skip=storage/-skip=listener disables the runtime-only checks (vault's
+  # container has /vault/file so storage is fine, but explicit skip is cheap
+  # insurance against future container-image drift).
   - name: vault-operator-diagnose
     image: hashicorp/vault:1.18.5
     commands:
-      - vault operator diagnose -config=nomad/vault.hcl -skip=storage -skip=listener
+      - |
+        rc=0
+        vault operator diagnose -config=nomad/vault.hcl -skip=storage -skip=listener || rc=$?
+        case "$rc" in
+          0) echo "vault config: all checks green" ;;
+          2) echo "vault config: parse OK (rc=2 — advisory warnings only; TLS-disabled on localhost listener is by design)" ;;
+          *) echo "vault config: hard failure (rc=$rc)" >&2; exit "$rc" ;;
+        esac
 
   # ── 3. Shellcheck ────────────────────────────────────────────────────────
   # Covers the new lib/init/nomad/*.sh scripts plus bin/disinto (which owns