fix: [nomad-step-0] S0.5 — Woodpecker CI validation for nomad/vault artifacts (#825) #833

Merged
dev-bot merged 3 commits from fix/issue-825 into main 2026-04-16 08:18:46 +00:00
Collaborator

Fixes #825

Changes

dev-bot added 1 commit 2026-04-16 07:54:30 +00:00
fix: [nomad-step-0] S0.5 — Woodpecker CI validation for nomad/vault artifacts (#825)
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline failed
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline failed
ci/woodpecker/pr/secret-scan Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline failed
5150f8c486
Locks in static validation for every Nomad+Vault artifact before it can
merge. Four fail-closed steps in .woodpecker/nomad-validate.yml, gated
to PRs touching nomad/, lib/init/nomad/, or bin/disinto:

  1. nomad config validate nomad/server.hcl nomad/client.hcl
  2. vault operator diagnose -config=nomad/vault.hcl -skip=storage -skip=listener
  3. shellcheck --severity=warning lib/init/nomad/*.sh bin/disinto
  4. bats tests/disinto-init-nomad.bats — dispatcher smoke tests

bin/disinto picks up pre-existing SC2120 warnings on three passthrough
wrappers (generate_agent_docker, generate_caddyfile, generate_staging_index);
annotated with shellcheck disable=SC2120 so the new pipeline is clean
without narrowing the warning for future code.

Pinned image versions (hashicorp/nomad:1.9.5, hashicorp/vault:1.18.5)
match lib/init/nomad/install.sh — bump both or neither.

nomad/AGENTS.md documents the stack layout, how to add a jobspec in
Step 1, how CI validates it, and the two-place version pinning rule.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dev-bot added 1 commit 2026-04-16 07:59:40 +00:00
fix: tolerate vault operator diagnose exit 2 (advisory warnings) in CI (#825)
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline failed
e5c41dd502
Pipeline #911 on PR #833 failed because `vault operator diagnose -config=
nomad/vault.hcl -skip=storage -skip=listener` returns exit code 2 — not
on a hard failure, but because our factory dev-box vault.hcl deliberately
runs TLS-disabled on a localhost-only listener (documented in the file
header), which triggers an advisory "Check Listener TLS" warning.

The -skip flag disables runtime sub-checks (storage access, listener
bind) but does NOT suppress the advisory checks on the parsed config, so
a valid dev-box config with documented-and-intentional warnings still
exits non-zero under strict CI.

Fix: wrap the command in a case on exit code. Treat rc=0 (all green)
and rc=2 (advisory warnings only — config still parses) as success, and
fail hard on rc=1 (real HCL/schema/storage failure) or any other rc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
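The exit-code handling the commit describes, written out as a small shell helper. This is an added example, not the project's `.woodpecker/nomad-validate.yml`; it assumes the rc semantics stated above (0 green, 2 advisory warnings with a parsed config, 1 hard failure) and uses `sh -c 'exit N'` stand-ins so it runs without Vault installed:

```shell
#!/usr/bin/env bash
# Added example (not the project's pipeline code): classify the exit status of
# `vault operator diagnose` the way the commit message describes.
#   rc=0 -> all checks green
#   rc=2 -> advisory warnings only; the config still parsed (tolerated)
#   rc=1 -> hard failure (HCL/schema/storage); fail the step
#   any other rc -> unknown state; fail closed

# classify_diagnose_rc RC -> returns 0 if RC is acceptable for merge, 1 otherwise
classify_diagnose_rc() {
  case "$1" in
    0) echo "vault diagnose: all checks passed"; return 0 ;;
    2) echo "vault diagnose: advisory warnings only (config parsed); tolerated"; return 0 ;;
    1) echo "vault diagnose: hard failure (rc=1)" >&2; return 1 ;;
    *) echo "vault diagnose: unexpected rc=$1; failing closed" >&2; return 1 ;;
  esac
}

# run_diagnose CMD... -> runs CMD, captures its rc even under `set -e`,
# and returns the classification. In the real CI step this would be:
#   run_diagnose vault operator diagnose -config=nomad/vault.hcl -skip=storage -skip=listener
run_diagnose() {
  local rc=0
  "$@" || rc=$?
  classify_diagnose_rc "$rc"
}

# Stand-alone demo with constructed stand-ins for the real command (no Vault needed).
run_diagnose sh -c 'exit 0'
run_diagnose sh -c 'exit 2'
run_diagnose sh -c 'exit 1' || echo "step would fail here (rc=$?)"
```

The point of capturing `rc` with `|| rc=$?` rather than calling the command bare is that a Woodpecker step runs with `set -e`, so an unwrapped rc=2 would abort the step before any `case` could inspect it.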
dev-bot added 1 commit 2026-04-16 08:07:02 +00:00
fix: add bats coverage for --backend <value> space-separated form (#825)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
14c67f36e6
The bin/disinto flag loop has separate cases for `--backend value`
(space-separated) and `--backend=value`; a regression in either would
silently route to the docker default path. Per the "stub-first dispatch"
lesson, silent misrouting during a migration is the worst failure mode —
covering both forms closes that gap.

Also triggers a retry of the smoke-init pipeline step, which hit a known
Forgejo branch-indexing flake on pipeline #913 (same flake cleared on
retry for PR #829 pipelines #906#908); unrelated to the nomad-validate
changes, which went all-green in #913.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
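A fail-closed flag loop of the kind the commit is guarding, as an added example rather than the real `bin/disinto` code. It accepts both `--backend value` and `--backend=value`, defaults to docker, and rejects unknown backends and an unsupported `--empty` combination instead of silently falling through to the default. The backend names, the `--empty` option and its docker restriction are assumptions taken from this PR's description, not the project's actual option set:

```shell
#!/usr/bin/env bash
# Added example, not bin/disinto itself: a fail-closed dispatcher flag loop.
# Assumed option set (from the PR discussion, not the project): --backend {docker|nomad}
# in both space-separated and = forms, default docker, and --empty valid only with nomad.

# parse_init_args ARGS... -> prints "<backend> <empty>" on success, returns 1 on bad input
parse_init_args() {
  local backend="docker" empty=0
  while [ $# -gt 0 ]; do
    case "$1" in
      --backend)
        # space-separated form: the value is the next argument and must be present
        if [ $# -lt 2 ] || [ -z "$2" ]; then
          echo "error: --backend requires a value" >&2; return 1
        fi
        backend="$2"; shift 2 ;;
      --backend=*)
        backend="${1#--backend=}"; shift ;;
      --empty)
        empty=1; shift ;;
      --) shift; break ;;
      -*)
        echo "error: unknown option: $1" >&2; return 1 ;;
      *)
        echo "error: unexpected argument: $1" >&2; return 1 ;;
    esac
  done
  # Reject anything that is not an explicitly known backend; never fall back to the default.
  case "$backend" in
    docker|nomad) ;;
    *) echo "error: unknown backend '$backend'" >&2; return 1 ;;
  esac
  if [ "$empty" -eq 1 ] && [ "$backend" = "docker" ]; then
    echo "error: --empty is only supported with --backend nomad" >&2; return 1
  fi
  echo "$backend $empty"
}

# dispatch_init ARGS... -> routes to a backend-specific init function, or fails
dispatch_init() {
  local parsed backend empty
  parsed=$(parse_init_args "$@") || return 1
  backend=${parsed%% *}
  empty=${parsed##* }
  case "$backend" in
    docker) init_docker ;;
    nomad)  init_nomad "$empty" ;;
  esac
}

# Stub backends so the routing is visible; the real ones would do the work.
init_docker() { echo "init:docker"; }
init_nomad()  { echo "init:nomad empty=$1"; }

# Stand-alone demo (constructed invocations).
dispatch_init
dispatch_init --backend nomad
dispatch_init --backend=nomad --empty
dispatch_init --backend=podman || echo "rejected as expected (rc=$?)"
```

Both flag forms are separate `case` arms, which is exactly why a test per form matters: a typo in one arm would not break the other, and without the explicit unknown-backend check the loop would quietly keep the docker default.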
Collaborator

AI Review

Summary

S0.5 adds a focused, fail-closed Woodpecker pipeline that validates every Nomad+Vault artifact touched by the migration. Four orthogonal steps: HCL syntax, Vault config parse, shellcheck, and bats dispatch smoke-tests. All look correct.

nomad-validate.yml

  • Clone pattern is identical to — consistent and correct.
  • Vault diagnose exit-code handling is right: case on rc, tolerate 2, hard-fail on anything else. Matches the lesson from S0.4 CI work.
  • -skip=storage -skip=listener is documented clearly in both the pipeline comment and nomad/AGENTS.md.
  • Trigger path list is complete — the pipeline re-validates itself when it changes.

bin/disinto — SC2120 suppressions

SC2120 fires on generate_agent_docker, generate_caddyfile, and generate_staging_index because they are called at lines 920–922 without arguments. The disable comments are correctly scoped and the explanation (passthrough wrapper for future args) is accurate. generate_compose is correctly left without a suppress because it is always called with arguments.

tests/disinto-init-nomad.bats

  • setup_file() + BATS_TEST_FILENAME is the correct bats pattern for file-scoped setup.
  • Six tests cover: default dispatch, --empty variant, docker regression guard, space-separated flag form, unknown backend rejection, and --empty on docker rejection.
  • Test assertions match the actual disinto_init implementation in bin/disinto (verified against lines 708–757).

nomad/AGENTS.md

Version pins (1.9.5 / 1.18.5), step counts (9 steps), and CI step descriptions all match the pipeline and bin/disinto implementation.

Verdict

APPROVE — Correct CI pipeline, accurate bats coverage, and clean shellcheck suppressions — no blockers.


Reviewed at 14c67f3 | AGENTS.md

review-bot approved these changes 2026-04-16 08:16:06 +00:00
review-bot left a comment
Collaborator

AI Review: APPROVE — Correct CI pipeline, accurate bats coverage, and clean shellcheck suppressions — no blockers.

dev-bot merged commit 2a7ae0b7ea into main 2026-04-16 08:18:46 +00:00
dev-bot deleted branch fix/issue-825 2026-04-16 08:18:46 +00:00
Reference: disinto-admin/disinto#833