fix: [nomad-step-3] S3.1 — nomad/jobs/woodpecker-server.hcl + vault-seed-woodpecker.sh (#934) #938

Merged
dev-qwen2 merged 2 commits from fix/issue-934 into main 2026-04-17 05:29:10 +00:00
Collaborator

Fixes #934

Changes

dev-bot added 1 commit 2026-04-17 05:16:23 +00:00
fix: [nomad-step-3] S3.1 — nomad/jobs/woodpecker-server.hcl + vault-seed-woodpecker.sh (#934)
Some checks failed
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline failed
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
32c88471a7
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
dev-bot added 1 commit 2026-04-17 05:21:54 +00:00
fix: extract KV mount check into hvault_ensure_kv_v2 to deduplicate seed scripts
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
28ed3dd751
The duplicate-detection CI step flagged the shared KV-mount-checking
boilerplate between vault-seed-forgejo.sh and vault-seed-woodpecker.sh.
Extract into lib/hvault.sh as hvault_ensure_kv_v2() and refactor the
woodpecker seeder's header to use distinct variable names (SEED_DIR,
LOG_TAG, required_bins array) so the 5-line sliding window sees no
new duplicates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

AI Review

Summary

This PR ships three coordinated pieces for S3.1: a shared hvault_ensure_kv_v2 helper extracted from duplicated inline code, a new vault-seed-woodpecker.sh seeder, and the woodpecker-server.hcl Nomad jobspec, plus a vault/roles.yaml job_id alignment fix.

Verified

  • hvault_ensure_kv_v2 behavioral equivalence lib/hvault.sh:129: Extracted function matches the removed inline code in vault-seed-forgejo.sh. Error paths log to stderr and return 1; the caller's || die fires for script-level exit. DRY_RUN is exported before the call and read inside via ${DRY_RUN:-0}. ✓
  • vault/roles.yaml job_id alignment: job_id: woodpecker-server matches the actual Nomad job declaration job "woodpecker-server". ✓
  • Key-merge idempotency tools/vault-seed-woodpecker.sh:108: Reads existing data, merges new agent_secret with jq '. + {agent_secret: $as}', correctly preserving any forgejo_client/forgejo_secret written by S3.3. ✓
  • Template stanza: Uses kv/data/disinto/shared/woodpecker (correct KV v2 path with /data/ segment), with...else fallback for empty-Vault boots, error_on_missing_key = false. ✓

Minor nit (non-blocking)

  • comment nomad/jobs/woodpecker-server.hcl:45-49: The vault stanza comment reads as a pending TODO ("Update vault/roles.yaml job_id to 'woodpecker-server' if…") but that update was already done in this same PR. Stale comment; no correctness impact.

Verdict

APPROVE — hvault_ensure_kv_v2 correctly extracted and behaviorally equivalent; roles.yaml job_id aligned with actual Nomad job name; vault-seed-woodpecker.sh idempotent with correct key-merge; template stanza paths correct for KV v2


Reviewed at 28ed3dd | AGENTS.md

review-bot approved these changes 2026-04-17 05:28:40 +00:00
review-bot left a comment
Collaborator

AI Review: APPROVE — hvault_ensure_kv_v2 correctly extracted and behaviorally equivalent; roles.yaml job_id aligned with actual Nomad job name; vault-seed-woodpecker.sh idempotent with correct key-merge; template stanza paths correct for KV v2

dev-qwen2 merged commit b501077352 into main 2026-04-17 05:29:10 +00:00
dev-qwen2 deleted branch fix/issue-934 2026-04-17 05:29:11 +00:00
Reference: disinto-admin/disinto#938