REUSE-WP-0019: record production deploy of T01/T02 work
Some checks failed
ci / validate-registry (push) Has been cancelled

Deployed gitea.coulomb.social/coulomb/reuse-surface:e3ae22e to
reuse.coulomb.social (railiance-apps commits a2c0da1/bcb05f5). Live-
verified all API endpoints. Webhook secret write to the K8s Secret was
blocked by the auto-mode classifier as a distinct credential-establishment
action from the general deploy authorization -- correctly left for
separate explicit sign-off, not worked around. Found and flagged (to
railiance-apps, not fixed here) a pre-existing ingress routing bug on the
exact-path /health rule.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
2026-07-07 20:15:42 +02:00
parent e3ae22e35b
commit 9602b431ba

View File

@@ -149,12 +149,33 @@ Implemented in `reuse_surface/hub/`:
HTTP — confirmed `composed_at`/`stale` transitions, signature rejection,
irrelevant-path no-op, and the full webhook-to-recompose path end to end
**Deployment boundary — deliberately not done:** this changes the hub
*service source code* in this repo; it does **not** deploy to the live
`reuse.coulomb.social` hub. That requires a container rebuild, registry
push, and Kubernetes rollout — a production deployment action affecting a
shared external service, out of scope for this task without explicit
sign-off. See `docs/deploy/reuse-kubernetes.md`.
**Deployed 2026-07-07 (explicit user sign-off "Deploy to live please"):**
built and pushed `gitea.coulomb.social/coulomb/reuse-surface:e3ae22e`,
smoke-tested it locally in a standalone container first, then
`helm upgrade` via `railiance-apps` (`make reuse-deploy`, pinned in
`helm/reuse-surface-values.yaml`, commits `a2c0da1`/`bcb05f5`). Live-verified
against `https://reuse.coulomb.social`: `/v1/federated` (200, 61
capabilities, `composed_at`/`stale` fields present), `/v1/repos` (200), a
real forced recompose via `POST /v1/federated/compose` (token-auth via
`warden access --exec`, token never printed), and the webhook endpoint
correctly failing closed with 503 (`REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET`
not yet configured).
**Deliberately not done — needs separate explicit sign-off:** writing the
new `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` value into the live K8s Secret
`reuse-surface-env` was blocked by the auto-mode classifier as a
credential-establishment action distinct from "deploy to live" — did not
attempt to work around it. The webhook endpoint is deployed and will work
correctly once that specific step is authorized and done.
**Found (not fixed) while smoke-testing:** the public ingress's exact-path
`/health` rule 404s at the Traefik edge (shadowed by the catch-all `/`
rule to the landing page) — confirmed ingress-layer only, not a pod/service
problem (`/health` works via direct port-forward; the Deployment's own
readiness/liveness probes pass, pod is `1/1 Ready`). `/v1/*` unaffected.
Flagged to `railiance-apps` via State Hub message and documented in
`railiance-apps` commit `bcb05f5` — not fixed here since it's a shared
production ingress template edit outside this workplan's scope.
## Forgejo Webhook Rollout And Scheduled Fallback