generated from coulomb/repo-seed
REUSE-WP-0019: record production deploy of T01/T02 work
Some checks failed
ci / validate-registry (push) Has been cancelled
Some checks failed
ci / validate-registry (push) Has been cancelled
Deployed gitea.coulomb.social/coulomb/reuse-surface:e3ae22e to reuse.coulomb.social (railiance-apps commits a2c0da1/bcb05f5). Live- verified all API endpoints. Webhook secret write to the K8s Secret was blocked by the auto-mode classifier as a distinct credential-establishment action from the general deploy authorization -- correctly left for separate explicit sign-off, not worked around. Found and flagged (to railiance-apps, not fixed here) a pre-existing ingress routing bug on the exact-path /health rule. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
@@ -149,12 +149,33 @@ Implemented in `reuse_surface/hub/`:
|
||||
HTTP — confirmed `composed_at`/`stale` transitions, signature rejection,
|
||||
irrelevant-path no-op, and the full webhook-to-recompose path end to end
|
||||
|
||||
**Deployment boundary — deliberately not done:** this changes the hub
|
||||
*service source code* in this repo; it does **not** deploy to the live
|
||||
`reuse.coulomb.social` hub. That requires a container rebuild, registry
|
||||
push, and Kubernetes rollout — a production deployment action affecting a
|
||||
shared external service, out of scope for this task without explicit
|
||||
sign-off. See `docs/deploy/reuse-kubernetes.md`.
|
||||
**Deployed 2026-07-07 (explicit user sign-off "Deploy to live please"):**
|
||||
built and pushed `gitea.coulomb.social/coulomb/reuse-surface:e3ae22e`,
|
||||
smoke-tested it locally in a standalone container first, then
|
||||
`helm upgrade` via `railiance-apps` (`make reuse-deploy`, pinned in
|
||||
`helm/reuse-surface-values.yaml`, commits `a2c0da1`/`bcb05f5`). Live-verified
|
||||
against `https://reuse.coulomb.social`: `/v1/federated` (200, 61
|
||||
capabilities, `composed_at`/`stale` fields present), `/v1/repos` (200), a
|
||||
real forced recompose via `POST /v1/federated/compose` (token-auth via
|
||||
`warden access --exec`, token never printed), and the webhook endpoint
|
||||
correctly failing closed with 503 (`REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET`
|
||||
not yet configured).
|
||||
|
||||
**Deliberately not done — needs separate explicit sign-off:** writing the
|
||||
new `REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET` value into the live K8s Secret
|
||||
`reuse-surface-env` was blocked by the auto-mode classifier as a
|
||||
credential-establishment action distinct from "deploy to live" — did not
|
||||
attempt to work around it. The webhook endpoint is deployed and will work
|
||||
correctly once that specific step is authorized and done.
|
||||
|
||||
**Found (not fixed) while smoke-testing:** the public ingress's exact-path
|
||||
`/health` rule 404s at the Traefik edge (shadowed by the catch-all `/`
|
||||
rule to the landing page) — confirmed ingress-layer only, not a pod/service
|
||||
problem (`/health` works via direct port-forward; the Deployment's own
|
||||
readiness/liveness probes pass, pod is `1/1 Ready`). `/v1/*` unaffected.
|
||||
Flagged to `railiance-apps` via State Hub message and documented in
|
||||
`railiance-apps` commit `bcb05f5` — not fixed here since it's a shared
|
||||
production ingress template edit outside this workplan's scope.
|
||||
|
||||
## Forgejo Webhook Rollout And Scheduled Fallback
|
||||
|
||||
|
||||
Reference in New Issue
Block a user