diff --git a/.gitea/workflows/harbor-110-local-repair.yaml b/.gitea/workflows/harbor-110-local-repair.yaml index 1da8682e..75a8df94 100644 --- a/.gitea/workflows/harbor-110-local-repair.yaml +++ b/.gitea/workflows/harbor-110-local-repair.yaml @@ -1,7 +1,8 @@ # AWOOOI Harbor 110 Local Repair # # Controlled runtime: -# - workflow_dispatch only; no push / pull_request / pull_request_target trigger +# - workflow_dispatch + low-frequency schedule only +# - no push / pull_request / pull_request_target trigger # - runs only on the 110-local awoooi-host lane # - no secret read, no Docker daemon restart, no reboot, no node drain # - runs the existing bounded recovery script, then verifies local and public /v2/ @@ -10,10 +11,13 @@ name: AWOOOI Harbor 110 Local Repair on: workflow_dispatch: + schedule: + - cron: "*/10 * * * *" env: AWOOOI_HARBOR_110_LOCAL_REPAIR_ENABLED: "1" AWOOOI_110_EXPECTED_HOST_IP: 192.168.0.110 + AWOOOI_HARBOR_110_LOCAL_REPAIR_TRIGGER: ${{ github.event_name }} jobs: workflow-shape: 
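Review bot: The new `schedule:` trigger makes a job that calls `sudo -n` run unattended every ten minutes, and nothing visible in this hunk stops a scheduled run from overlapping a manual `workflow_dispatch` run or an earlier scheduled run that is still going. Two concurrent `--apply-all` passes on the same host are worth ruling out, either with a workflow-level `concurrency:` group (if the Gitea version in use honours it) or by taking a `flock` on a fixed lock file inside the recovery step. The header comment calls this cadence low-frequency; stating the interval there, e.g. `# - workflow_dispatch + schedule (every 10 minutes)`, keeps the controlled-runtime description checkable against the cron line. The rest of the workflow is outside this hunk, so an existing guard may already cover the overlap.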
@@ -58,25 +62,35 @@ jobs: chmod +x scripts/reboot-recovery/harbor-watchdog.sh chmod +x scripts/reboot-recovery/recover-110-control-path-and-harbor-local.sh + run_recovery() { + sudo -n env \ + TARGET_USER=wooo \ + RELOAD_SSH=0 \ + AWOOOI_110_EXPECTED_HOST_IP="${AWOOOI_110_EXPECTED_HOST_IP}" \ + AWOOOI_110_SSH_REPAIR_SCRIPT="${PWD}/scripts/reboot-recovery/repair-110-ssh-publickey-auth-local.sh" \ + AWOOOI_HARBOR_WATCHDOG_SCRIPT="${PWD}/scripts/reboot-recovery/harbor-watchdog.sh" \ + "${PWD}/scripts/reboot-recovery/recover-110-control-path-and-harbor-local.sh" \ + "$@" + } + echo "harbor_110_local_repair_check_start=1" - sudo -n env \ - TARGET_USER=wooo \ - RELOAD_SSH=0 \ - AWOOOI_110_EXPECTED_HOST_IP="${AWOOOI_110_EXPECTED_HOST_IP}" \ - AWOOOI_110_SSH_REPAIR_SCRIPT="${PWD}/scripts/reboot-recovery/repair-110-ssh-publickey-auth-local.sh" \ - AWOOOI_HARBOR_WATCHDOG_SCRIPT="${PWD}/scripts/reboot-recovery/harbor-watchdog.sh" \ - "${PWD}/scripts/reboot-recovery/recover-110-control-path-and-harbor-local.sh" \ - --check + set +e + check_output="$(run_recovery --check 2>&1)" + check_rc=$? 
+ set -e + printf '%s\n' "${check_output}" + echo "harbor_110_local_repair_check_rc=${check_rc}" + + trigger="${GITHUB_EVENT_NAME:-${AWOOOI_HARBOR_110_LOCAL_REPAIR_TRIGGER:-unknown}}" + echo "harbor_110_local_repair_trigger=${trigger}" + if [ "${trigger}" != "workflow_dispatch" ] \ + && printf '%s\n' "${check_output}" | grep -q "harbor_ready=true"; then + echo "harbor_110_local_repair_skipped=already_ready" + exit 0 + fi echo "harbor_110_local_repair_apply_all_start=1" - sudo -n env \ - TARGET_USER=wooo \ - RELOAD_SSH=0 \ - AWOOOI_110_EXPECTED_HOST_IP="${AWOOOI_110_EXPECTED_HOST_IP}" \ - AWOOOI_110_SSH_REPAIR_SCRIPT="${PWD}/scripts/reboot-recovery/repair-110-ssh-publickey-auth-local.sh" \ - AWOOOI_HARBOR_WATCHDOG_SCRIPT="${PWD}/scripts/reboot-recovery/harbor-watchdog.sh" \ - "${PWD}/scripts/reboot-recovery/recover-110-control-path-and-harbor-local.sh" \ - --apply-all + run_recovery --apply-all - name: Verify Harbor registry routes after local repair run: | diff --git a/ops/runner/test_cd_controlled_runtime_profile.py b/ops/runner/test_cd_controlled_runtime_profile.py index d94542ae..4b31ee12 100644 --- a/ops/runner/test_cd_controlled_runtime_profile.py +++ b/ops/runner/test_cd_controlled_runtime_profile.py @@ -109,6 +109,8 @@ def test_harbor_110_local_repair_workflow_is_dispatch_only_and_bounded() -> None text = HARBOR_110_REPAIR_WORKFLOW.read_text(encoding="utf-8") assert "workflow_dispatch:" in text + assert "schedule:" in text + assert 'cron: "*/10 * * * *"' in text assert "push:" not in text assert "pull_request:" not in text assert "pull_request_target:" not in text 
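Review bot: The skip decision ignores `check_rc` and trusts a substring match: `grep -q "harbor_ready=true"` runs over merged stdout and stderr (`2>&1`), so any line that merely contains that text, including an error message or a longer key ending in `harbor_ready=true`, skips the repair. In the other direction, a `--check` that exits non-zero for a reason other than Harbor being down (a failed precondition, for example) now falls through to the privileged `--apply-all` on every scheduled run, where the old code would presumably have stopped under `set -e`. Consider requiring both signals for the skip, `[ "${check_rc}" -eq 0 ] && printf '%s\n' "${check_output}" | grep -qx 'harbor_ready=true'`, assuming the script prints the marker on a line of its own, and deciding explicitly which non-zero codes may proceed to apply. The `run:` block begins before this hunk.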
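Review bot: The test is still named `test_harbor_110_local_repair_workflow_is_dispatch_only_and_bounded`, but with these assertions it now requires a schedule trigger, so the name states a guarantee the workflow no longer has; a name ending in `_is_dispatch_or_schedule_only_and_bounded` would match what is checked. The substring check for the cron line also still passes if a second, more frequent `cron:` entry is added later; `assert text.count("cron:") == 1` would pin the schedule to the single reviewed entry. The function body continues outside the hunk.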
@@ -119,6 +121,8 @@ def test_harbor_110_local_repair_workflow_is_dispatch_only_and_bounded() -> None
 assert "--check" in text
 assert "--apply-all" in text
 assert "sudo -n env" in text
+ assert "GITHUB_EVENT_NAME" in text
+ assert "harbor_110_local_repair_skipped=already_ready" in text
 assert "192.168.0.110" in text
 assert "http://127.0.0.1:5000/v2/" in text
 assert "https://registry.wooo.work/v2/" in text
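Review bot: `assert "GITHUB_EVENT_NAME" in text` only proves the variable name appears somewhere in the workflow file, not that the already-ready skip is limited to non-manual triggers. Asserting the guard itself, `assert '[ "${trigger}" != "workflow_dispatch" ]' in text`, would fail if that condition were loosened or removed, which is the property this profile test is meant to protect. The function body starts and ends outside the hunk.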