From 0eeef72e0146826389c7c77c7766165942a5ab12 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Fri, 29 May 2026 12:22:29 -0700 Subject: [PATCH] =?UTF-8?q?docs:=20session=20log=202026-05-29=20=E2=80=94?= =?UTF-8?q?=20release=20pipeline=20validated=20(signed=20v0.2.2)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- session-logs/2026-05-29-session.md | 56 ++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/session-logs/2026-05-29-session.md b/session-logs/2026-05-29-session.md index 430f657..6091d5e 100644 --- a/session-logs/2026-05-29-session.md +++ b/session-logs/2026-05-29-session.md @@ -168,3 +168,59 @@ Also located the portal and recorded infra knowledge (see below). - GC commits: `60519be` (tooling), `f2e0456` (gate), `1c5c1e7` (cargo fmt), `b2f9cbc` (clippy/target), `cd88fac` (clippy informational), `8a47332` (native Pluto build), `39e9ac4` (workflow_dispatch), `4ddced1` (CI suite fixes). build-and-test run #17 green. - claudetools: `…ab78de2` (submodule bumps), `7d326f2` (Pluto memory/wiki docs). - SPEC-001: `projects/msp-tools/guru-connect/docs/specs/SPEC-001-operational-tooling-parity.md`. + +--- + +## Update: 19:21 PT — Release pipeline validated (signed v0.2.2 published) + +### Session Summary + +Validated the GuruConnect `release.yml` pipeline end-to-end by dispatching it (workflow_dispatch). +It took three dispatches, each surfacing one real bug, all fixed: +1. Run 18: version-bump + native Pluto build succeeded; sign failed — jsign 6.0 lacks the + `TRUSTEDSIGNING` keystore type (Azure Trusted Signing needs jsign >= 7.0). Fixed by pinning + jsign 7.1 (matches `/usr/share/jsign/jsign-7.1.jar` on the build host). +2. Run 20: jsign 7.1 signed the binary successfully ("Adding Authenticode signature... [OK]"), + but the separate verify step called `jsign --info` (not a real jsign subcommand) and wrongly + failed the job. Removed the bogus verify; jsign's non-zero exit under `set -euo pipefail` + already gates signing fail-closed. +3. Run 22: ALL GREEN. Published release `v0.2.2` (draft=false) with assets `guruconnect.exe` + (Azure-Trusted-Signing-signed), `guruconnect.exe.sha256`, `CHANGELOG.md`. + +Confirmed the full chain works: conventional-commit version bump -> git-cliff changelog -> native +MSVC build on the Pluto runner -> Azure Trusted Signing (jsign 7.1) -> Gitea REST release. Deleted +the two orphan tags (v0.2.0, v0.2.1) from the failed attempts; v0.2.2 is the sole tag/release. GC +manifest versions now start at 0.2.2 (legitimate first signed release). + +### Key Decisions +- jsign 7.1 (not 6.0) for Azure Trusted Signing in CI; matches the build host's version. +- Removed the jsign-based verify step rather than replace it — jsign's exit code is the fail-closed gate; `jsign --info` does not exist. +- Kept the validation release real (v0.2.2) rather than reverting version churn; cleaned up only the orphan tags. + +### Problems Encountered +- Two-workflow confusion in the CI poller (build-and-test + test.yml/deploy.yml sharing pushes) → filtered the poller by `workflow_id` and run_number threshold. +- Release dispatch queued ~10 min behind the push-triggered build-and-test before starting (single shared runner concurrency). + +### Configuration Changes +- `projects/msp-tools/guru-connect/.gitea/workflows/release.yml`: JSIGN_VERSION 6.0 -> 7.1 (commit `e7f38ce`/rebased `5727ccf`); removed broken `jsign --info` verify step (commit `5727ccf`). +- Gitea: deleted tags v0.2.0, v0.2.1 (HTTP 204 each); v0.2.2 release published. + +### Credentials & Secrets +- No new secrets. Signing used the 8 Actions secrets set earlier (Azure Trusted Signing SP + CI_PUSH_TOKEN); source `services/azure-trusted-signing.sops.yaml` / `/etc/gururmm-signing.env`. + +### Infrastructure & Servers +- jsign on build host (172.16.3.30): `/usr/bin/jsign` wrapper -> `/usr/share/jsign/jsign-7.1.jar` (the known-good Trusted Signing version). +- Published release: `http://172.16.3.20:3000/azcomputerguru/guru-connect/releases/tag/v0.2.2`. + +### Commands & Outputs +- Dispatch a workflow: `POST /api/v1/repos/azcomputerguru/guru-connect/actions/workflows/release.yml/dispatches` `{"ref":"main"}` (HTTP 204). +- Delete a tag: `DELETE /api/v1/repos/.../tags/` (HTTP 204). +- jsign 6.0 error: `Unknown keystore type 'TRUSTEDSIGNING'`. jsign sign success marker: `Adding Authenticode signature to guruconnect.exe`. + +### Pending / Incomplete Tasks +- GC re-spec: re-tighten clippy + cargo audit to hard gates after dependency refresh; build the end-user support-code portal. +- 5 unrelated `temp/` scratch files remain untracked on GURU-5070 (datto/ksteen — another session's; left untouched). + +### Reference Information +- GC release commits: `e7f38ce`/`5727ccf` (jsign 7.1 + verify fix). Release run #22 green. Release `v0.2.2`. +- claudetools: `…70d2190` (submodule bump for verify fix).