azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: session log 2026-05-29 — release pipeline validated (signed v0.2.2)

Browse Source 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Mike Swanson
2026-05-29 12:22:29 -07:00
parent 95daa70551
commit 0eeef72e01
1 changed files with 56 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
session-logs/2026-05-29-session.md
View File

@@ -168,3 +168,59 @@ Also located the portal and recorded infra knowledge (see below).
- GC commits: `60519be` (tooling), `f2e0456` (gate), `1c5c1e7` (cargo fmt), `b2f9cbc` (clippy/target), `cd88fac` (clippy informational), `8a47332` (native Pluto build), `39e9ac4` (workflow_dispatch), `4ddced1` (CI suite fixes). build-and-test run #17 green.
- claudetools: `…ab78de2` (submodule bumps), `7d326f2` (Pluto memory/wiki docs).
- SPEC-001: `projects/msp-tools/guru-connect/docs/specs/SPEC-001-operational-tooling-parity.md`.
---
## Update: 19:21 PT — Release pipeline validated (signed v0.2.2 published)
### Session Summary
Validated the GuruConnect `release.yml` pipeline end-to-end by dispatching it (workflow_dispatch).
It took three dispatches, each surfacing one real bug, all fixed:
1. Run 18: version-bump + native Pluto build succeeded; sign failed — jsign 6.0 lacks the
`TRUSTEDSIGNING` keystore type (Azure Trusted Signing needs jsign >= 7.0). Fixed by pinning
jsign 7.1 (matches `/usr/share/jsign/jsign-7.1.jar` on the build host).
2. Run 20: jsign 7.1 signed the binary successfully ("Adding Authenticode signature... [OK]"),
but the separate verify step called `jsign --info` (not a real jsign subcommand) and wrongly
failed the job. Removed the bogus verify; jsign's non-zero exit under `set -euo pipefail`
already gates signing fail-closed.
3. Run 22: ALL GREEN. Published release `v0.2.2` (draft=false) with assets `guruconnect.exe`
(Azure-Trusted-Signing-signed), `guruconnect.exe.sha256`, `CHANGELOG.md`.
Confirmed the full chain works: conventional-commit version bump -> git-cliff changelog -> native
MSVC build on the Pluto runner -> Azure Trusted Signing (jsign 7.1) -> Gitea REST release. Deleted
the two orphan tags (v0.2.0, v0.2.1) from the failed attempts; v0.2.2 is the sole tag/release. GC
manifest versions now start at 0.2.2 (legitimate first signed release).
### Key Decisions
- jsign 7.1 (not 6.0) for Azure Trusted Signing in CI; matches the build host's version.
- Removed the jsign-based verify step rather than replace it — jsign's exit code is the fail-closed gate; `jsign --info` does not exist.
- Kept the validation release real (v0.2.2) rather than reverting version churn; cleaned up only the orphan tags.
### Problems Encountered
- Two-workflow confusion in the CI poller (build-and-test + test.yml/deploy.yml sharing pushes) → filtered the poller by `workflow_id` and run_number threshold.
- Release dispatch queued ~10 min behind the push-triggered build-and-test before starting (single shared runner concurrency).
### Configuration Changes
- `projects/msp-tools/guru-connect/.gitea/workflows/release.yml`: JSIGN_VERSION 6.0 -> 7.1 (commit `e7f38ce`/rebased `5727ccf`); removed broken `jsign --info` verify step (commit `5727ccf`).
- Gitea: deleted tags v0.2.0, v0.2.1 (HTTP 204 each); v0.2.2 release published.
### Credentials & Secrets
- No new secrets. Signing used the 8 Actions secrets set earlier (Azure Trusted Signing SP + CI_PUSH_TOKEN); source `services/azure-trusted-signing.sops.yaml` / `/etc/gururmm-signing.env`.
### Infrastructure & Servers
- jsign on build host (172.16.3.30): `/usr/bin/jsign` wrapper -> `/usr/share/jsign/jsign-7.1.jar` (the known-good Trusted Signing version).
- Published release: `http://172.16.3.20:3000/azcomputerguru/guru-connect/releases/tag/v0.2.2`.
### Commands & Outputs
- Dispatch a workflow: `POST /api/v1/repos/azcomputerguru/guru-connect/actions/workflows/release.yml/dispatches` `{"ref":"main"}` (HTTP 204).
- Delete a tag: `DELETE /api/v1/repos/.../tags/<tag>` (HTTP 204).
- jsign 6.0 error: `Unknown keystore type 'TRUSTEDSIGNING'`. jsign sign success marker: `Adding Authenticode signature to guruconnect.exe`.
### Pending / Incomplete Tasks
- GC re-spec: re-tighten clippy + cargo audit to hard gates after dependency refresh; build the end-user support-code portal.
- 5 unrelated `temp/` scratch files remain untracked on GURU-5070 (datto/ksteen — another session's; left untouched).
### Reference Information
- GC release commits: `e7f38ce`/`5727ccf` (jsign 7.1 + verify fix). Release run #22 green. Release `v0.2.2`.
- claudetools: `…70d2190` (submodule bump for verify fix).