Charon/docs/plans/current_spec.md
2026-01-25 06:11:29 +00:00
# Git & Workflow Recovery Plan
**Plan ID**: GIT-2026-001
**Status**: 📋 PENDING
**Priority**: High
**Created**: 2026-01-25
**Scope**: Git recovery, Renovate fix, Workflow simplification
---
## Problem Summary
1. **Git State**: Feature branch `feature/beta-release` is in a broken rebase state
2. **Renovate**: Targeting feature branches creates orphaned PRs and merge conflicts
3. **Propagate Workflow**: Overly complex cascade (`main → development → nightly → feature/*`) causes confusion
4. **Nightly Branch**: Unnecessary intermediate branch adding complexity
---
## Phase 1: Git Recovery
### Step 1.1 — Abort the Rebase
```bash
# Check current state
git status
# Abort the in-progress rebase
git rebase --abort
# Verify clean state
git status
```
### Step 1.2 — Fetch Latest from Origin
```bash
# Fetch all branches
git fetch origin --prune
# Ensure we're on the feature branch
git checkout feature/beta-release
```
### Step 1.3 — Merge Development into Feature Branch
**Use merge, NOT rebase**: the branch is already published, so a rebase would rewrite its commits and require a force-push (and a rebase is what produced the broken state in the first place). A merge preserves the existing history.
```bash
# Merge development into feature/beta-release
git merge origin/development --no-ff -m "Merge development into feature/beta-release"
```
### Step 1.4 — Resolve Conflicts (if any)
Likely conflict files based on Renovate activity:
- `package.json` / `package-lock.json` (version bumps)
- `backend/go.mod` / `backend/go.sum` (Go dependency updates)
- `.github/workflows/*.yml` (action digest pins)
**Resolution strategy.** During a merge, `--theirs` is the side being merged in (`origin/development`) and `--ours` is the current branch; note that the meaning is inverted during a rebase, which is why the abort in Step 1.1 must happen first. `git checkout --theirs` only touches paths that are actually conflicted.
```bash
# List the files git could not merge on its own
git diff --name-only --diff-filter=U
# For package.json - accept development's versions, then regenerate the lockfile
git checkout --theirs package.json package-lock.json
npm install
git add package.json package-lock.json
# For go.mod/go.sum - accept development's versions, then tidy
git checkout --theirs backend/go.mod backend/go.sum
(cd backend && go mod tidy)
git add backend/go.mod backend/go.sum
# For workflow files - development's version is usually right, but workflows run
# with the repository's secrets, so inspect the action digest pins before accepting
git diff --name-only --diff-filter=U -- .github/workflows/
git checkout --theirs -- .github/workflows/
git add .github/workflows/
# Complete the merge (no unresolved paths may remain)
git commit
```
### Step 1.5 — Push the Merged Branch
```bash
git push origin feature/beta-release
```
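The whole of Phase 1 as one repeatable script, added here as an example; it is not part of the Charon repository. It assumes `git` and `mktemp` are available, builds a constructed fixture (a local bare `origin`, a `development` branch with a Renovate-style bump, a diverged `feature/beta-release`, and a rebase left half-done) and then runs Steps 1.1 to 1.5 against it. Beyond the steps above it adds three things a practitioner wants: the rebase is only aborted if one is actually in progress, a `backup/pre-merge` restore point is created before the merge, and conflicting workflow files are diffed for review before development's version is accepted, because whatever lands in `.github/workflows/` runs with the repository's secrets. The function names, the `backup/pre-merge` ref and the fixture contents are illustrative.

```shell
#!/bin/sh
# Added example, not Charon's code: Phase 1 (Steps 1.1-1.5) as a script,
# exercised against a throwaway repository. Requires git and mktemp.

# Constructed fixture: bare "origin", development with a dependency bump,
# a diverged feature branch, and a rebase that stopped on a conflict.
make_fixture() {
  root=$(mktemp -d)
  git init -q --bare "$root/origin.git"
  git clone -q "$root/origin.git" "$root/work" 2>/dev/null
  (
    cd "$root/work" || exit 1
    git config user.email ci@example.invalid
    git config user.name fixture
    git checkout -q -b development
    mkdir -p .github/workflows
    printf '{ "name": "charon", "version": "1.0.0" }\n' > package.json
    printf 'steps:\n  - uses: actions/checkout@v4\n' > .github/workflows/ci.yml
    git add . && git commit -q -m "init"
    git push -q -u origin development
    git checkout -q -b feature/beta-release
    printf '{ "name": "charon", "version": "1.0.0-beta" }\n' > package.json
    printf 'steps:\n  - uses: actions/checkout@v4 # beta\n' > .github/workflows/ci.yml
    git commit -q -am "feature: beta version"
    git push -q -u origin feature/beta-release
    git checkout -q development
    printf '{ "name": "charon", "version": "1.0.1" }\n' > package.json
    printf 'steps:\n  - uses: actions/checkout@0000000000000000000000000000000000000000 # v4\n' \
      > .github/workflows/ci.yml
    git commit -q -am "chore(deps): pin actions/checkout"
    git push -q origin development
    git checkout -q feature/beta-release
    # Reproduce the broken state: a rebase that stops on conflicts
    git rebase -q development >/dev/null 2>&1 || true
  ) >/dev/null
  echo "$root/work"
}

# Steps 1.1-1.5. Conflicted paths are taken from git itself rather than
# guessed; paths are assumed to contain no whitespace.
recover_feature_branch() {
  repo=$1
  feature=${2:-feature/beta-release}
  base=${3:-development}
  # Step 1.1: abort only if a rebase is really in progress
  if [ -d "$repo/.git/rebase-merge" ] || [ -d "$repo/.git/rebase-apply" ]; then
    git -C "$repo" rebase --abort
  fi
  # Step 1.2, plus a restore point before any history is touched
  git -C "$repo" checkout -q "$feature"
  git -C "$repo" fetch -q origin --prune
  git -C "$repo" branch -f backup/pre-merge "$feature"
  # Step 1.3: merge, never rebase, the published branch
  if ! git -C "$repo" merge --no-ff -q -m "Merge $base into $feature" "origin/$base" >/dev/null; then
    # Step 1.4: resolve only what git reports as unmerged
    for f in $(git -C "$repo" diff --name-only --diff-filter=U); do
      case "$f" in
        package.json|package-lock.json|backend/go.mod|backend/go.sum)
          git -C "$repo" checkout --theirs -- "$f" ;;
        .github/workflows/*)
          # Workflows run with repo secrets: show ours (stage 2) vs theirs
          # (stage 3) so the digest pins get reviewed before acceptance
          echo "review workflow change before accepting: $f" >&2
          git -C "$repo" diff ":2:$f" ":3:$f" >&2
          git -C "$repo" checkout --theirs -- "$f" ;;
        *)
          echo "manual resolution required: $f" >&2
          return 1 ;;
      esac
      git -C "$repo" add -- "$f"
    done
    git -C "$repo" commit -q --no-edit
  fi
  # Step 1.5: a plain push suffices because nothing was rewritten
  git -C "$repo" push -q origin "$feature"
}
```

Run `recover_feature_branch "$(make_fixture)"` to see the procedure end to end; with a real clone, call `recover_feature_branch /path/to/checkout` after confirming the branch names. The `backup/pre-merge` ref is what the Rollback Plan would reset to if the merge goes wrong after it has been pushed.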
---
## Phase 2: Renovate Fix
### Problem
Current config in `.github/renovate.json`:
```json
"baseBranches": [
  "development",
  "feature/beta-release"
]
```
This causes:
- Duplicate PRs for the same dependency (one per branch)
- Orphaned branches like `renovate/feature/beta-release-*` when feature merges
- Constant merge conflicts between branches
### Solution
Only target `development`. Dependency bumps then reach feature branches the same way every other `development` change does, by merging `development` into them (Step 1.3), so each bump and each action digest pin is reviewed once, on one branch, instead of once per branch.
### Old Config (REMOVE)
```json
{
  "baseBranches": [
    "development",
    "feature/beta-release"
  ],
  ...
}
```
### New Config (REPLACE WITH)
```json
{
  "baseBranches": [
    "development"
  ],
  ...
}
```
### File to Edit
**File**: `.github/renovate.json`
**Line**: ~12-15
---
## Phase 3: Propagate Workflow Fix
### Problem
Current workflow in `.github/workflows/propagate-changes.yml`:
```yaml
on:
  push:
    branches:
      - main
      - development
      - nightly # <-- Unnecessary
```
Cascade logic:
- `main` → `development` ✅ (Correct)
- `development` → `nightly` ❌ (Unnecessary)
- `nightly` → `feature/*` ❌ (Overly complex)
### Solution
Simplify to **only** `main → development` propagation.
### Old Trigger (REMOVE)
```yaml
on:
  push:
    branches:
      - main
      - development
      - nightly
```
### New Trigger (REPLACE WITH)
```yaml
on:
  push:
    branches:
      - main
```
### Old Script Logic (REMOVE)
```javascript
if (currentBranch === 'main') {
  // Main -> Development
  await createPR('main', 'development');
} else if (currentBranch === 'development') {
  // Development -> Nightly
  await createPR('development', 'nightly');
} else if (currentBranch === 'nightly') {
  // Nightly -> Feature branches
  const branches = await github.paginate(github.rest.repos.listBranches, {
    owner: context.repo.owner,
    repo: context.repo.repo,
  });
  const featureBranches = branches
    .map(b => b.name)
    .filter(name => name.startsWith('feature/'));
  core.info(`Found ${featureBranches.length} feature branches: ${featureBranches.join(', ')}`);
  for (const featureBranch of featureBranches) {
    await createPR('development', featureBranch);
  }
}
```
### New Script Logic (REPLACE WITH)
```javascript
if (currentBranch === 'main') {
  // Main -> Development (only propagation needed)
  await createPR('main', 'development');
}
```
### File to Edit
**File**: `.github/workflows/propagate-changes.yml`
---
## Phase 4: Cleanup
### Step 4.1 — Delete Nightly Branch
```bash
# Delete remote nightly branch (if exists)
git push origin --delete nightly 2>/dev/null || echo "nightly branch does not exist"
# Delete local tracking branch
git branch -D nightly 2>/dev/null || true
```
### Step 4.2 — Delete Orphaned Renovate Branches
```bash
# List all remote renovate branches targeting feature/beta-release.
# for-each-ref gives clean ref names (no leading spaces, no "origin/HEAD -> ..." line).
git fetch origin --prune
git for-each-ref --format='%(refname:short)' 'refs/remotes/origin/renovate/feature/beta-release*' | while read -r branch; do
remote_branch="${branch#origin/}"
echo "Deleting: $remote_branch"
git push origin --delete "$remote_branch"
done
```
### Step 4.3 — Close Orphaned Renovate PRs
GitHub closes a pull request automatically when its head branch is deleted, so the `renovate/feature/beta-release-*` PRs close with their branches. Confirm in the PR list that none remain open against `feature/beta-release`.
---
## Execution Checklist
- [ ] **Phase 1**: Git Recovery
  - [ ] 1.1 Abort rebase
  - [ ] 1.2 Fetch latest
  - [ ] 1.3 Merge development
  - [ ] 1.4 Resolve conflicts
  - [ ] 1.5 Push merged branch
- [ ] **Phase 2**: Renovate Fix
  - [ ] Edit `.github/renovate.json` - remove `feature/beta-release` from baseBranches
  - [ ] Commit and push
- [ ] **Phase 3**: Propagate Workflow Fix
  - [ ] Edit `.github/workflows/propagate-changes.yml` - simplify triggers and logic
  - [ ] Commit and push
- [ ] **Phase 4**: Cleanup
  - [ ] 4.1 Delete nightly branch
  - [ ] 4.2 Delete orphaned `renovate/feature/beta-release-*` branches
  - [ ] 4.3 Verify orphaned PRs are closed
---
## Verification
After all phases complete:
```bash
# Confirm no rebase in progress
git status
# Expected: "On branch feature/beta-release" with clean state
# Confirm nightly deleted
git branch -r | grep nightly
# Expected: no output
# Confirm orphaned renovate branches deleted
git branch -r | grep 'renovate/feature/beta-release'
# Expected: no output
# Confirm Renovate config only targets development
grep -A2 baseBranches .github/renovate.json
# Expected: only "development"
```
---
## Rollback Plan
If issues occur:
1. **Git Recovery Failed**: reset the local branch to what `origin` holds. This only undoes the merge if Step 1.5 has not pushed it yet; record the SHA of `origin/feature/beta-release` before pushing so that commit can be used here instead of the remote ref.
```bash
git fetch origin
git checkout feature/beta-release
git reset --hard origin/feature/beta-release
```
2. **Renovate Changes Broke Something**: Revert the commit to `.github/renovate.json`
3. **Propagate Workflow Issues**: Revert the commit to `.github/workflows/propagate-changes.yml`
---
## Archived Spec (Prior Implementation)
# Security Fix: Remove Hardcoded Encryption Keys from Docker Compose Files
**Plan ID**: SEC-2026-001
**Status**: ✅ IMPLEMENTED
**Priority**: Critical (Security)
**Created**: 2026-01-25
**Implemented By**: Management Agent
---
### Summary
Removed hardcoded encryption keys from Docker Compose test files and implemented ephemeral key generation in CI workflows.
### Changes Applied
| File | Change |
|------|--------|
| `.docker/compose/docker-compose.playwright.yml` | Replaced hardcoded key with `${CHARON_ENCRYPTION_KEY:?...}` |
| `.docker/compose/docker-compose.e2e.yml` | Replaced hardcoded key with `${CHARON_ENCRYPTION_KEY:?...}` |
| `.github/workflows/e2e-tests.yml` | Added ephemeral key generation step |
| `.env.test.example` | Added prominent documentation |
### Security Notes
- The old key `ucDWy5ScLubd3QwCHhQa2SY7wL2OF48p/c9nZhyW1mA=` exists in git history (and in this document), so treat it as public: anything encrypted with it can be decrypted by anyone holding a clone
- This key should **NEVER** be used in any environment, production or otherwise, and must not be reintroduced in a "temporary" test config
- Each CI run now generates a unique ephemeral key, so no key material needs to be committed or shared between runs
### Testing
```bash
# Verify compose fails without key
unset CHARON_ENCRYPTION_KEY
docker compose -f .docker/compose/docker-compose.playwright.yml config 2>&1
# Expected: "CHARON_ENCRYPTION_KEY is required"
# Verify compose succeeds with key
export CHARON_ENCRYPTION_KEY=$(openssl rand -base64 32)
docker compose -f .docker/compose/docker-compose.playwright.yml config
# Expected: Valid YAML output
```
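An added example, not Charon's own code, of the guard the compose files now carry (`${CHARON_ENCRYPTION_KEY:?...}`) combined with two checks the testing block above does not make: that the value decodes to exactly 32 bytes (assumed from the `openssl rand -base64 32` generator used above) and that it is not the leaked key. It assumes `openssl` is installed; `gen_ephemeral_key`, `key_is_valid` and `require_encryption_key` are illustrative names, not functions from the repository.

```shell
#!/bin/sh
# Added example, not Charon's code. Requires openssl.
# The key that was committed and is still in git history; it is public now,
# so it is denylisted rather than merely discouraged.
LEAKED_KEY='ucDWy5ScLubd3QwCHhQa2SY7wL2OF48p/c9nZhyW1mA='

# Same generator as the testing block: 32 random bytes, base64-encoded.
gen_ephemeral_key() {
  openssl rand -base64 32
}

# Returns 0 only for a well-formed, non-leaked key:
#   - not the known leaked value
#   - base64 that decodes to exactly 32 bytes (assumed key size)
key_is_valid() {
  key=$1
  [ "$key" != "$LEAKED_KEY" ] || return 1
  n=$(printf '%s' "$key" | openssl base64 -d -A 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ]
}

# The shell equivalent of the compose guard ${CHARON_ENCRYPTION_KEY:?msg}:
# a missing or empty variable aborts with the message, as docker compose does.
# The extra validation then rejects malformed or leaked values that the
# guard alone would accept.
require_encryption_key() {
  : "${CHARON_ENCRYPTION_KEY:?CHARON_ENCRYPTION_KEY is required}"
  key_is_valid "$CHARON_ENCRYPTION_KEY" || {
    echo "CHARON_ENCRYPTION_KEY is malformed or is the leaked test key" >&2
    return 1
  }
}
```

In a CI step the pattern is `export CHARON_ENCRYPTION_KEY=$(gen_ephemeral_key)` followed by `require_encryption_key` before `docker compose` is invoked; locally, the same call catches a developer who has copied the old key out of history into `.env.test`.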
### References
- **OWASP**: [A02:2021 Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)