ci(gitea): add deploy-node1-runtime workflow with hard phase6 gate

2026-03-05 10:40:06 -08:00
parent 72e74635cf
commit 5b3a7e3998
2 changed files with 253 additions and 0 deletions
--- a/docs/ops/deploy_gate.md
+++ b/docs/ops/deploy_gate.md
@@ -0,0 +1,45 @@
+# Deploy Gate (Gitea)
+
+## Purpose
+
+`deploy-node1-runtime` is a hard release gate for NODA1 runtime changes:
+
+1. `deploy` job syncs target git ref on NODA1 (and can optionally rebuild `gateway` + `experience-learner`).
+2. `phase6_gate` job runs `make phase6-smoke` on NODA1.
+3. If `phase6_gate` fails, the workflow fails.
+
+This prevents a deploy from being considered successful without a Phase-6 closed-loop smoke pass.
+
+## Workflow
+
+File: `.gitea/workflows/deploy-node1-runtime.yml`
+
+Manual trigger inputs:
+
+- `deploy_ref` (default: `main`)
+- `redeploy_runtime` (default: `false`)
+- `ssh_host` (optional override)
+- `ssh_user` (optional override, default `root`)
+
+Required repo secrets:
+
+- `NODA1_SSH_HOST`
+- `NODA1_SSH_USER`
+- `NODA1_SSH_KEY`
+
+## Safety notes
+
+- `redeploy_runtime=false` only syncs git on NODA1 and runs gate checks.
+- `redeploy_runtime=true` recreates `gateway` and `experience-learner` containers.
+- Workflow uses SSH key validation and `IdentitiesOnly=yes` to avoid host key collisions.
+
+## Expected PASS
+
+- `deploy` job: successful SSH sync of selected `deploy_ref`.
+- `phase6_gate` job: `make phase6-smoke` returns PASS.
+- Workflow conclusion: `success`.
+
+## Failure handling
+
+- SSH/network issues: one retry is attempted in gate step.
+- Gate FAIL: treat as release blocker, inspect `artifacts/phase6-gate*.log`.