config: support Ubuntu — distro-agnostic scripts #10
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| { | ||
| "id": "20e26efc", | ||
| "title": "CI job: run setup + tests on Ubuntu droplet per PR", | ||
| "tags": [ | ||
| "infra", | ||
| "ci", | ||
| "ubuntu" | ||
| ], | ||
| "status": "todo", | ||
| "created_at": "2026-02-17T02:30:52.375Z" | ||
| } | ||
|
|
||
| ## Goal | ||
| Add a GitHub Actions workflow that SSHes into the DigitalOcean droplet and runs the full hornet setup + test suite on every PR. | ||
|
|
||
| ## Depends on | ||
| - TODO-cb931656 (manual verification must pass first) | ||
|
|
||
| ## Design decisions needed | ||
| - **Fresh state per run**: `uninstall.sh` at start of each run? Or snapshot/restore? Or ephemeral droplet via DO API? | ||
| - **Secrets**: droplet IP + SSH key stored as GitHub Actions secrets (`DROPLET_IP`, `DROPLET_SSH_KEY`) | ||
| - **Concurrency**: only one CI run at a time on the droplet (use GitHub concurrency group) | ||
| - **Scope**: full setup + test, or just test.sh (setup is slow, ~2-3 min)? | ||
|
|
||
| ## Proposed workflow | ||
| ```yaml | ||
| name: Integration (Ubuntu) | ||
| on: | ||
| pull_request: | ||
| branches: [main] | ||
|
|
||
| concurrency: | ||
| group: droplet-integration | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| integration: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Run on droplet | ||
| env: | ||
| DROPLET_IP: ${{ secrets.DROPLET_IP }} | ||
| SSH_KEY: ${{ secrets.DROPLET_SSH_KEY }} | ||
| run: | | ||
| # SSH into droplet, rsync repo, run uninstall (clean slate), | ||
| # run setup.sh, deploy.sh, test.sh, security-audit.sh | ||
| ``` | ||
|
|
||
| ## Steps | ||
| 1. Create SSH key pair for CI, add public key to droplet | ||
| 2. Add `DROPLET_IP` and `DROPLET_SSH_KEY` as GitHub repo secrets | ||
| 3. Write the workflow file (`.github/workflows/integration.yml`) | ||
| 4. Handle cleanup: uninstall.sh at start of run for clean state | ||
| 5. Fail the PR if any step exits non-zero | ||
| 6. Consider: also run security-audit.sh (some checks need live system) | ||
|
|
||
| ## Open questions | ||
| - Do we want to spin up/destroy droplets per run (more isolated, costs more) or reuse one? | ||
| - Should we test `start.sh` actually booting an agent, or just setup + unit tests? |
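Review bot: the proposed workflow runs the PR branch's own `setup.sh`, `deploy.sh`, `test.sh` and `security-audit.sh` on a persistent droplet over a long-lived key held in `DROPLET_SSH_KEY`, so whatever a PR puts in those scripts executes on the shared host with that key's privileges; before this leaves the design stage, decide who may trigger it (`pull_request` runs from forks do not receive repository secrets, and switching to `pull_request_target` to get them would hand the key to fork code) and prefer the ephemeral-droplet option already listed under design decisions, or at least gate the job behind a GitHub environment with required reviewers. Two smaller points in the same hunk: `cancel-in-progress: true` on a reused droplet can kill a run in the middle of `setup.sh` and leave half-installed state for the next run's `uninstall.sh` to cope with, so either make uninstall idempotent against partial installs or set `cancel-in-progress: false`; and the `run:` step should pin the droplet's SSH host key (a `known_hosts` entry supplied from a secret, with `StrictHostKeyChecking=yes`) rather than trusting whichever host answers at `DROPLET_IP`.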
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| { | ||
| "id": "cb931656", | ||
| "title": "Verify hornet setup on Ubuntu droplet (manual)", | ||
| "tags": [ | ||
| "infra", | ||
| "ubuntu", | ||
| "ci" | ||
| ], | ||
| "status": "todo", | ||
| "created_at": "2026-02-17T02:30:39.055Z", | ||
| "assigned_to_session": "381813d9-c69a-4472-9a00-e232ffb746d1" | ||
| } | ||
|
|
||
| ## Goal | ||
| SSH into the DigitalOcean Ubuntu droplet and manually verify the full hornet setup works end-to-end. | ||
|
|
||
| ## Steps | ||
| 1. SSH into the box as root | ||
| 2. Install prerequisites: `git`, `curl`, `docker`, `iptables`, `tmux` | ||
| 3. Clone the hornet repo | ||
| 4. Run `setup.sh <admin_user>` — creates `hornet_agent` user, installs Node, pi, firewall, etc. | ||
| 5. Create a minimal `.env` with dummy/test values (enough to pass varlock validation) | ||
| 6. Run `bin/deploy.sh` — deploy extensions, skills, bridge to runtime | ||
| 7. Run `bin/test.sh` — all 207 tests must pass | ||
| 8. Run `bin/security-audit.sh` — verify firewall, perms, proc isolation | ||
| 9. Boot the agent: `sudo -u hornet_agent ~/runtime/start.sh` — verify it starts without errors | ||
| 10. Tear down: run `bin/uninstall.sh` to verify clean removal | ||
|
|
||
| ## Success criteria | ||
| - `setup.sh` completes without errors on Ubuntu | ||
| - All tests pass | ||
| - Security audit is clean | ||
| - Agent boots and varlock validates the env | ||
|
|
||
| ## Notes | ||
| - Need droplet IP, root credentials (store securely, don't commit) | ||
| - This is a one-time manual run; the CI todo automates it afterward |
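Review bot: step 9's `sudo -u hornet_agent ~/runtime/start.sh` does not do what the step says when typed in the root shell from step 1, because `~` is expanded by the invoking shell before `sudo` runs and so resolves to `/root/runtime/start.sh`, not the agent user's home; use `sudo -u hornet_agent ~hornet_agent/runtime/start.sh` or `sudo -u hornet_agent bash -lc '~/runtime/start.sh'` so the agent starts from its own home directory. Step 7's `all 207 tests must pass` hard-codes a count that will drift as tests are added; state the criterion as `bin/test.sh` exiting 0 with no failures instead. Step 10's `verify clean removal` also needs concrete checks (after `uninstall.sh`, confirm the `hornet_agent` user, the firewall rules and the test `.env` are gone), and since the run starts as root and `setup.sh <admin_user>` creates an admin user, the success criteria should record whether root SSH login is expected to remain enabled afterwards.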
Bug: The use of `|| true` in `harden-permissions.sh` silences errors from the `chmod` command, potentially leaving sensitive session logs with incorrect permissions without any failure indication.

Severity: HIGH

Suggested Fix

Remove the `|| true` to allow the script to fail correctly if the `chmod` command returns a non-zero exit code. The script should exit with an error if it cannot successfully harden the permissions on the session log files, ensuring that failures are not silent.