Skip to content

Clean up tooling, deploy assets, docs#87

Merged
grubermeister merged 6 commits into
stagingfrom
mpc-comfyops-1-staging
Jul 3, 2026
Merged

Clean up tooling, deploy assets, docs#87
grubermeister merged 6 commits into
stagingfrom
mpc-comfyops-1-staging

Conversation

@grubermeister

Copy link
Copy Markdown
Collaborator

This PR cleans up the tooling surface (specifically around our current target, the ASCC). I've removed stale comparison code and artifacts, deployment assets have gone into a dedicated deploy/ directory, updates to dependency and verification gates, then refreshed developer/operator documentation.

Commit Summary

1206d4e - Simplify ASCC CLI workflows and require explicit bundle imports.

Reworks tools/ascc_cli.py around clearer ASCC commands. Adds tools/ascc_pipeline/ helpers for command dispatch, paths, manifests, and checks. Updates ./woco ascc, data push/reload wrappers, and related ASCC tests/docs.

817864c - Remove dead ASCC comparison pipeline.

Deletes the old comparison pipeline, manifests, listing parser, tests, and comparison docs. Updates ASCC/v1 tooling references so active workflows no longer point at removed comparison code.

713f319 - Clean up stale artifacts, update compatible dependencies, and add reliable frontend/tool verification gates.

Removes stale generated/local artifacts such as .DS_Store, root package-lock.json, frontend/bun.lockb, and old test-user SQL. Updates Python/frontend dependency locks. Expands GitHub Actions checks for frontend lint/typecheck/tests/build and tools tests.

0e6c408 - Clean up to the overall deployment pipeline.

Moves deployment scripts and systemd/nginx assets from tools/ to deploy/. Updates CI deploy paths and deployment docs. Removes obsolete Postman collection/environment files.

a50e090 - Big documentation update, general repo cleanup.

Refreshes README, build, deploy, runbook, tools, pipeline, model, design, and public docs. Adds docs/devel/README.md as the developer/operator docs index. Adds ./woco setup and ./woco secretkey support with setup scripts and env docs. Removes superseded auth/staging/scope docs and relocates v1 reference docs.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown

Code review overview

  • Syntax Errors - Score - 9/10
  • Code Smells - Score - 8/10
  • Bugs - Score - 8/10
  • Security Vulnerabilities - Score - 7/10

Syntax Errors

Minor issue found:

  • File: docs/devel/model.md, ER diagram section (near bottom of diff)
  • Location: The markings entity block in the Mermaid diagram
  • Why it matters: The line boolean is_manuscript string desc is missing a newline between two fields. This will cause the Mermaid renderer to either fail or silently misparse the diagram.
  • Suggested fix: Split into two separate lines:
    boolean is_manuscript
    string desc
    

Code Smells

Finding 1:

  • File: .github/workflows/build-and-deploy.yml and deploy-prod.yml
  • Location: Both workflow files are nearly identical (duplicated build/verify steps)
  • Why it matters: The Verify frontend, Verify tools, Django system checks, and Upload frontend build steps are copy-pasted between the two workflow files. Any future change must be applied in two places.
  • Suggested fix: Extract the shared build/verify steps into a reusable workflow (using workflow_call) or a composite action.

Finding 2:

  • File: backend/common/api/v2/views.py
  • Location: MarkingViewSet.search_fields, comment on removed catalog_txt
  • Why it matters: The comment says "Search intentionally skips source catalog text" but catalog_txt was the field that contained rate/aux keywords. Removing it changes search behavior without a test asserting the intent. The intent is only documented in a comment.
  • Suggested fix: Add a regression test covering the search exclusion so the intent is enforced, not just described.

Bugs

Finding 1:

  • File: .github/workflows/build-and-deploy.yml and deploy-prod.yml
  • Location: actions/checkout@v7, actions/setup-node@v6, actions/upload-artifact@v7
  • Why it matters: As of the time of this review, actions/checkout is at v4, actions/setup-node is at v4, and actions/upload-artifact is at v4. Bumping to v5, v6, or v7 references versions that do not exist and will cause workflow failures at runtime with a cryptic "Unable to resolve action" error.
  • Suggested fix: Pin to the latest known-good major versions (actions/checkout@v4, actions/setup-node@v4, actions/upload-artifact@v4) and verify each version exists on the GitHub Marketplace before merging.

Finding 2:

  • File: docs/devel/BUILD.md
  • Location: "Environment Files" section
  • Why it matters: The doc says backend/.env "wins" over repo-root .env because python-decouple "searches upward." python-decouple's Config(RepositoryEnv(...)) does not search upward by default; it reads exactly the file you point it at. If settings.py uses config(...) without an explicit path, decouple reads the first .env found relative to the CWD, not a hierarchical search. This could mislead operators into placing secrets in the wrong file.
  • Suggested fix: Verify the actual decouple search behavior in backend/woco/settings.py and document the exact mechanism (e.g., whether os.chdir or search_path is used) rather than describing it as a generic upward search.

Security Vulnerabilities

Finding 1:

  • File: docs/devel/AUTH_SYNC.md (deleted in this PR) → content moved to docs/devel/RUNBOOK.md
  • Location: RUNBOOK.md, "Auth Sync Between Hosts" section; also the now-deleted AUTH_SYNC.md
  • Why it matters: The deleted AUTH_SYNC.md contained a hardcoded SSH public key (ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNGHm/OjKF0joBSY+5j++fU94plM8DGv3mKOETTovHQ reese@DESKTOP-MVE0I6R). While a public key is not itself a secret, embedding a named individual's public key in a repo doc creates a permanent git-history record that associates an identity with infrastructure access. The new RUNBOOK.md correctly omits this key, but the key remains in git history on any branch that included AUTH_SYNC.md.
  • Suggested fix: If this key should not be discoverable, consider a git filter-repo or BFG Repo Cleaner pass to scrub it from history, and confirm with the key owner.

Finding 2:

  • File: .env.example
  • Location: DJANGO_SECRET_KEY= line
  • Why it matters: The example file ships with an empty secret key value. If a developer copies .env.example to .env and starts the app before filling in the key, Django will raise ImproperlyConfigured (correct behavior per the comment), but if some future code path provides a fallback empty string, the app would start with no secret key. This is a defense-in-depth concern, not an immediate bug.
  • Suggested fix: The current approach (no default in settings.py, config("DJANGO_SECRET_KEY") with no fallback) is correct. Confirm there is no accidental fallback anywhere in the settings chain.

Finding 3:

  • File: deploy/provision.sh
  • Location: General
  • Why it matters: The script runs as root and writes secrets (backend/.env, mysql.cnf) to disk. It is not visible in this diff whether file permissions on those secrets are tightly scoped (e.g., chmod 600, owned by wocod). If world-readable, credentials are exposed to any process on the host.
  • Suggested fix: Ensure the provision script sets chmod 600 and chown wocod:wocod on both backend/.env and mysql.cnf immediately after writing them.

Note: this PR's diff exceeded the review size limit; only the first 200,000 characters were reviewed.

@grubermeister

Copy link
Copy Markdown
Collaborator Author

"Bugs" section of autoreview feedback says these do not exist:

actions/checkout@v7
actions/setup-node@v6
actions/upload-artifact@v7

Those releases do exist now: checkout has v7.0.0, setup-node has v6.4.0, and upload-artifact has v7.0.1 listed in their release pages. Sources: checkout releases, setup-node releases, upload-artifact releases.

What it missed was a real version-numbering bug:
uses: astral-sh/setup-uv@v8
setup-uv v8 explicitly stopped publishing major/minor tags, so @v8 is invalid. Their release notes say to use astral-sh/setup-uv@v8.0.0 or a commit hash. Source: setup-uv releases. I have gone ahead and made that change in the latest commit to this PR. All tests pass, so should be clear to deploy now.

@grubermeister grubermeister merged commit 8ef82c1 into staging Jul 3, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant