Stability checkpoint — Q2 OVH activated + observability shipped + 4 CI fixes
Waves landed since stable-v1.0.38 (2026-04-23) :
✨ Features
- ADR-0054 + activation : GitLab Observability dual-sink (free beta).
Endpoint hardcoded for mirador1 group ; reviewers see traces/metrics/
logs in https://gitlab.com/groups/mirador1/-/observability without
cloning the repo.
♻️ Refactoring
- release-please removed entirely (GitHub-API-only, 401 on GitLab PAT).
Replaced by bin/ship/ shell scripts (changelog.sh + gitlab-release.sh).
ADR-0055 documents the trade-offs vs semantic-release / git-cliff.
🐛 Bug fixes
- openapi-lint : hardcoded -Dspring.datasource.{username,password,url}
on the java -jar command line. DB_PASSWORD env var wasn't being
inherited by the JVM somehow → 5 main pipelines failed identically
with "FATAL: password authentication failed for user demo" despite
psql probe succeeding seconds before. -D bypass works.
- ci/lint.yml : added postgresql-client + psql auth probe right before
java -jar to verify demo user is provisioned (was the first hypothesis,
necessary but not sufficient).
- ci/deploy.yml terraform-plan : dropped -var=db_password (GCP module
no longer declares it ; Cloud SQL was removed in favour of in-cluster
postgres). Surface'd after TF_STATE_BUCKET was wired.
- bin/ship/changelog.sh : fixed silent exit on chore/ci/build/style
commits (set -e + [ 0 -eq 1 ] killed $(classify) callers without
--include-chore). Plus regex grep that was always falling through.
- bin/ship/gitlab-release.sh : wrap $TAG in braces — bash was reading
$TAG followed by … (horizontal ellipsis) as a single variable name.
🌍 OVH (Q2 activation)
- terraform-plan UUID fix : `regions_attributes[*].openstackid` instead
of the vRack-style .id (which OVH API rejects as "not a correct uuid").
- node_flavor lowercase : `b2-7` not `B2-7` (OVH API case-sensitive).
- README documents real per-resource timings : apply ~12 min total
(network 48s + subnet 4s + kube 4m55s + nodepool 6m45s) ; destroy
~2m08s. ~40% faster than GKE Autopilot.
📚 Documentation
- ADR-0054 (GitLab Observability dual-export) : decision + 4 alternatives
- ADR-0055 (shell-based release automation) : revisit triggers explicit
- ADR-0050 status refresh (UI Phase B-4 done + release-please pruned)
- docs/how-to/changelog-workflow.md : 5-step release workflow
- ADR-README documents the 0045/0046 reserved-never-drafted gap
🚦 CI hygiene
- workflow:rules allowlists : .gitlab-ci/**/* on UI (was missing → MRs
changing test.yml/security.yml merged silently with stale validation).
- Stability-check section_file_length : added .owasp-data/ + .terraform/
to allowlist (auto-generated NVD cache + terraform provider artefacts).
Post-merge main pipeline #765 green on SHA 6a50817 (MR !174 merge with
all the openapi-lint + terraform-plan fixes).