fix(ci): notify-chart workflows push to Forgejo, not GitHub

The chart repo (BMCD/tnd-zddc-chart) is mirrored Forgejo→GitHub
one-way (we set this up so the chart matches the same canonical-
on-Forgejo pattern as the public repos). When notify-chart-prod
and notify-chart-dev pushed directly to GitHub, the bump landed
on GitHub but Forgejo never got it — and the next time Forgejo's
push-mirror ran, it force-overwrote GitHub's bump with Forgejo's
older state. Symptom: prod stuck at v0.0.9 even after auto-bump
appeared to succeed; manual investigation showed Chart.yaml
appVersion was actually still 0.0.10 (the previous manual bump
that DID land on Forgejo).

Fix: clone+push to Forgejo (git.varasys.io/BMCD/tnd-zddc-chart)
instead of GitHub. Forgejo's mirror replicates to GitHub on the
next sync — going through the canonical-Forgejo path keeps both
sides in sync. Uses a new CHART_FORGEJO_TOKEN secret (separate
from CHART_GITHUB_TOKEN, which is no longer needed for these
workflows but kept for any future direct-GitHub use case).
ZDDC 2026-05-03 19:39:48 -05:00
parent bf54651fb0
commit 1033d30ad9
2 changed files with 25 additions and 11 deletions
@ -109,9 +109,15 @@ jobs:
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/zddc-server-v') if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/zddc-server-v')
runs-on: host runs-on: host
env: env:
CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }} # Push to Forgejo (BMCD/tnd-zddc-chart on git.varasys.io), NOT
# directly to GitHub. The chart repo is mirrored Forgejo→GitHub
# one-way; pushing directly to GitHub would be silently overwritten
# the next time Forgejo's mirror syncs (force-push semantics).
# The runner reaches git.varasys.io via the caddy-net network it
# joined when the runner container was provisioned.
CHART_FORGEJO_TOKEN: ${{ secrets.CHART_FORGEJO_TOKEN }}
steps: steps:
- name: Auto-bump tnd-zddc-chart appVersion on main + develop - name: Auto-bump tnd-zddc-chart appVersion on main + develop (via Forgejo)
run: | run: |
set -eu set -eu
VERSION="${GITHUB_REF#refs/tags/zddc-server-v}" VERSION="${GITHUB_REF#refs/tags/zddc-server-v}"
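Review bot: the new env comment covers how the runner reaches git.varasys.io but not what CHART_FORGEJO_TOKEN is allowed to do; since this job pushes to both main and develop of BMCD/tnd-zddc-chart, state the intended scope in the same comment (write access to that one repository and nothing broader) so whoever rotates it does not mint a user-wide token. It would also help to say there that CHART_GITHUB_TOKEN is intentionally dropped from this job's env, as the commit message explains, so a later reader does not re-add it.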
@ -119,8 +125,8 @@ jobs:
# Sanity: make sure the secret was injected. If not, fail loud # Sanity: make sure the secret was injected. If not, fail loud
# (rather than silently failing on the git push later). # (rather than silently failing on the git push later).
if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then if [ -z "${CHART_FORGEJO_TOKEN:-}" ]; then
echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2 echo "::error::CHART_FORGEJO_TOKEN secret not set on this repo" >&2
exit 1 exit 1
fi fi
@ -131,6 +137,9 @@ jobs:
# dev images both rebuild against the new ZDDC stable. Loop # dev images both rebuild against the new ZDDC stable. Loop
# is idempotent per-branch — if a branch's appVersion already # is idempotent per-branch — if a branch's appVersion already
# matches the new version, it's a no-op for that branch. # matches the new version, it's a no-op for that branch.
# The push goes to Forgejo (BMCD/tnd-zddc-chart on
# git.varasys.io); Forgejo's push-mirror replicates the bump
# to GitHub on the next sync (which is sync_on_commit: true).
TMP=$(mktemp -d) TMP=$(mktemp -d)
cd "$TMP" cd "$TMP"
for BRANCH in main develop; do for BRANCH in main develop; do
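Review bot: the comment `# to GitHub on the next sync (which is sync_on_commit: true)` documents a setting that lives in the chart repo's push-mirror configuration on git.varasys.io, not in this repository, so nothing in this workflow fails if someone changes it; say where it is configured. Since the incident in the commit message came from the GitHub copy being writable by a token, it is worth noting in the same comment that the GitHub side should be treated as read-only (no write tokens, branch protection) so a direct push there cannot silently diverge from Forgejo again.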
@ -138,7 +147,7 @@ jobs:
echo "=== bumping $BRANCH ===" echo "=== bumping $BRANCH ==="
rm -rf tnd-zddc-chart rm -rf tnd-zddc-chart
git clone --depth=20 --branch="$BRANCH" \ git clone --depth=20 --branch="$BRANCH" \
"https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git" "https://oauth2:${CHART_FORGEJO_TOKEN}@git.varasys.io/BMCD/tnd-zddc-chart.git"
cd tnd-zddc-chart cd tnd-zddc-chart
CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/') CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
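Review bot: the token is embedded in the clone URL at `"https://oauth2:${CHART_FORGEJO_TOKEN}@git.varasys.io/BMCD/tnd-zddc-chart.git"`, so git stores it in plaintext as the `origin` remote URL in the clone's .git/config and includes the URL in some of its failure messages. Supplying it through a credential helper or GIT_ASKPASS instead keeps the token out of the on-disk config and out of error output in the job log.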
@ -166,6 +175,6 @@ jobs:
-m "Triggered by zddc-server-v$VERSION tag push on git.varasys.io/VARASYS/ZDDC. Bumps appVersion so the $BRANCH-branch image is tagged zddc:$VERSION, ensuring kubelet pulls a fresh image on the next helm upgrade. Chart version bumped to $NEW_CHART_VER (patch) so JFrog has a clean chart history per deploy." \ -m "Triggered by zddc-server-v$VERSION tag push on git.varasys.io/VARASYS/ZDDC. Bumps appVersion so the $BRANCH-branch image is tagged zddc:$VERSION, ensuring kubelet pulls a fresh image on the next helm upgrade. Chart version bumped to $NEW_CHART_VER (patch) so JFrog has a clean chart history per deploy." \
-m "Auto-generated by .forgejo/workflows/deploy-release.yml's notify-chart-prod job. Do not edit manually — the next ZDDC stable cut will overwrite this commit's changes." -m "Auto-generated by .forgejo/workflows/deploy-release.yml's notify-chart-prod job. Do not edit manually — the next ZDDC stable cut will overwrite this commit's changes."
git push origin "$BRANCH" git push origin "$BRANCH"
echo " pushed $BRANCH bump - BMCD pipeline-$([ \"$BRANCH\" = main ] && echo prod || echo dev) will fire" echo " pushed $BRANCH bump to Forgejo - mirror replicates to GitHub - BMCD pipeline-$([ \"$BRANCH\" = main ] && echo prod || echo dev) will fire"
cd .. cd ..
done done
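Review bot: nothing in the visible lines removes `$TMP` after the loop, and because each clone's .git/config carries the token in its remote URL, that directory outlives the job on a `runs-on: host` runner; add `trap 'rm -rf "$TMP"' EXIT` right after `TMP=$(mktemp -d)` so the clone and its credential are deleted on success and also when `set -eu` aborts the loop part-way through.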
@ -23,7 +23,12 @@ jobs:
notify-chart-dev: notify-chart-dev:
runs-on: host runs-on: host
env: env:
CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }} # Push to Forgejo (BMCD/tnd-zddc-chart on git.varasys.io), NOT
# directly to GitHub. See notify-chart-prod's comment in
# deploy-release.yml for the full rationale (mirror is one-way
# Forgejo→GitHub; direct GitHub pushes get silently overwritten
# on the next mirror sync).
CHART_FORGEJO_TOKEN: ${{ secrets.CHART_FORGEJO_TOKEN }}
steps: steps:
- name: Checkout (need tags to detect stable cut) - name: Checkout (need tags to detect stable cut)
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -47,8 +52,8 @@ jobs:
run: | run: |
set -eu set -eu
if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then if [ -z "${CHART_FORGEJO_TOKEN:-}" ]; then
echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2 echo "::error::CHART_FORGEJO_TOKEN secret not set on this repo" >&2
exit 1 exit 1
fi fi
@ -68,7 +73,7 @@ jobs:
TMP=$(mktemp -d) TMP=$(mktemp -d)
cd "$TMP" cd "$TMP"
git clone --depth=20 --branch=develop \ git clone --depth=20 --branch=develop \
"https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git" "https://oauth2:${CHART_FORGEJO_TOKEN}@git.varasys.io/BMCD/tnd-zddc-chart.git"
cd tnd-zddc-chart cd tnd-zddc-chart
# Idempotent: same SHA ⇒ same version ⇒ no-op. # Idempotent: same SHA ⇒ same version ⇒ no-op.
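Review bot: same credential-in-URL concern as in deploy-release.yml: the clone at `"https://oauth2:${CHART_FORGEJO_TOKEN}@git.varasys.io/BMCD/tnd-zddc-chart.git"` leaves the token in the clone's .git/config remote URL, where a shallow clone failure can also print it; a credential helper or GIT_ASKPASS keeps it off disk and out of the log.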
@ -97,4 +102,4 @@ jobs:
-m "Triggered by push to git.varasys.io/VARASYS/ZDDC main with embedded/* changes (a ./build beta cut). Bumps appVersion so the dev Docker image is tagged zddc:$BETA_VERSION, ensuring kubelet pulls a fresh image on the next helm upgrade." \ -m "Triggered by push to git.varasys.io/VARASYS/ZDDC main with embedded/* changes (a ./build beta cut). Bumps appVersion so the dev Docker image is tagged zddc:$BETA_VERSION, ensuring kubelet pulls a fresh image on the next helm upgrade." \
-m "Auto-generated by .forgejo/workflows/notify-chart-dev.yml. The next ZDDC beta or stable cut will overwrite this." -m "Auto-generated by .forgejo/workflows/notify-chart-dev.yml. The next ZDDC beta or stable cut will overwrite this."
git push origin develop git push origin develop
echo "pushed chart develop bump - BMCD pipeline-dev will fire" echo "pushed chart develop bump to Forgejo - mirror replicates to GitHub - BMCD pipeline-dev will fire"
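Review bot: the push and the echo are the last lines of the script, and no line here deletes the `$TMP` clone that holds the token in its .git/config on the host runner; a `trap 'rm -rf "$TMP"' EXIT` placed after `TMP=$(mktemp -d)` covers both the success path and an early exit from `set -eu`.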