diff --git a/.forgejo/workflows/deploy-release.yml b/.forgejo/workflows/deploy-release.yml
index b88155f..aee4cfe 100644
--- a/.forgejo/workflows/deploy-release.yml
+++ b/.forgejo/workflows/deploy-release.yml
@@ -87,3 +87,82 @@ jobs:
 curl -ksI --connect-to "zddc.varasys.io:8443:caddy:8443" \
 "https://zddc.varasys.io:8443/releases/archive_${MIRROR}.html" \
 | head -3
+
+ # On a stable cut (tag push), auto-bump tnd-zddc-chart's appVersion to
+ # match the new ZDDC version, then push to the chart's main branch.
+ # The chart's pipeline-prod fires automatically on its own main push,
+ # rebuilds the prod Docker image with a new tag (image tag derives from
+ # Chart.AppVersion), and helm rolls the deployment. Net effect: a
+ # single ZDDC stable cut deploys to BMCD prod with zero manual steps
+ # on the chart repo. Dispatch-only invocations of this workflow
+ # (workflow_dispatch with channel=release) skip — the chart bump is
+ # only meaningful when the actual git tag exists at refs/tags/.
+ notify-chart-prod:
+ needs: build-and-deploy
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/zddc-server-v')
+ runs-on: host
+ env:
+ CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
+ steps:
+ - name: Auto-bump tnd-zddc-chart appVersion + push to chart main
+ run: |
+ set -eu
+ VERSION="${GITHUB_REF#refs/tags/zddc-server-v}"
+ echo "ZDDC stable cut: $VERSION"
+
+ # Sanity: make sure the secret was injected. If not, fail loud
+ # (rather than silently failing on the git push later).
+ if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
+ echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
+ exit 1
+ fi
+
+ # Clone tnd-zddc-chart into a tmp workspace. Shallow is fine —
+ # we only ever produce one commit on top of main.
+ TMP=$(mktemp -d)
+ cd "$TMP"
+ git clone --depth=20 --branch=main \
+ "https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
+ cd tnd-zddc-chart
+
+ # Idempotent: skip if appVersion already matches the new ZDDC
+ # version (e.g. if the operator already manually bumped it, or
+ # this job is being re-run on the same tag).
+ CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
+ if [ "$CURRENT" = "$VERSION" ]; then
+ echo "Chart appVersion already at $VERSION; nothing to do"
+ exit 0
+ fi
+
+ # Bump appVersion to track ZDDC stable. Also bump the chart's
+ # own version (patch) so each deploy carries a unique chart
+ # identity in JFrog — clean release history vs. silent rev
+ # within the same chart version.
+ sed -i "s/^appVersion: .*/appVersion: \"$VERSION\"/" chart/Chart.yaml
+ OLD_CHART_VER=$(grep '^version:' chart/Chart.yaml | awk '{print $2}')
+ MAJ=$(echo "$OLD_CHART_VER" | cut -d. -f1)
+ MIN=$(echo "$OLD_CHART_VER" | cut -d. -f2)
+ PAT=$(echo "$OLD_CHART_VER" | cut -d. -f3)
+ NEW_PAT=$((PAT + 1))
+ NEW_CHART_VER="$MAJ.$MIN.$NEW_PAT"
+ sed -i "s/^version: .*/version: $NEW_CHART_VER/" chart/Chart.yaml
+
+ echo " appVersion: $CURRENT → $VERSION"
+ echo " version: $OLD_CHART_VER → $NEW_CHART_VER"
+
+ git config user.name "ZDDC Release Bot"
+ git config user.email "noreply@zddc.varasys.io"
+ git add chart/Chart.yaml
+ git commit -m "chore(chart): auto-bump appVersion to $VERSION (ZDDC stable cut)
+
+Triggered by zddc-server-v$VERSION tag push on git.varasys.io/VARASYS/ZDDC.
+Bumps Chart.yaml so the prod Docker image is tagged \`zddc:$VERSION\`,
+ensuring kubelet pulls a fresh image on the next helm upgrade. Chart
+\`version\` bumped to $NEW_CHART_VER (patch) so JFrog has a clean
+chart history per deploy.
+
+Auto-generated by .forgejo/workflows/deploy-release.yml's
+notify-chart-prod job. Do not edit manually — the next ZDDC stable
+cut will overwrite this commit's changes."
+ git push origin main
+ echo "✓ pushed chart appVersion bump → BMCD pipeline-prod will fire"
diff --git a/.forgejo/workflows/notify-chart-dev.yml b/.forgejo/workflows/notify-chart-dev.yml
new file mode 100644
index 0000000..c32dce2
--- /dev/null
+++ b/.forgejo/workflows/notify-chart-dev.yml
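Review bot: The clone URL `https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git` puts the token on git's command line and into the `.git/config` of the clone under `$TMP`, and nothing in the step removes that directory. With `runs-on: host`, which suggests a long-lived machine rather than a throwaway container, the push credential for the prod chart's `main` would then stay on disk after the job. The clone in notify-chart-dev.yml follows the same pattern. Supplying the token through a credential helper that reads it from the environment, plus a `trap` that deletes `$TMP` on exit, keeps it out of both places; the changed lines for this step are sketched below.

```yaml
          TMP=$(mktemp -d)
          # Remove the clone (and anything git stored in it) when the step exits.
          trap 'rm -rf "$TMP"' EXIT
          cd "$TMP"
          # The helper is stored as text and reads the token from the
          # environment only when git asks for credentials.
          CRED_HELPER='!f() { echo "username=oauth2"; echo "password=${CHART_GITHUB_TOKEN}"; }; f'
          git -c credential.helper="$CRED_HELPER" clone --depth=20 --branch=main \
            "https://github.com/burnsmcd/tnd-zddc-chart.git"
          cd tnd-zddc-chart
          git config credential.helper "$CRED_HELPER"
          # … unchanged: appVersion/version bump, commit, git push origin main …
```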
@@ -0,0 +1,105 @@
+name: Notify chart dev on beta cut
+
+# Mirrors deploy-release.yml's notify-chart-prod job, but for beta.
+# Triggers when a push to ZDDC main touches zddc/internal/apps/embedded/*
+# — i.e. a `./build beta` cut whose embedded artifacts the operator
+# committed to main. Pushes a chart appVersion bump to the chart's
+# develop branch, which fires BMCD's pipeline-dev → dev image rebuilt
+# with the new beta-labeled bytes baked in.
+#
+# Stable cuts ALSO touch embedded/, but their workflow path is the
+# tag-triggered notify-chart-prod in deploy-release.yml. To avoid
+# double-firing when a stable cut pushes main + tags together, we
+# check if HEAD has a zddc-server-v* tag and skip if so — the
+# stable workflow handles the chart bump in that case.
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - 'zddc/internal/apps/embedded/**'
+
+jobs:
+ notify-chart-dev:
+ runs-on: host
+ env:
+ CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
+ steps:
+ - name: Checkout (need tags to detect stable cut)
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Detect cut type (skip if HEAD has stable tag)
+ id: gate
+ run: |
+ set -eu
+ if git tag --points-at HEAD | grep -q '^zddc-server-v'; then
+ echo "is_beta=false" >> "$GITHUB_OUTPUT"
+ echo "HEAD has zddc-server-v* tag — stable workflow handles this; skipping dev notify"
+ else
+ echo "is_beta=true" >> "$GITHUB_OUTPUT"
+ echo "No stable tag at HEAD; treating as beta cut"
+ fi
+
+ - name: Auto-bump chart develop appVersion + push
+ if: steps.gate.outputs.is_beta == 'true'
+ run: |
+ set -eu
+
+ if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
+ echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
+ exit 1
+ fi
+
+ # Compose a beta version string that's unique per ZDDC commit.
+ # Uses the next-stable target (max of latest tag + 1, mirrors
+ # ./build's _coordinated_next_stable) and the short SHA.
+ # Example: "0.0.11-beta-c099676". Always unique per push.
+ LATEST_STABLE=$(git tag --list 'zddc-server-v*' --sort=-v:refname | head -1)
+ MAJ=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f1)
+ MIN=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f2)
+ PAT=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f3)
+ NEXT_STABLE="$MAJ.$MIN.$((PAT + 1))"
+ SHORT_SHA=$(git rev-parse --short=7 HEAD)
+ BETA_VERSION="${NEXT_STABLE}-beta-${SHORT_SHA}"
+ echo "ZDDC beta cut: $BETA_VERSION (HEAD=$(git rev-parse HEAD))"
+
+ TMP=$(mktemp -d)
+ cd "$TMP"
+ git clone --depth=20 --branch=develop \
+ "https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
+ cd tnd-zddc-chart
+
+ # Idempotent: same SHA ⇒ same version ⇒ no-op.
+ CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
+ if [ "$CURRENT" = "$BETA_VERSION" ]; then
+ echo "Chart develop already at $BETA_VERSION; nothing to do"
+ exit 0
+ fi
+
+ sed -i "s/^appVersion: .*/appVersion: \"$BETA_VERSION\"/" chart/Chart.yaml
+ OLD_CHART_VER=$(grep '^version:' chart/Chart.yaml | awk '{print $2}')
+ MAJC=$(echo "$OLD_CHART_VER" | cut -d. -f1)
+ MINC=$(echo "$OLD_CHART_VER" | cut -d. -f2)
+ PATC=$(echo "$OLD_CHART_VER" | cut -d. -f3)
+ NEW_CHART_VER="$MAJC.$MINC.$((PATC + 1))"
+ sed -i "s/^version: .*/version: $NEW_CHART_VER/" chart/Chart.yaml
+
+ echo " appVersion: $CURRENT → $BETA_VERSION"
+ echo " version: $OLD_CHART_VER → $NEW_CHART_VER"
+
+ git config user.name "ZDDC Release Bot"
+ git config user.email "noreply@zddc.varasys.io"
+ git add chart/Chart.yaml
+ git commit -m "chore(chart): auto-bump appVersion to $BETA_VERSION (ZDDC beta cut)
+
+Triggered by push to git.varasys.io/VARASYS/ZDDC main with
+embedded/* changes (a \`./build beta\` cut). Bumps Chart.yaml so
+the dev Docker image is tagged \`zddc:$BETA_VERSION\`, ensuring
+kubelet pulls a fresh image on the next helm upgrade.
+
+Auto-generated by .forgejo/workflows/notify-chart-dev.yml. The
+next ZDDC beta or stable cut will overwrite this."
+ git push origin develop
+ echo "✓ pushed chart develop bump → BMCD pipeline-dev will fire"
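Review bot: As this hunk is shown, the body lines of the `git commit -m "…"` message (from `Triggered by push to …` through `next ZDDC beta or stable cut will overwrite this."`) start at column 0, which would end the `run: |` block scalar early and leave the workflow file unparseable; whitespace is flattened on this page, so confirm against the file itself. The notify-chart-prod step added to deploy-release.yml has the same layout. Indenting those lines to the column of `git commit` is enough, because the block scalar strips the common indent and the message text reaches the shell unchanged; one `-m` argument per paragraph would also work. Consider too moving `CHART_GITHUB_TOKEN` from the job-level `env:` into the bump step's own `env:`, since the `actions/checkout@v4` and gate steps do not need it.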