From 2f9f26a54481b4edc6cca68356a064e88d2272d6 Mon Sep 17 00:00:00 2001 
From: ZDDC Date: Sun, 3 May 2026 18:16:50 -0500 Subject: [PATCH] ci: auto-bump tnd-zddc-chart appVersion on ZDDC cut MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes the loop on the user-described workflow: 1. Iterate on tools / cut alpha → no chart involvement. 2. `./build beta` → embedded/ commits to ZDDC main → notify-chart-dev.yml pushes a chart appVersion bump to burnsmcd/tnd-zddc-chart's develop branch → BMCD pipeline-dev fires automatically → dev image rebuilt with new beta bytes baked in. 3. `./build release` → tag pushed → existing deploy-release.yml's new notify-chart-prod job pushes a chart appVersion bump to burnsmcd/tnd-zddc-chart's main branch → BMCD pipeline-prod fires automatically → prod image rebuilt with new stable bytes. The chart repo IS still committed to (one Chart.yaml line, auto- generated by either workflow), but no human ever touches it for routine ZDDC releases. The chart commits are idempotent (skip if appVersion already at target) and clearly marked as bot-generated. The truly chart-commit-free version would require either (a) BMCD's private helm-deploy-latest reusable to accept --set overrides we'd compute, or (b) bypassing it entirely with our own helm step. Both are deeper changes than this PR; this is the simplest reliable solution within the existing reusable. Auth: a new repo-scoped Forgejo Actions secret CHART_GITHUB_TOKEN holds the classic GitHub PAT (already provisioned for the Forgejo→GitHub mirror; same token, repo+workflow scopes, SAML-SSO authorized for burnsmcd). The bot identity is 'ZDDC Release Bot '. Tested behavior: - Workflow files are added by THIS commit. Pushing this commit does not fire either workflow (notify-chart-prod requires a tag; notify-chart-dev requires changes under zddc/internal/apps/embedded/). Safe to land before testing. - First real test fires on the next ZDDC stable cut or beta cut. 
---
 .forgejo/workflows/deploy-release.yml | 79 ++++++++++++++++++
 .forgejo/workflows/notify-chart-dev.yml | 105 ++++++++++++++++++++++++
 2 files changed, 184 insertions(+)
 create mode 100644 .forgejo/workflows/notify-chart-dev.yml
diff --git a/.forgejo/workflows/deploy-release.yml b/.forgejo/workflows/deploy-release.yml
index b88155f..aee4cfe 100644
--- a/.forgejo/workflows/deploy-release.yml
+++ b/.forgejo/workflows/deploy-release.yml
@@ -87,3 +87,82 @@ jobs:
 curl -ksI --connect-to "zddc.varasys.io:8443:caddy:8443" \
 "https://zddc.varasys.io:8443/releases/archive_${MIRROR}.html" \
 | head -3
+
+ # On a stable cut (tag push), auto-bump tnd-zddc-chart's appVersion to
+ # match the new ZDDC version, then push to the chart's main branch.
+ # The chart's pipeline-prod fires automatically on its own main push,
+ # rebuilds the prod Docker image with a new tag (image tag derives from
+ # Chart.AppVersion), and helm rolls the deployment. Net effect: a
+ # single ZDDC stable cut deploys to BMCD prod with zero manual steps
+ # on the chart repo. Dispatch-only invocations of this workflow
+ # (workflow_dispatch with channel=release) skip — the chart bump is
+ # only meaningful when the actual git tag exists at refs/tags/.
+ notify-chart-prod:
+ needs: build-and-deploy
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/zddc-server-v')
+ runs-on: host
+ env:
+ CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
+ steps:
+ - name: Auto-bump tnd-zddc-chart appVersion + push to chart main
+ run: |
+ set -eu
+ VERSION="${GITHUB_REF#refs/tags/zddc-server-v}"
+ echo "ZDDC stable cut: $VERSION"
+
+ # Sanity: make sure the secret was injected. If not, fail loud
+ # (rather than silently failing on the git push later).
+ if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
+ echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
+ exit 1
+ fi
+
+ # Clone tnd-zddc-chart into a tmp workspace. Shallow is fine —
+ # we only ever produce one commit on top of main.
+ TMP=$(mktemp -d)
+ cd "$TMP"
+ git clone --depth=20 --branch=main \
+ "https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
+ cd tnd-zddc-chart
+
+ # Idempotent: skip if appVersion already matches the new ZDDC
+ # version (e.g. if the operator already manually bumped it, or
+ # this job is being re-run on the same tag).
+ CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
+ if [ "$CURRENT" = "$VERSION" ]; then
+ echo "Chart appVersion already at $VERSION; nothing to do"
+ exit 0
+ fi
+
+ # Bump appVersion to track ZDDC stable. Also bump the chart's
+ # own version (patch) so each deploy carries a unique chart
+ # identity in JFrog — clean release history vs. silent rev
+ # within the same chart version.
+ sed -i "s/^appVersion: .*/appVersion: \"$VERSION\"/" chart/Chart.yaml
+ OLD_CHART_VER=$(grep '^version:' chart/Chart.yaml | awk '{print $2}')
+ MAJ=$(echo "$OLD_CHART_VER" | cut -d. -f1)
+ MIN=$(echo "$OLD_CHART_VER" | cut -d. -f2)
+ PAT=$(echo "$OLD_CHART_VER" | cut -d. -f3)
+ NEW_PAT=$((PAT + 1))
+ NEW_CHART_VER="$MAJ.$MIN.$NEW_PAT"
+ sed -i "s/^version: .*/version: $NEW_CHART_VER/" chart/Chart.yaml
+
+ echo " appVersion: $CURRENT → $VERSION"
+ echo " version: $OLD_CHART_VER → $NEW_CHART_VER"
+
+ git config user.name "ZDDC Release Bot"
+ git config user.email "noreply@zddc.varasys.io"
+ git add chart/Chart.yaml
+ git commit -m "chore(chart): auto-bump appVersion to $VERSION (ZDDC stable cut)
+
+Triggered by zddc-server-v$VERSION tag push on git.varasys.io/VARASYS/ZDDC.
+Bumps Chart.yaml so the prod Docker image is tagged \`zddc:$VERSION\`,
+ensuring kubelet pulls a fresh image on the next helm upgrade. Chart
+\`version\` bumped to $NEW_CHART_VER (patch) so JFrog has a clean
+chart history per deploy.
+
+Auto-generated by .forgejo/workflows/deploy-release.yml's
+notify-chart-prod job. Do not edit manually — the next ZDDC stable
+cut will overwrite this commit's changes."
+ git push origin main
+ echo "✓ pushed chart appVersion bump → BMCD pipeline-prod will fire"
diff --git a/.forgejo/workflows/notify-chart-dev.yml b/.forgejo/workflows/notify-chart-dev.yml
new file mode 100644
index 0000000..c32dce2
--- /dev/null
+++ b/.forgejo/workflows/notify-chart-dev.yml
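Review bot: The body of the multi-line `git commit -m "…"` message appears to start at column 0 (`+Triggered by …`, `+Bumps Chart.yaml …` and the lines after them carry no indentation after the `+`), which is less than the indentation of the enclosing `run: |` block scalar, so the scalar would end at `Triggered by` and the workflow file would likely fail to parse. The commit message in notify-chart-dev.yml has the same layout. Indent the body lines to the same level as the rest of the script (YAML strips the common indent, so the message text is unchanged), or pass the body as further paragraphs with `git commit -m "chore(chart): …" -m "Triggered by …"`. The commit description says neither workflow has run yet, so linting both files before the first tag push would confirm this.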
@@ -0,0 +1,105 @@
+name: Notify chart dev on beta cut
+
+# Mirrors deploy-release.yml's notify-chart-prod job, but for beta.
+# Triggers when a push to ZDDC main touches zddc/internal/apps/embedded/*
+# — i.e. a `./build beta` cut whose embedded artifacts the operator
+# committed to main. Pushes a chart appVersion bump to the chart's
+# develop branch, which fires BMCD's pipeline-dev → dev image rebuilt
+# with the new beta-labeled bytes baked in.
+#
+# Stable cuts ALSO touch embedded/, but their workflow path is the
+# tag-triggered notify-chart-prod in deploy-release.yml. To avoid
+# double-firing when a stable cut pushes main + tags together, we
+# check if HEAD has a zddc-server-v* tag and skip if so — the
+# stable workflow handles the chart bump in that case.
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - 'zddc/internal/apps/embedded/**'
+
+jobs:
+ notify-chart-dev:
+ runs-on: host
+ env:
+ CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
+ steps:
+ - name: Checkout (need tags to detect stable cut)
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Detect cut type (skip if HEAD has stable tag)
+ id: gate
+ run: |
+ set -eu
+ if git tag --points-at HEAD | grep -q '^zddc-server-v'; then
+ echo "is_beta=false" >> "$GITHUB_OUTPUT"
+ echo "HEAD has zddc-server-v* tag — stable workflow handles this; skipping dev notify"
+ else
+ echo "is_beta=true" >> "$GITHUB_OUTPUT"
+ echo "No stable tag at HEAD; treating as beta cut"
+ fi
+
+ - name: Auto-bump chart develop appVersion + push
+ if: steps.gate.outputs.is_beta == 'true'
+ run: |
+ set -eu
+
+ if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
+ echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
+ exit 1
+ fi
+
+ # Compose a beta version string that's unique per ZDDC commit.
+ # Uses the next-stable target (max of latest tag + 1, mirrors
+ # ./build's _coordinated_next_stable) and the short SHA.
+ # Example: "0.0.11-beta-c099676". Always unique per push.
+ LATEST_STABLE=$(git tag --list 'zddc-server-v*' --sort=-v:refname | head -1)
+ MAJ=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f1)
+ MIN=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f2)
+ PAT=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f3)
+ NEXT_STABLE="$MAJ.$MIN.$((PAT + 1))"
+ SHORT_SHA=$(git rev-parse --short=7 HEAD)
+ BETA_VERSION="${NEXT_STABLE}-beta-${SHORT_SHA}"
+ echo "ZDDC beta cut: $BETA_VERSION (HEAD=$(git rev-parse HEAD))"
+
+ TMP=$(mktemp -d)
+ cd "$TMP"
+ git clone --depth=20 --branch=develop \
+ "https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
+ cd tnd-zddc-chart
+
+ # Idempotent: same SHA ⇒ same version ⇒ no-op.
+ CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
+ if [ "$CURRENT" = "$BETA_VERSION" ]; then
+ echo "Chart develop already at $BETA_VERSION; nothing to do"
+ exit 0
+ fi
+
+ sed -i "s/^appVersion: .*/appVersion: \"$BETA_VERSION\"/" chart/Chart.yaml
+ OLD_CHART_VER=$(grep '^version:' chart/Chart.yaml | awk '{print $2}')
+ MAJC=$(echo "$OLD_CHART_VER" | cut -d. -f1)
+ MINC=$(echo "$OLD_CHART_VER" | cut -d. -f2)
+ PATC=$(echo "$OLD_CHART_VER" | cut -d. -f3)
+ NEW_CHART_VER="$MAJC.$MINC.$((PATC + 1))"
+ sed -i "s/^version: .*/version: $NEW_CHART_VER/" chart/Chart.yaml
+
+ echo " appVersion: $CURRENT → $BETA_VERSION"
+ echo " version: $OLD_CHART_VER → $NEW_CHART_VER"
+
+ git config user.name "ZDDC Release Bot"
+ git config user.email "noreply@zddc.varasys.io"
+ git add chart/Chart.yaml
+ git commit -m "chore(chart): auto-bump appVersion to $BETA_VERSION (ZDDC beta cut)
+
+Triggered by push to git.varasys.io/VARASYS/ZDDC main with
+embedded/* changes (a \`./build beta\` cut). Bumps Chart.yaml so
+the dev Docker image is tagged \`zddc:$BETA_VERSION\`, ensuring
+kubelet pulls a fresh image on the next helm upgrade.
+
+Auto-generated by .forgejo/workflows/notify-chart-dev.yml. The
+next ZDDC beta or stable cut will overwrite this."
+ git push origin develop
+ echo "✓ pushed chart develop bump → BMCD pipeline-dev will fire"
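Review bot: CHART_GITHUB_TOKEN is exposed more widely than the one push step needs. The job-level `env:` hands it to every step, including `actions/checkout@v4`, which is referenced by a mutable tag, and the clone URL `https://oauth2:${CHART_GITHUB_TOKEN}@github.com/…` puts it on the git command line and into `.git/config` of a `mktemp -d` directory that nothing in the step removes. The same clone-URL pattern is in the notify-chart-prod job added to deploy-release.yml. The commit description calls this a classic PAT with repo and workflow scopes, so a leak would presumably reach beyond the chart repository, and more so if the `host` runner is a persistent machine. I would move `env:` onto the bump step, pin the checkout action to a full commit SHA, pass the credential through git's environment config (Git 2.31 or later) and remove the temp directory on exit, as sketched below.

```yaml
      - name: Checkout (need tags to detect stable cut)
        uses: actions/checkout@<full-commit-sha>  # placeholder: the reviewed v4 commit
      # … unchanged: fetch-depth, "Detect cut type" step …
      - name: Auto-bump chart develop appVersion + push
        # … unchanged: if: condition …
        env:  # moved here from the job level
          CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
        run: |
          # … unchanged: set -eu, token presence check, BETA_VERSION …
          TMP=$(mktemp -d)
          trap 'rm -rf "$TMP"' EXIT
          cd "$TMP"
          # Pass the PAT through git's environment config so it is not in
          # the clone URL, the process arguments, or the clone's .git/config.
          AUTH=$(printf 'oauth2:%s' "$CHART_GITHUB_TOKEN" | base64 | tr -d '\n')
          export GIT_CONFIG_COUNT=1
          export GIT_CONFIG_KEY_0='http.https://github.com/.extraheader'
          export GIT_CONFIG_VALUE_0="Authorization: Basic $AUTH"
          git clone --depth=20 --branch=develop \
            "https://github.com/burnsmcd/tnd-zddc-chart.git"
          # … unchanged: Chart.yaml bump, commit, push …
```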