VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ci: auto-bump tnd-zddc-chart appVersion on ZDDC cut

Browse source 
Closes the loop on the user-described workflow:

  1. Iterate on tools / cut alpha → no chart involvement.
  2. `./build beta` → embedded/ commits to ZDDC main →
     notify-chart-dev.yml pushes a chart appVersion bump to
     burnsmcd/tnd-zddc-chart's develop branch → BMCD pipeline-dev
     fires automatically → dev image rebuilt with new beta bytes
     baked in.
  3. `./build release` → tag pushed → existing deploy-release.yml's
     new notify-chart-prod job pushes a chart appVersion bump to
     burnsmcd/tnd-zddc-chart's main branch → BMCD pipeline-prod
     fires automatically → prod image rebuilt with new stable bytes.

The chart repo IS still committed to (one Chart.yaml line, auto-
generated by either workflow), but no human ever touches it for
routine ZDDC releases. The chart commits are idempotent (skip if
appVersion already at target) and clearly marked as bot-generated.

The truly chart-commit-free version would require either (a)
BMCD's private helm-deploy-latest reusable to accept --set overrides
we'd compute, or (b) bypassing it entirely with our own helm step.
Both are deeper changes than this PR; this is the simplest reliable
solution within the existing reusable.

Auth: a new repo-scoped Forgejo Actions secret CHART_GITHUB_TOKEN
holds the classic GitHub PAT (already provisioned for the
Forgejo→GitHub mirror; same token, repo+workflow scopes,
SAML-SSO authorized for burnsmcd). The bot identity is
'ZDDC Release Bot <noreply@zddc.varasys.io>'.

Tested behavior:
- Workflow files are added by THIS commit. Pushing this commit
  does not fire either workflow (notify-chart-prod requires a
  tag; notify-chart-dev requires changes under
  zddc/internal/apps/embedded/). Safe to land before testing.
- First real test fires on the next ZDDC stable cut or beta cut.
This commit is contained in:
ZDDC 2026-05-03 18:16:50 -05:00
parent f5ffd408f2
commit 2f9f26a544
2 changed files with 184 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

79
.forgejo/workflows/deploy-release.yml
View file

@ -87,3 +87,82 @@ jobs:
curl -ksI --connect-to "zddc.varasys.io:8443:caddy:8443" \
"https://zddc.varasys.io:8443/releases/archive_${MIRROR}.html" \
| head -3
# On a stable cut (tag push), auto-bump tnd-zddc-chart's appVersion to
# match the new ZDDC version, then push to the chart's main branch.
# The chart's pipeline-prod fires automatically on its own main push,
# rebuilds the prod Docker image with a new tag (image tag derives from
# Chart.AppVersion), and helm rolls the deployment. Net effect: a
# single ZDDC stable cut deploys to BMCD prod with zero manual steps
# on the chart repo. Dispatch-only invocations of this workflow
# (workflow_dispatch with channel=release) skip — the chart bump is
# only meaningful when the actual git tag exists at refs/tags/.
notify-chart-prod:
needs: build-and-deploy
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/zddc-server-v')
runs-on: host
env:
CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
steps:
- name: Auto-bump tnd-zddc-chart appVersion + push to chart main
run: |
set -eu
VERSION="${GITHUB_REF#refs/tags/zddc-server-v}"
echo "ZDDC stable cut: $VERSION"
# Sanity: make sure the secret was injected. If not, fail loud
# (rather than silently failing on the git push later).
if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
exit 1
fi
# Clone tnd-zddc-chart into a tmp workspace. Shallow is fine —
# we only ever produce one commit on top of main.
TMP=$(mktemp -d)
cd "$TMP"
git clone --depth=20 --branch=main \
"https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
cd tnd-zddc-chart
# Idempotent: skip if appVersion already matches the new ZDDC
# version (e.g. if the operator already manually bumped it, or
# this job is being re-run on the same tag).
CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
if [ "$CURRENT" = "$VERSION" ]; then
echo "Chart appVersion already at $VERSION; nothing to do"
exit 0
fi
# Bump appVersion to track ZDDC stable. Also bump the chart's
# own version (patch) so each deploy carries a unique chart
# identity in JFrog — clean release history vs. silent rev
# within the same chart version.
sed -i "s/^appVersion: .*/appVersion: \"$VERSION\"/" chart/Chart.yaml
OLD_CHART_VER=$(grep '^version:' chart/Chart.yaml | awk '{print $2}')
MAJ=$(echo "$OLD_CHART_VER" | cut -d. -f1)
MIN=$(echo "$OLD_CHART_VER" | cut -d. -f2)
PAT=$(echo "$OLD_CHART_VER" | cut -d. -f3)
NEW_PAT=$((PAT + 1))
NEW_CHART_VER="$MAJ.$MIN.$NEW_PAT"
sed -i "s/^version: .*/version: $NEW_CHART_VER/" chart/Chart.yaml
echo " appVersion: $CURRENT → $VERSION"
echo " version: $OLD_CHART_VER → $NEW_CHART_VER"
git config user.name "ZDDC Release Bot"
git config user.email "noreply@zddc.varasys.io"
git add chart/Chart.yaml
git commit -m "chore(chart): auto-bump appVersion to $VERSION (ZDDC stable cut)
Triggered by zddc-server-v$VERSION tag push on git.varasys.io/VARASYS/ZDDC.
Bumps Chart.yaml so the prod Docker image is tagged \`zddc:$VERSION\`,
ensuring kubelet pulls a fresh image on the next helm upgrade. Chart
\`version\` bumped to $NEW_CHART_VER (patch) so JFrog has a clean
chart history per deploy.
Auto-generated by .forgejo/workflows/deploy-release.yml's
notify-chart-prod job. Do not edit manually — the next ZDDC stable
cut will overwrite this commit's changes."
git push origin main
echo "✓ pushed chart appVersion bump → BMCD pipeline-prod will fire"

105
.forgejo/workflows/notify-chart-dev.yml Normal file
View file

@ -0,0 +1,105 @@
name: Notify chart dev on beta cut
# Mirrors deploy-release.yml's notify-chart-prod job, but for beta.
# Triggers when a push to ZDDC main touches zddc/internal/apps/embedded/*
# — i.e. a `./build beta` cut whose embedded artifacts the operator
# committed to main. Pushes a chart appVersion bump to the chart's
# develop branch, which fires BMCD's pipeline-dev → dev image rebuilt
# with the new beta-labeled bytes baked in.
#
# Stable cuts ALSO touch embedded/, but their workflow path is the
# tag-triggered notify-chart-prod in deploy-release.yml. To avoid
# double-firing when a stable cut pushes main + tags together, we
# check if HEAD has a zddc-server-v* tag and skip if so — the
# stable workflow handles the chart bump in that case.
on:
push:
branches: [main]
paths:
- 'zddc/internal/apps/embedded/**'
jobs:
notify-chart-dev:
runs-on: host
env:
CHART_GITHUB_TOKEN: ${{ secrets.CHART_GITHUB_TOKEN }}
steps:
- name: Checkout (need tags to detect stable cut)
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Detect cut type (skip if HEAD has stable tag)
id: gate
run: |
set -eu
if git tag --points-at HEAD | grep -q '^zddc-server-v'; then
echo "is_beta=false" >> "$GITHUB_OUTPUT"
echo "HEAD has zddc-server-v* tag — stable workflow handles this; skipping dev notify"
else
echo "is_beta=true" >> "$GITHUB_OUTPUT"
echo "No stable tag at HEAD; treating as beta cut"
fi
- name: Auto-bump chart develop appVersion + push
if: steps.gate.outputs.is_beta == 'true'
run: |
set -eu
if [ -z "${CHART_GITHUB_TOKEN:-}" ]; then
echo "::error::CHART_GITHUB_TOKEN secret not set on this repo" >&2
exit 1
fi
# Compose a beta version string that's unique per ZDDC commit.
# Uses the next-stable target (max of latest tag + 1, mirrors
# ./build's _coordinated_next_stable) and the short SHA.
# Example: "0.0.11-beta-c099676". Always unique per push.
LATEST_STABLE=$(git tag --list 'zddc-server-v*' --sort=-v:refname | head -1)
MAJ=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f1)
MIN=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f2)
PAT=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f3)
NEXT_STABLE="$MAJ.$MIN.$((PAT + 1))"
SHORT_SHA=$(git rev-parse --short=7 HEAD)
BETA_VERSION="${NEXT_STABLE}-beta-${SHORT_SHA}"
echo "ZDDC beta cut: $BETA_VERSION (HEAD=$(git rev-parse HEAD))"
TMP=$(mktemp -d)
cd "$TMP"
git clone --depth=20 --branch=develop \
"https://oauth2:${CHART_GITHUB_TOKEN}@github.com/burnsmcd/tnd-zddc-chart.git"
cd tnd-zddc-chart
# Idempotent: same SHA ⇒ same version ⇒ no-op.
CURRENT=$(grep '^appVersion:' chart/Chart.yaml | sed -E 's/^appVersion: *"?([^"]*)"?.*/\1/')
if [ "$CURRENT" = "$BETA_VERSION" ]; then
echo "Chart develop already at $BETA_VERSION; nothing to do"
exit 0
fi
sed -i "s/^appVersion: .*/appVersion: \"$BETA_VERSION\"/" chart/Chart.yaml
OLD_CHART_VER=$(grep '^version:' chart/Chart.yaml | awk '{print $2}')
MAJC=$(echo "$OLD_CHART_VER" | cut -d. -f1)
MINC=$(echo "$OLD_CHART_VER" | cut -d. -f2)
PATC=$(echo "$OLD_CHART_VER" | cut -d. -f3)
NEW_CHART_VER="$MAJC.$MINC.$((PATC + 1))"
sed -i "s/^version: .*/version: $NEW_CHART_VER/" chart/Chart.yaml
echo " appVersion: $CURRENT → $BETA_VERSION"
echo " version: $OLD_CHART_VER → $NEW_CHART_VER"
git config user.name "ZDDC Release Bot"
git config user.email "noreply@zddc.varasys.io"
git add chart/Chart.yaml
git commit -m "chore(chart): auto-bump appVersion to $BETA_VERSION (ZDDC beta cut)
Triggered by push to git.varasys.io/VARASYS/ZDDC main with
embedded/* changes (a \`./build beta\` cut). Bumps Chart.yaml so
the dev Docker image is tagged \`zddc:$BETA_VERSION\`, ensuring
kubelet pulls a fresh image on the next helm upgrade.
Auto-generated by .forgejo/workflows/notify-chart-dev.yml. The
next ZDDC beta or stable cut will overwrite this."
git push origin develop
echo "✓ pushed chart develop bump → BMCD pipeline-dev will fire"