From b8192c5d7aeb5c3d5c03002445a8e53a9247df8a Mon Sep 17 00:00:00 2001 From: ZDDC Date: Mon, 4 May 2026 07:01:11 -0500 Subject: [PATCH] fix(ci): chart-bump uses the SHA baked into the embed (not git HEAD) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ./build beta runs locally at HEAD=N, generates embed/*.html with build-label SHA=N, then the operator commits the generated bytes as commit N+1. After push, git HEAD on the runner = N+1 but the served website's BUILD_LABEL still encodes N (it's baked into the HTML at build time, before the commit). Previously the bump script computed BETA_VERSION using `git rev-parse --short HEAD` = N+1, so the chart's appVersion (and the dev image's tag, and the kubelet's pull) said N+1 while the served label said N. Two SHAs for the same bytes — confusing when triaging "is this image actually the latest?". Read the SHA from zddc/internal/apps/embedded/versions.txt instead (third pipe-delimited field of any line). That's the single source of truth for what bytes were baked, and it lines up with what users see in every tool's header. Manually re-bumped chart develop after committing this script: appVersion: 0.0.16-beta-9a3e4d8 → 0.0.16-beta-8df0def
---
 .forgejo/scripts/notify-chart-bump.sh | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/.forgejo/scripts/notify-chart-bump.sh b/.forgejo/scripts/notify-chart-bump.sh
index 6ab6f53..863d1b6 100755
--- a/.forgejo/scripts/notify-chart-bump.sh
+++ b/.forgejo/scripts/notify-chart-bump.sh
@@ -59,7 +59,25 @@ case "$CHANNEL" in
 MIN=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f2)
 PAT=$(echo "${LATEST_STABLE#zddc-server-v}" | cut -d. -f3)
 NEXT_STABLE="$MAJ.$MIN.$((PAT + 1))"
- SHORT_SHA=$(git rev-parse --short=7 HEAD)
+
+ # Use the SHA baked into the embedded files (third field of
+ # versions.txt: "= · · "), NOT
+ # `git rev-parse HEAD`. This matters because `./build beta`
+ # runs locally at HEAD=N, then the operator commits the
+ # generated embed files as N+1; the embed label encodes N
+ # while git HEAD on push is N+1. If we used N+1 here, the
+ # chart's appVersion (N+1) wouldn't match the build label
+ # users see in the served website (N) — confusing on its
+ # face when triaging "is this image current?". Reading from
+ # versions.txt guarantees they line up.
+ VERSIONS_FILE="zddc/internal/apps/embedded/versions.txt"
+ SHORT_SHA=$(awk -F' · ' '/^[a-z]+=/ { print $NF; exit }' "$VERSIONS_FILE" \
+ | tr -d '[:space:]')
+ if [ -z "$SHORT_SHA" ]; then
+ echo "::error::could not parse SHA from $VERSIONS_FILE" >&2
+ cat "$VERSIONS_FILE" >&2
+ exit 1
+ fi
 TARGET_VERSION="${NEXT_STABLE}-beta-${SHORT_SHA}"
 BRANCHES="develop"
 TRIGGER_DESC="ZDDC beta cut"
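Review bot: The `[ -z "$SHORT_SHA" ]` guard rejects only an empty result, so any non-empty last field of the first matching line in versions.txt flows unvalidated into `TARGET_VERSION`, which per the commit message ends up as the chart appVersion and the image tag. awk prints `$NF`, which is the "third field" the comment describes only when the line has exactly three ` · `-separated fields, so a reshaped or hand-edited line would yield a tag that is not a SHA at all. I would tighten the guard to `if ! printf '%s' "$SHORT_SHA" | grep -Eq '^[0-9a-f]{7,40}$'; then` and keep the existing error branch. The enclosing `case` arm starts and ends outside the hunk, so how `TARGET_VERSION` is consumed downstream is not visible here.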