diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6bba354..9a02ee6 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -93,7 +93,7 @@ jobs: with: repository: cartsnitch/infra token: ${{ secrets.CI_GITEA_TOKEN }} - ref: main + ref: ${{ github.ref == 'refs/heads/main' && 'main' || (github.ref == 'refs/heads/uat' && 'uat' || 'dev') }} path: infra - name: Install kustomize @@ -142,8 +142,9 @@ jobs: echo "::notice::Refusing to push directly to protected branch — falling back to contents API" exit 0 fi - PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ - '{head: $head, base: "main", title: ("ci(dev): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}') + TITLE="ci(dev): update auth image (${GITHUB_SHA::12})" + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -163,6 +164,11 @@ jobs: if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" fi + # CAR-1216: the in-job merge attempt is a best-effort fast-path only. + # `cartsnitch/infra` main requires a human approving review; the CI bot + # cannot self-approve. Treat any non-merged outcome (approvals pending, + # checks pending, any other Gitea message) as the GitOps approval gate + # — the PR is already opened and cs_savannah is requested as reviewer. MERGE_RESP=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -170,16 +176,12 @@ jobs: "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" = "true" ]; then - echo "PR #${PR_NUM} merged into cartsnitch/infra main" - elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then - # GitOps approval gate: PR is correctly opened and surfaces in - # CTO queue via the reviewers request above. Treat as success - # so the job does not hard-fail on approvals. - echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure" - exit 0 + echo "PR #${PR_NUM} merged into cartsnitch/infra dev" else - echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP" - exit 1 + # CAR-1438: PR opened successfully; any non-merged outcome (empty body, + # approval-gate, pending checks) is the GitOps gate — not a failure. + echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge" + exit 0 fi deploy-uat: @@ -192,7 +194,7 @@ jobs: with: repository: cartsnitch/infra token: ${{ secrets.CI_GITEA_TOKEN }} - ref: main + ref: ${{ github.ref == 'refs/heads/main' && 'main' || (github.ref == 'refs/heads/uat' && 'uat' || 'dev') }} path: infra - name: Install kustomize @@ -241,8 +243,9 @@ jobs: echo "::notice::Refusing to push directly to protected branch — falling back to contents API" exit 0 fi - PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ - '{head: $head, base: "main", title: ("ci(uat): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}') + TITLE="ci(uat): update auth image (${GITHUB_SHA::12})" + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -262,6 +265,7 @@ jobs: if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" fi + # CAR-1216: see deploy-dev — same never-fail on merge outcome. MERGE_RESP=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -269,14 +273,11 @@ jobs: "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" = "true" ]; then - echo "PR #${PR_NUM} merged into cartsnitch/infra main" - elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then - # GitOps approval gate: PR is correctly opened and surfaces in - # CTO queue via the reviewers request above. Treat as success - # so the job does not hard-fail on approvals. - echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure" - exit 0 + echo "PR #${PR_NUM} merged into cartsnitch/infra uat" else - echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP" - exit 1 + # CAR-1438: PR opened successfully; any non-merged outcome (empty body, + # approval-gate, pending checks) is the GitOps gate — not a failure. + echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge" + exit 0 fi +