From 011264a87bcf33fa0167a59ea3ae879fd9d6073d Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Tue, 23 Jun 2026 00:42:02 +0000 Subject: [PATCH] =?UTF-8?q?fix(ci):=20resolve=20dev=E2=86=92uat=20merge=20?= =?UTF-8?q?conflict,=20apply=20jq=20title=20fix=20(CAR-1436)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitea/workflows/ci.yml | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6bba354..f8f9ac2 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -93,7 +93,7 @@ jobs: with: repository: cartsnitch/infra token: ${{ secrets.CI_GITEA_TOKEN }} - ref: main + ref: ${{ github.ref == 'refs/heads/main' && 'main' || (github.ref == 'refs/heads/uat' && 'uat' || 'dev') }} path: infra - name: Install kustomize @@ -142,8 +142,9 @@ jobs: echo "::notice::Refusing to push directly to protected branch — falling back to contents API" exit 0 fi - PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ - '{head: $head, base: "main", title: ("ci(dev): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}') + TITLE="ci(dev): update auth image (${GITHUB_SHA::12})" + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base dev --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -163,6 +164,11 @@ jobs: if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" fi + # CAR-1216: the in-job merge attempt is a best-effort fast-path only. + # `cartsnitch/infra` main requires a human approving review; the CI bot + # cannot self-approve. Treat any non-merged outcome (approvals pending, + # checks pending, any other Gitea message) as the GitOps approval gate + # — the PR is already opened and cs_savannah is requested as reviewer. MERGE_RESP=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -170,11 +176,8 @@ jobs: "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" = "true" ]; then - echo "PR #${PR_NUM} merged into cartsnitch/infra main" + echo "PR #${PR_NUM} merged into cartsnitch/infra dev" elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then - # GitOps approval gate: PR is correctly opened and surfaces in - # CTO queue via the reviewers request above. Treat as success - # so the job does not hard-fail on approvals. echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure" exit 0 else @@ -192,7 +195,7 @@ jobs: with: repository: cartsnitch/infra token: ${{ secrets.CI_GITEA_TOKEN }} - ref: main + ref: ${{ github.ref == 'refs/heads/main' && 'main' || (github.ref == 'refs/heads/uat' && 'uat' || 'dev') }} path: infra - name: Install kustomize @@ -241,8 +244,9 @@ jobs: echo "::notice::Refusing to push directly to protected branch — falling back to contents API" exit 0 fi - PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ - '{head: $head, base: "main", title: ("ci(uat): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}') + TITLE="ci(uat): update auth image (${GITHUB_SHA::12})" + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base uat --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -262,6 +266,7 @@ jobs: if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" fi + # CAR-1216: see deploy-dev — same never-fail on merge outcome. MERGE_RESP=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -269,11 +274,8 @@ jobs: "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" = "true" ]; then - echo "PR #${PR_NUM} merged into cartsnitch/infra main" + echo "PR #${PR_NUM} merged into cartsnitch/infra uat" elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then - # GitOps approval gate: PR is correctly opened and surfaces in - # CTO queue via the reviewers request above. Treat as success - # so the job does not hard-fail on approvals. echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure" exit 0 else -- 2.52.0