From 80a2ea54be957ead71503cb437f426970a5f3568 Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Mon, 22 Jun 2026 23:56:09 +0000 Subject: [PATCH 1/4] fix: use shell var for jq --arg title in deploy-dev/deploy-uat (CAR-1436) --- .gitea/workflows/ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 17e72a7..f8f9ac2 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -142,7 +142,8 @@ jobs: echo "::notice::Refusing to push directly to protected branch — falling back to contents API" exit 0 fi - PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base dev --arg title ("ci(dev): update auth image (" + env.GITHUB_SHA[:12] + ")") --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + TITLE="ci(dev): update auth image (${GITHUB_SHA::12})" + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base dev --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ @@ -243,7 +244,8 @@ jobs: echo "::notice::Refusing to push directly to protected branch — falling back to contents API" exit 0 fi - PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base uat --arg title ("ci(uat): update auth image (" + env.GITHUB_SHA[:12] + ")") --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + TITLE="ci(uat): update auth image (${GITHUB_SHA::12})" + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base uat --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -- 2.52.0 From 7ff805c3a5189532295e9d7688b4b7a2600f5b4f Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Tue, 23 Jun 2026 00:38:36 +0000 Subject: [PATCH 2/4] fix(ci): broaden graceful-exit on infra PR auto-merge (CAR-1438) --- .gitea/workflows/ci.yml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index f8f9ac2..7260518 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -177,12 +177,11 @@ jobs: MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" = "true" ]; then echo "PR #${PR_NUM} merged into cartsnitch/infra dev" - elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then - echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure" - exit 0 else - echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP" - exit 1 + # CAR-1438: PR opened successfully; any non-merged outcome (empty body, + # approval-gate, pending checks) is the GitOps gate — not a failure. + echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge" + exit 0 fi deploy-uat: @@ -275,10 +274,10 @@ jobs: MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" = "true" ]; then echo "PR #${PR_NUM} merged into cartsnitch/infra uat" - elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then - echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure" - exit 0 else - echo "::error::Auto-merge of cartsnitch/infra PR #${PR_NUM} failed: $MERGE_RESP" - exit 1 + # CAR-1438: PR opened successfully; any non-merged outcome (empty body, + # approval-gate, pending checks) is the GitOps gate — not a failure. + echo "::notice::infra PR #${PR_NUM} opened — auto-merge not available (${MERGE_RESP:-empty response}); awaiting CTO (cs_savannah) approve+merge" + exit 0 fi + -- 2.52.0 From 011264a87bcf33fa0167a59ea3ae879fd9d6073d Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Tue, 23 Jun 2026 00:42:02 +0000 Subject: [PATCH 3/4] =?UTF-8?q?fix(ci):=20resolve=20dev=E2=86=92uat=20merg?= =?UTF-8?q?e=20conflict,=20apply=20jq=20title=20fix=20(CAR-1436)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitea/workflows/ci.yml | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 6bba354..f8f9ac2 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -93,7 +93,7 @@ jobs: with: repository: cartsnitch/infra token: ${{ secrets.CI_GITEA_TOKEN }} - ref: main + ref: ${{ github.ref == 'refs/heads/main' && 'main' || (github.ref == 'refs/heads/uat' && 'uat' || 'dev') }} path: infra - name: Install kustomize @@ -142,8 +142,9 @@ jobs: echo "::notice::Refusing to push directly to protected branch — falling back to contents API" exit 0 fi - PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ - '{head: $head, base: "main", title: ("ci(dev): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}') + TITLE="ci(dev): update auth image (${GITHUB_SHA::12})" + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base dev --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -163,6 +164,11 @@ jobs: if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" fi + # CAR-1216: the in-job merge attempt is a best-effort fast-path only. + # `cartsnitch/infra` main requires a human approving review; the CI bot + # cannot self-approve. Treat any non-merged outcome (approvals pending, + # checks pending, any other Gitea message) as the GitOps approval gate + # — the PR is already opened and cs_savannah is requested as reviewer. MERGE_RESP=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -170,11 +176,8 @@ jobs: "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" = "true" ]; then - echo "PR #${PR_NUM} merged into cartsnitch/infra main" + echo "PR #${PR_NUM} merged into cartsnitch/infra dev" elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then - # GitOps approval gate: PR is correctly opened and surfaces in - # CTO queue via the reviewers request above. Treat as success - # so the job does not hard-fail on approvals. echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure" exit 0 else @@ -192,7 +195,7 @@ jobs: with: repository: cartsnitch/infra token: ${{ secrets.CI_GITEA_TOKEN }} - ref: main + ref: ${{ github.ref == 'refs/heads/main' && 'main' || (github.ref == 'refs/heads/uat' && 'uat' || 'dev') }} path: infra - name: Install kustomize @@ -241,8 +244,9 @@ jobs: echo "::notice::Refusing to push directly to protected branch — falling back to contents API" exit 0 fi - PR_BODY=$(jq -n --arg head "$BRANCH" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ - '{head: $head, base: "main", title: ("ci(uat): update auth image (" + env.GITHUB_SHA[:12] + ")"), body: $body}') + TITLE="ci(uat): update auth image (${GITHUB_SHA::12})" + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base uat --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -262,6 +266,7 @@ jobs: if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing" fi + # CAR-1216: see deploy-dev — same never-fail on merge outcome. MERGE_RESP=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -269,11 +274,8 @@ jobs: "https://git.farh.net/api/v1/repos/cartsnitch/infra/pulls/${PR_NUM}/merge") MERGED=$(echo "$MERGE_RESP" | jq -r '.merged // false') if [ "$MERGED" = "true" ]; then - echo "PR #${PR_NUM} merged into cartsnitch/infra main" + echo "PR #${PR_NUM} merged into cartsnitch/infra uat" elif echo "$MERGE_RESP" | grep -qi 'does not have enough approvals'; then - # GitOps approval gate: PR is correctly opened and surfaces in - # CTO queue via the reviewers request above. Treat as success - # so the job does not hard-fail on approvals. echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure" exit 0 else -- 2.52.0 From 88da9ee771d5a992c1ad2498de018cf08da56167 Mon Sep 17 00:00:00 2001 From: Barcode Betty <32+cs_betty@noreply.git.farh.net> Date: Tue, 23 Jun 2026 01:07:17 +0000 Subject: [PATCH 4/4] =?UTF-8?q?fix(ci):=20revert=20deploy=20PR=20base=20de?= =?UTF-8?q?v/uat=20=E2=86=92=20main=20(CAR-1431)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Deploy-dev and deploy-uat jobs were opening image-tag-bump PRs against dev/uat branches per CAR-1371. Flux reconciles all overlays from infra main, so those PRs were never picked up. Revert --arg base back to main. Co-Authored-By: Paperclip --- .gitea/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 7260518..9a02ee6 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -143,7 +143,7 @@ jobs: exit 0 fi TITLE="ci(dev): update auth image (${GITHUB_SHA::12})" - PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base dev --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/dev/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ @@ -244,7 +244,7 @@ jobs: exit 0 fi TITLE="ci(uat): update auth image (${GITHUB_SHA::12})" - PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base uat --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ + PR_BODY=$(jq -n --arg head "cartsnitch:${BRANCH}" --arg base main --arg title "$TITLE" --arg body "Bumps apps/overlays/uat/kustomization.yaml auth newTag to \`${{ steps.tag.outputs.tag }}\` from cartsnitch/auth CI build $GITHUB_SHA." \ '{head: $head, base: $base, title: $title, body: $body}') PR_JSON=$(curl -sS -X POST \ -H "Authorization: token ${CI_GITEA_TOKEN}" \ -- 2.52.0