ci: never hard-fail deploy-dev/deploy-uat on infra-PR merge outcome (CAR-1216)

The CI bot cannot self-approve cartsnitch/infra main's required human review, so the in-job auto-merge attempt is structurally impossible and would always fail with SOME message (checks-pending, then approvals, then transient errors). Special-casing individual error strings is fragile — CAR-1212's 'Does not have enough approvals' branch proved it (deploy-dev run 4999 hit the final else-branch instead). Make job success depend only on the infra PR being OPENED (and cs_savannah review requested), NOT on the merge outcome. Replace both the approvals-elif branch and the final else (exit 1) branch with a single non-failing branch: emit a ::notice:: with the merge response and exit 0. The ONLY remaining hard-fail is the empty PR_NUM check (PR could not be created). Same change applied symmetrically to deploy-uat. Refs CAR-1195, CAR-1194, CAR-1212, CAR-1216.
2026-06-03 22:05:37 +00:00
5 changed files with 41 additions and 74 deletions
@@ -488,14 +488,14 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/dev
-          kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

      - name: Determine image tag for receiptwitness
        id: receiptwitness_tag
@@ -503,7 +503,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update receiptwitness image tag
@@ -518,7 +518,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update api image tag
@@ -533,7 +533,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update auth image tag
@@ -577,16 +577,6 @@ jobs:
          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
          fi
-          # CAR-1216: the in-job merge attempt is a best-effort fast-path only.
-          # `cartsnitch/infra` main requires a human approving review (immutable
-          # branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
-          # approve, so this merge call structurally cannot succeed in the
-          # general case. Any non-merged outcome (approvals pending, checks
-          # pending, any other Gitea message) is the GitOps approval gate, not
-          # a CI failure — the PR is already opened and `cs_savannah` is
-          # requested as reviewer above. Surface the response as a notice and
-          # exit success. The only hard-fail (`exit 1`) in this step remains
-          # the empty-`PR_NUM` check (PR could not be created at all).
          MERGE_RESP=$(curl -sS -X POST \
            -H "Authorization: token ${CI_GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
@@ -596,6 +586,14 @@ jobs:
          if [ "$MERGED" = "true" ]; then
            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
          else
+            # GitOps approval gate (CAR-1216): the CI bot cannot self-approve
+            # cartsnitch/infra main's required human review, so the in-job
+            # auto-merge is structurally impossible and will always fail with
+            # SOME message (checks-pending, then approvals, then transient
+            # errors). Special-casing individual messages is fragile. The PR
+            # is correctly opened, cs_savannah is requested as reviewer, and
+            # the CTO will backstop-merge — that is the success condition.
+            # Treat every merge-outcome failure as success (exit 0).
            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
            exit 0
          fi
@@ -634,14 +632,14 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update frontend image tag
        if: needs.build-and-push.result == 'success'
        run: |
          cd infra/apps/overlays/uat
-          kustomize edit set image ghcr.io/cartsnitch/app=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}
+          kustomize edit set image ghcr.io/cartsnitch/cartsnitch=git.farh.net/cartsnitch/cartsnitch:${{ steps.frontend_tag.outputs.tag }}

      - name: Determine image tag for receiptwitness
        id: receiptwitness_tag
@@ -649,7 +647,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update receiptwitness image tag
@@ -664,7 +662,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update api image tag
@@ -679,7 +677,7 @@ jobs:
          if [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT"
          else
-            echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
+            echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"
          fi

      - name: Update auth image tag
@@ -723,16 +721,6 @@ jobs:
          if [ "${REVIEW_HTTP}" -lt 200 ] || [ "${REVIEW_HTTP}" -ge 300 ]; then
            echo "::notice::Failed to request reviewers for cartsnitch/infra PR #${PR_NUM} (HTTP ${REVIEW_HTTP}); continuing"
          fi
-          # CAR-1216: the in-job merge attempt is a best-effort fast-path only.
-          # `cartsnitch/infra` main requires a human approving review (immutable
-          # branch protection); the CI bot (`CI_GITEA_TOKEN`) can never self-
-          # approve, so this merge call structurally cannot succeed in the
-          # general case. Any non-merged outcome (approvals pending, checks
-          # pending, any other Gitea message) is the GitOps approval gate, not
-          # a CI failure — the PR is already opened and `cs_savannah` is
-          # requested as reviewer above. Surface the response as a notice and
-          # exit success. The only hard-fail (`exit 1`) in this step remains
-          # the empty-`PR_NUM` check (PR could not be created at all).
          MERGE_RESP=$(curl -sS -X POST \
            -H "Authorization: token ${CI_GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
@@ -742,6 +730,14 @@ jobs:
          if [ "$MERGED" = "true" ]; then
            echo "PR #${PR_NUM} merged into cartsnitch/infra main"
          else
+            # GitOps approval gate (CAR-1216): the CI bot cannot self-approve
+            # cartsnitch/infra main's required human review, so the in-job
+            # auto-merge is structurally impossible and will always fail with
+            # SOME message (checks-pending, then approvals, then transient
+            # errors). Special-casing individual messages is fragile. The PR
+            # is correctly opened, cs_savannah is requested as reviewer, and
+            # the CTO will backstop-merge — that is the success condition.
+            # Treat every merge-outcome failure as success (exit 0).
            echo "::notice::infra PR #${PR_NUM} opened and awaiting CTO (cs_savannah) approve+merge — GitOps approval gate, not a failure: $MERGE_RESP"
            exit 0
          fi
@@ -1,4 +1,4 @@
-FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f AS builder
+FROM node:22-alpine AS builder
 RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 COPY package.json package-lock.json* ./
@@ -7,7 +7,7 @@ COPY tsconfig.json ./
 COPY src/ src/
 RUN npm run build

-FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
+FROM node:22-alpine
 RUN apk update && apk upgrade --no-cache
 WORKDIR /app
 ENV NODE_ENV=production
@@ -19,18 +19,9 @@ describe('Auth health endpoint', () => {
            }
            res.writeHead(200, { 'Content-Type': 'application/json' });
            res.end(JSON.stringify({ status: 'ok', db: 'reachable' }));
-          } catch (err) {
-            // Mirror src/index.ts: log the error and include the message in the
-            // response body so /health 503s are diagnosable from pod logs.
-            console.error(
-              '[auth /health] DB probe failed:',
-              err instanceof Error ? `${err.name}: ${err.message}` : err,
-            );
-            const detail = err instanceof Error ? err.message : 'unknown error';
+          } catch {
            res.writeHead(503, { 'Content-Type': 'application/json' });
-            res.end(
-              JSON.stringify({ status: 'error', db: 'unreachable', error: detail }),
-            );
+            res.end(JSON.stringify({ status: 'error', db: 'unreachable' }));
          }
          return;
        }
@@ -85,10 +76,7 @@ describe('Auth health endpoint', () => {
    close();

    equal(status, 503);
-    const parsed = JSON.parse(body);
-    equal(parsed.status, 'error');
-    equal(parsed.db, 'unreachable');
-    equal(parsed.error, 'connection refused');
+    equal(body, '{"status":"error","db":"unreachable"}');
  });

  it('returns 503 with db=unreachable when query times out', async () => {
@@ -107,14 +95,7 @@ describe('Auth health endpoint', () => {
    close();

    equal(status, 503);
-    const parsed = JSON.parse(body);
-    equal(parsed.status, 'error');
-    equal(parsed.db, 'unreachable');
-    // The query promise rejects with a synthetic 'timeout' error; the
-    // Promise.race wrapper also rejects with 'DB timeout'. The body should
-    // surface whichever error was thrown — accept either to stay robust.
-    equal(typeof parsed.error, 'string');
-    equal(parsed.error.length > 0, true);
+    equal(body, '{"status":"error","db":"unreachable"}');
  });

  it('returns a terminal response for unknown paths (no hang)', async () => {
@@ -21,19 +21,9 @@ const server = createServer(async (req, res) => {
      }
      res.writeHead(200, { "Content-Type": "application/json" });
      res.end(JSON.stringify({ status: "ok", db: "reachable" }));
-    } catch (err) {
-      // Log the actual error so /health 503s are diagnosable from pod logs
-      // (CAR-1276: UAT auth was crashlooping with no log output beyond the
-      // initial "listening on port 3001" line because this catch was empty).
-      console.error(
-        "[auth /health] DB probe failed:",
-        err instanceof Error ? `${err.name}: ${err.message}` : err,
-      );
-      const detail = err instanceof Error ? err.message : "unknown error";
+    } catch {
      res.writeHead(503, { "Content-Type": "application/json" });
-      res.end(
-        JSON.stringify({ status: "error", db: "unreachable", error: detail }),
-      );
+      res.end(JSON.stringify({ status: "error", db: "unreachable" }));
    }
    return;
  }
@@ -8305,9 +8305,9 @@
      }
    },
    "node_modules/react-router": {
-      "version": "7.16.0",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.16.0.tgz",
-      "integrity": "sha512-wArC8lVyJb3+jM9OpDyW6hLCizACWkvQR/sSGqSs+o5uEXEtGlqdZ4v8hENR3Jad6i+LRkK93q/+bQAcvl6V1A==",
+      "version": "7.14.0",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.14.0.tgz",
+      "integrity": "sha512-m/xR9N4LQLmAS0ZhkY2nkPA1N7gQ5TUVa5n8TgANuDTARbn1gt+zLPXEm7W0XDTbrQ2AJSJKhoa6yx1D8BcpxQ==",
      "license": "MIT",
      "dependencies": {
        "cookie": "^1.0.1",
@@ -8327,12 +8327,12 @@
      }
    },
    "node_modules/react-router-dom": {
-      "version": "7.16.0",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.16.0.tgz",
-      "integrity": "sha512-kMUAbimWB5FVbF4Bce4bJsiKJWLIUHq/mEG8+CFDnCSgltptBiG5nguducmsJeGKytlCvQud9Qhzpn49iduTlA==",
+      "version": "7.14.0",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.14.0.tgz",
+      "integrity": "sha512-2G3ajSVSZMEtmTjIklRWlNvo8wICEpLihfD/0YMDxbWK2UyP5EGfnoIn9AIQGnF3G/FX0MRbHXdFcD+rL1ZreQ==",
      "license": "MIT",
      "dependencies": {
-        "react-router": "7.16.0"
+        "react-router": "7.14.0"
      },
      "engines": {
        "node": ">=20.0.0"