From 04529666fc51509722381a3b41ae9891118789d3 Mon Sep 17 00:00:00 2001 From: Barcode Betty Date: Sun, 7 Jun 2026 11:28:41 +0000 Subject: [PATCH] fix(ci): deploy jobs compute sha tag from $GITHUB_SHA (CAR-1316, CAR-1195) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The four `build-and-push*` jobs declared a job-level output `sha_tag: sha-${{ github.sha }}` (literal prefix concatenated with an expression). Gitea Actions does NOT substitute ${{ github.sha }} inside that concatenated value, so the literal string `sha-${{ github.sha }}` propagated into needs..outputs.sha_tag. Each deploy job's 'Determine image tag' step then expanded `echo "tag=${{ needs..outputs.sha_tag }}" >> "$GITHUB_OUTPUT"` into `echo "tag=sha-${{ github.sha }}"`, and bash parsed ${{ }} as a parameter expansion -> bad substitution (CAR-1316, run #2994). Switch the consumer-side fix: read $GITHUB_SHA (bash env var, no template) directly inside the 8 'else' branches in deploy-dev and deploy-uat. Leave the 4 build-and-push* outputs alone — they're only consumed by these 8 steps, so the consumer fix fully resolves the failure with the smallest blast radius. Refs: CAR-1316, CAR-1195, CAR-1194. --- .gitea/workflows/ci.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index f94d2fb..8aea637 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -488,7 +488,7 @@ jobs: if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT" fi - name: Update frontend image tag @@ -503,7 +503,7 @@ jobs: if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT" fi - name: Update receiptwitness image tag @@ -518,7 +518,7 @@ jobs: if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT" fi - name: Update api image tag @@ -533,7 +533,7 @@ jobs: if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT" fi - name: Update auth image tag @@ -634,7 +634,7 @@ jobs: if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ needs.build-and-push.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT" fi - name: Update frontend image tag @@ -649,7 +649,7 @@ jobs: if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push-receiptwitness.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ needs.build-and-push-receiptwitness.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT" fi - name: Update receiptwitness image tag @@ -664,7 +664,7 @@ jobs: if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push-api.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ needs.build-and-push-api.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT" fi - name: Update api image tag @@ -679,7 +679,7 @@ jobs: if [ "${{ github.ref }}" == "refs/heads/main" ]; then echo "tag=${{ needs.build-and-push-auth.outputs.calver_tag }}" >> "$GITHUB_OUTPUT" else - echo "tag=${{ needs.build-and-push-auth.outputs.sha_tag }}" >> "$GITHUB_OUTPUT" + echo "tag=sha-${GITHUB_SHA}" >> "$GITHUB_OUTPUT" fi - name: Update auth image tag