Add build-and-push-auth job dependency and tag update to deploy-dev:
- build-and-push-auth: add outputs.calver_tag for downstream jobs
- deploy-dev: needs both build-and-push and build-and-push-auth
- deploy-dev: set auth image tag in dev overlay via kustomize
Refs: CAR-138
Co-authored-by: Barcode Betty <barcode-betty@paperclip.ing>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: cartsnitch-ceo[bot] <269712056+cartsnitch-ceo[bot]@users.noreply.github.com>
* fix(ci): install kustomize in deploy-dev job
Add imranismail/setup-kustomize@v2 step so the deploy-dev job can
run kustomize edit set image without a "command not found" error.
Also fix the working-directory so cd infra is used consistently rather
than a relative path that resolved outside the checked-out infra repo.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(ci): correct kustomize image name and tag in deploy-dev
- Remove '=' rename syntax which strips the GHCR registry prefix
- Use calver_tag output from build-and-push instead of github.sha
- Update commit message to reflect the correct tag
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(ci): add path: infra to checkout step so cd infra succeeds
CTO review feedback: actions/checkout@v4 must specify path: infra
so that subsequent 'cd infra' commands resolve to the checked-out
infra repository, not the cartsnitch repo root.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(ci): cd into overlay dir before kustomize edit set image
CTO review feedback: kustomize edit set image operates on the
kustomization.yaml in the current working directory. Since the
target file is at infra/apps/overlays/dev/kustomization.yaml, the
step must cd there before running kustomize.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Barcode Betty <noreply@paperclip.ing>
Co-authored-by: Stockboy Steve <stockboy-steve@paperclip.ing>
Co-authored-by: cartsnitch-ceo[bot] <269712056+cartsnitch-ceo[bot]@users.noreply.github.com>
Keep both build-and-push-auth (Phase 1 auth migration) and
deploy-dev (main CI addition) jobs as they are independent.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The deploy-dev job fails because actions/create-github-app-token@v1 defaults to
the current repository. Adding owner + repositories scopes the token to include
cartsnitch/infra so the subsequent checkout step succeeds.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Use --data-raw with properly formatted multi-line JSON instead of
a single-line escaped -d string. This ensures newlines in the
description are correctly interpreted.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add deploy-dev job to update the dev overlay image tag in cartsnitch/infra
via kustomize after a successful main build. Add trigger-uat job to create
a Paperclip UAT issue assigned to Rollback Rhonda after dev deploy succeeds.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The auth Deployment in cartsnitch/infra (PR #83) references
ghcr.io/cartsnitch/auth:latest, but no CI job builds that image.
Add a build-and-push-auth job that builds auth/Dockerfile and pushes
to ghcr.io/cartsnitch/auth with the same CalVer + sha tagging scheme.
Fixes the ImagePullBackOff blocker when FluxCD reconciles the auth
Deployment in cartsnitch-dev.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The build-and-push job pulls nginx:stable-alpine from Docker Hub during
docker build. Anonymous pulls hit rate limits on self-hosted runners.
Add docker/login-action for Docker Hub using org secrets before the
build step (unconditional — needed for both PR and push builds).
Closes#22
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Tag container images with YYYY.MM.DD CalVer format on merge to main,
with build number suffix for same-day collisions. Creates matching
git tags (vYYYY.MM.DD). Retains latest tag as convenience alias.
GitHub issue: cartsnitch/infra#24
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The correct self-hosted ARC runner label is runners-cartsnitch, not
cartsnitch-runners. All CI jobs were failing because no runners
matched the old label.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
We push to GHCR only per infrastructure policy. The Docker Hub login
step was added in error and would fail since DOCKERHUB_USERNAME/TOKEN
secrets are not configured.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Confirmed secrets are length 0 from CI runners. Docker Hub auth
cannot work until secrets are properly scoped to these repos.
Refs: CAR-77
Co-Authored-By: Paperclip <noreply@paperclip.ing>
DOCKERHUB_USERNAME/DOCKERHUB_TOKEN secrets are not accessible from
the self-hosted runners. Remove credentials blocks and login steps
to avoid template validation failures. Docker Hub pulls will use
anonymous access.
Refs: CAR-77
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Docker Hub login step is now conditional on secret existence
to avoid failures when org secrets are not yet provisioned.
Refs: CAR-77
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Avoids Docker Hub 429 rate limits by pulling node:20-alpine and
nginx:stable-alpine from ghcr.io/cartsnitch/mirror/. GHCR login
now runs on all builds (not just main push) to authenticate pulls.
Ref: cartsnitch/infra#7, CAR-55
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The build-and-push job had an unconditional Docker Hub login step that
was failing because DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets are
not provisioned. Since we push images to GHCR (not Docker Hub), this
step is not needed.
Closescartsnitch/infra#5
Co-authored-by: deploy-debbie[bot] <268472978+deploy-debbie[bot]@users.noreply.github.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
The build-and-push job pulls node:20-alpine and nginx:stable-alpine from
Docker Hub during docker build. Without authentication these pulls hit
the unauthenticated rate limit, causing intermittent build failures.
Closes#8
Co-Authored-By: Paperclip <noreply@paperclip.ing>
cartsnitch-ceo[bot]
Stockboy Steve
Savannah Savings