From 0d610f5114d079102778f624e95f19fbc2fb7a9c Mon Sep 17 00:00:00 2001
From: "groombook-engineer[bot]"
 <269742240+groombook-engineer[bot]@users.noreply.github.com>
Date: Tue, 31 Mar 2026 02:29:35 +0000
Subject: [PATCH] fix(ci): use unique Job names per deploy to prevent Flux
 immutability errors (GRO-311)

Since Kubernetes Job spec.template is immutable, Flux cannot update a
completed Job with a new image tag. This change ensures the CI workflow
updates both the image newTag AND the Job metadata.name to include the
short SHA (e.g., migrate-schema-026a2c8), making each deploy's Job
unique and allowing Flux to reconcile consecutive deploys without
immutable field errors.

Co-authored-by: Barkley Trimsworth <barkley@groombook.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/ci.yml | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dd48fc6..08f9243 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -309,17 +309,39 @@ jobs:
       - name: Update dev overlay image tags
         env:
           TAG: ${{ needs.docker.outputs.tag }}
+          SHA: ${{ github.sha }}
         run: |
           if [ -z "$TAG" ]; then
             TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
           fi
+          SHORT_SHA="${SHA::7}"
           echo "Updating dev overlay image tags to: $TAG"
+          echo "Updating migration/seed Job names with SHA: $SHORT_SHA"
           cd /tmp/infra
           DEV_KUST="apps/groombook/overlays/dev/kustomization.yaml"
           yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
           yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$DEV_KUST"
           yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
           yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
+
+          # Update migrate Job name to include short SHA (immutable template fix)
+          MIGRATE_JOB="apps/groombook/base/migrate-job.yaml"
+          if [ -f "$MIGRATE_JOB" ]; then
+            yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
+            yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
+            # Ensure ttlSecondsAfterFinished is set for automatic cleanup
+            yq -i '.spec.ttlSecondsAfterFinished //= 86400' "$MIGRATE_JOB"
+          fi
+
+          # Update seed Job name to include short SHA (immutable template fix)
+          SEED_JOB="apps/groombook/base/seed-job.yaml"
+          if [ -f "$SEED_JOB" ]; then
+            yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
+            yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB"
+            # Ensure ttlSecondsAfterFinished is set for automatic cleanup
+            yq -i '.spec.ttlSecondsAfterFinished //= 86400' "$SEED_JOB"
+          fi
+
           git -C /tmp/infra diff --stat
 
       - name: Create PR on groombook/infra
@@ -335,8 +357,8 @@ jobs:
           git config user.name "groombook-engineer[bot]"
           git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
           git checkout -b "chore/update-image-tags-${TAG}"
-          git add apps/groombook/overlays/dev/
-          git commit -m "chore: update image tags to ${TAG}"
+          git add apps/groombook/overlays/dev/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml
+          git commit -m "chore: update image tags and migration/seed Job names to ${TAG}"
 
           git push -u origin "chore/update-image-tags-${TAG}"