From 6819bff2bf52395092c7c11fc6be5232facd2c9e Mon Sep 17 00:00:00 2001 From: Paperclip Date: Sat, 4 Apr 2026 13:16:19 +0000 Subject: [PATCH 1/2] fix(api): use correct schema in POST /admin/auth-provider/test (GRO-454) Switch the test endpoint from putAuthProviderSchema.omit({ clientSecret }) (which requires providerId, displayName, clientId, scopes) to the minimal authProviderTestSchema (issuerUrl, internalBaseUrl?) that matches what the Settings.tsx frontend actually sends. Co-Authored-By: Paperclip --- apps/api/src/routes/authProvider.ts | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apps/api/src/routes/authProvider.ts b/apps/api/src/routes/authProvider.ts index 4467afa..e53e909 100644 --- a/apps/api/src/routes/authProvider.ts +++ b/apps/api/src/routes/authProvider.ts @@ -19,6 +19,12 @@ const putAuthProviderSchema = z.object({ scopes: z.string().default("openid profile email"), }); +/** Minimal schema for the test endpoint — only issuer/internal URLs are needed for OIDC discovery. */ +const authProviderTestSchema = z.object({ + issuerUrl: z.string().url(), + internalBaseUrl: z.string().url().nullable().optional(), +}); + /** * GET /api/admin/auth-provider * Returns the current provider config with clientSecret redacted. @@ -131,7 +137,7 @@ let encryptedSecret: string; authProviderRouter.post( "/test", requireSuperUser(), - zValidator("json", putAuthProviderSchema.omit({ clientSecret: true })), + zValidator("json", authProviderTestSchema), async (c) => { const body = c.req.valid("json"); From 90ad46f0d5968f1d8ad73e91fc5113eae236a0e7 Mon Sep 17 00:00:00 2001 
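Review bot: `z.string().url()` in `authProviderTestSchema` accepts any URL scheme, and per the added comment these two fields drive OIDC discovery, so the server presumably makes an outbound request to whatever value a caller supplies. `requireSuperUser()` limits who can reach the route, but restricting both fields to http(s) keeps the endpoint from being pointed at other schemes, e.g. `issuerUrl: z.string().url().refine((u) => /^https?:\/\//i.test(u), "must be http(s)")`. Whether loopback or link-local hosts should also be rejected depends on how `internalBaseUrl` is meant to be used. The handler body is outside this hunk, so confirm there.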
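Review bot: The validator on `/test` now relies on a second, hand-written definition of `issuerUrl` and `internalBaseUrl`, so any rule later added to those fields in `putAuthProviderSchema` will not apply to the test endpoint. If `putAuthProviderSchema` declares both fields (its full definition is outside the hunk), deriving the schema keeps the two in step: `zValidator("json", putAuthProviderSchema.pick({ issuerUrl: true, internalBaseUrl: true }))`. The handler continues past the end of the hunk, so also check that it reads nothing from `body` beyond these two keys.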
From: Flea Flicker Date: Sun, 5 Apr 2026 11:14:17 +0000 Subject: [PATCH 2/2] fix(ci): rename base Jobs in promote-to-uat and promote-prod workflows (GRO-311) Both workflows now update base migration/seed Job names with short SHA extracted from the image tag, matching the dev CI cd job pattern. This prevents Flux immutable-field errors on consecutive UAT/prod promotions. Co-Authored-By: Paperclip --- .github/workflows/promote-prod.yml | 26 ++++++++++++++++++++++++-- .github/workflows/promote-to-uat.yml | 24 ++++++++++++++++++++++-- 2 files changed, 46 insertions(+), 4 deletions(-) diff --git a/.github/workflows/promote-prod.yml b/.github/workflows/promote-prod.yml index 65cd94c..e890112 100644 --- a/.github/workflows/promote-prod.yml +++ b/.github/workflows/promote-prod.yml 
@@ -31,16 +31,38 @@ jobs: sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 sudo chmod +x /usr/local/bin/yq - - name: Update prod overlay image tags + - name: Update prod overlay image tags and base Job names env: TAG: ${{ inputs.tag }} run: | cd /tmp/infra PROD_KUST="apps/groombook/overlays/prod/kustomization.yaml" + + SHORT_SHA="${TAG##*-}" + export SHORT_SHA + export TAG + yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$PROD_KUST" yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$PROD_KUST" yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$PROD_KUST" yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$PROD_KUST" + + # Update migrate Job name to include short SHA (immutable template fix) + MIGRATE_JOB="apps/groombook/base/migrate-job.yaml" + if [ -f "$MIGRATE_JOB" ]; then + yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB" + yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB" + yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$MIGRATE_JOB" + fi + + # Update seed Job name to include short SHA (immutable template fix) + SEED_JOB="apps/groombook/base/seed-job.yaml" + if [ -f "$SEED_JOB" ]; then + yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB" + yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB" + yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$SEED_JOB" + fi + git -C /tmp/infra diff --stat - name: Create PR on groombook/infra 
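Review bot: `SHORT_SHA="${TAG##*-}"` becomes a Job name suffix with no check on its shape. When `TAG` contains no `-` the expansion returns the whole tag, and uppercase letters or `_` would produce a `metadata.name` that Kubernetes rejects. That failure would surface when Flux applies the manifest rather than in this workflow. Assuming the suffix is meant to be a hex commit SHA, a guard right after the assignment fails early: `[[ "$SHORT_SHA" =~ ^[0-9a-f]{7,40}$ ]] || { echo "unexpected tag format: $TAG" >&2; exit 1; }`. The promote-to-uat hunk derives `SHORT_SHA` the same way; a check precedes it there, but its condition is outside that hunk.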
@@ -52,7 +74,7 @@ jobs: git config user.name "groombook-engineer[bot]" git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com" git checkout -b "release/promote-prod-${TAG}" - git add apps/groombook/overlays/prod/ + git add apps/groombook/overlays/prod/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml git commit -m "release: promote ${TAG} to production" git push -u origin "release/promote-prod-${TAG}" gh pr create \ diff --git a/.github/workflows/promote-to-uat.yml b/.github/workflows/promote-to-uat.yml index 587e749..c0ccff9 100644 --- a/.github/workflows/promote-to-uat.yml +++ b/.github/workflows/promote-to-uat.yml @@ -32,7 +32,7 @@ jobs: sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 sudo chmod +x /usr/local/bin/yq - - name: Update UAT overlay image tags + - name: Update UAT overlay image tags and base Job names env: TAG: ${{ inputs.image_tag }} run: | 
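Review bot: The `git add` line now names `apps/groombook/base/migrate-job.yaml` and `apps/groombook/base/seed-job.yaml` explicitly, while the preceding step treats both files as optional with `if [ -f ... ]`. If either file is absent, `git add` exits with a pathspec error and the step fails after the overlay has already been edited, so the two steps disagree about whether the files are required. Either drop the `-f` guards and fail with a clear message, or stage the directory instead: `git add apps/groombook/overlays/prod/ apps/groombook/base/`. The promote-to-uat hunks have the same pairing, and the step's `gh pr create` call continues outside this hunk.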
@@ -45,11 +45,31 @@ jobs: exit 1 fi + SHORT_SHA="${TAG##*-}" + export SHORT_SHA + export TAG + yq -i '(.images[] | select(.name == "ghcr.io/groombook/api")).newTag = env(TAG)' "$UAT_KUST" yq -i '(.images[] | select(.name == "ghcr.io/groombook/web")).newTag = env(TAG)' "$UAT_KUST" yq -i '(.images[] | select(.name == "ghcr.io/groombook/migrate")).newTag = env(TAG)' "$UAT_KUST" yq -i '(.images[] | select(.name == "ghcr.io/groombook/seed")).newTag = env(TAG)' "$UAT_KUST" + # Update migrate Job name to include short SHA (immutable template fix) + MIGRATE_JOB="apps/groombook/base/migrate-job.yaml" + if [ -f "$MIGRATE_JOB" ]; then + yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB" + yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB" + yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$MIGRATE_JOB" + fi + + # Update seed Job name to include short SHA (immutable template fix) + SEED_JOB="apps/groombook/base/seed-job.yaml" + if [ -f "$SEED_JOB" ]; then + yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB" + yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB" + yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$SEED_JOB" + fi + git -C /tmp/infra diff --stat - name: Create PR on groombook/infra @@ -61,7 +81,7 @@ jobs: git config user.name "groombook-engineer[bot]" git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com" git checkout -b "chore/update-uat-image-tags-${TAG}" - git add apps/groombook/overlays/uat/ + git add apps/groombook/overlays/uat/ apps/groombook/base/migrate-job.yaml apps/groombook/base/seed-job.yaml git commit -m "chore: promote ${TAG} to UAT" git push -u origin "chore/update-uat-image-tags-${TAG}"
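Review bot: The added `yq -i` calls rewrite base Job manifests that are then committed to groombook/infra, yet the yq binary they run is fetched from `releases/latest` with no version pin or checksum (visible in the context lines of the promote-prod hunk and the first promote-to-uat hunk). Because these edits now reach `apps/groombook/base/` rather than a single overlay, pinning is worth doing. Download from `.../releases/download/<PINNED_VERSION>/yq_linux_amd64` and verify it with `echo "<EXPECTED_SHA256>  /usr/local/bin/yq" | sha256sum -c -` before the `chmod +x`. Both workflows share the install step, so the change applies to each.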