Replace CI deploy job with Flux Image Automation #72

Closed
opened 2026-03-19 21:07:04 +00:00 by ghost · 6 comments
ghost commented 2026-03-19 21:07:04 +00:00 (Migrated from github.com)

Context

PR #71 (CalVer tagging) is merged. CI now pushes CalVer-tagged images to ghcr.io on every main build.

However, the "Update Infra Image Tags" CI job requires INFRA_DEPLOY_TOKEN (a GitHub PAT stored as a repo secret) to push tag updates to groombook/infra. Board directive: no GitHub access tokens, PATs, or PEM files in repo secrets.

The CI job is currently failing on every main push because of this.

Required Changes

1. Remove the "Update Infra Image Tags" CI job

  • Remove the deploy job from the CI workflow in groombook/groombook
  • CI should stop after building and pushing Docker images

2. Set up Flux Image Automation in groombook/infra

Use Flux's native image automation controllers instead of CI-driven infra updates:

  • ImageRepository — point Flux at ghcr.io/groombook/* to scan for new tags
  • ImagePolicy — use a CalVer/semver sort to pick the latest tag
  • ImageUpdateAutomation — auto-commit updated image tags to the infra repo

This is the GitOps-native approach: Flux watches the registry directly, no cross-repo tokens needed.

3. Merge infra#20 as one-time baseline

infra#20 already has CalVer tags. Merge it to set the baseline, then Flux Image Automation handles future updates.

Acceptance Criteria

  • "Update Infra Image Tags" job removed from CI (main builds go green)
  • Flux ImageRepository, ImagePolicy, and ImageUpdateAutomation CRs added to infra repo
  • New CalVer-tagged images are automatically deployed without manual intervention
  • No GitHub tokens stored as repo secrets
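As an added example (not part of this comment and not code from the groombook repositories), here is what the three Flux controllers named above look like for one of the images, together with the setter marker the automation rewrites. The `flux-system` namespace, the `./clusters/production` path, the `GitRepository` named `flux-system` and the `groombook` namespace are assumptions. One caveat a practitioner should weigh: Flux ships no CalVer policy, so the date prefix of the `YYYY.MM.DD-<sha>` tag is extracted and sorted as a string, which cannot distinguish two builds pushed on the same day.

```yaml
# Added example, not from groombook/infra. Names and paths are assumptions.
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageRepository
metadata:
  name: api
  namespace: flux-system
spec:
  image: ghcr.io/groombook/api
  interval: 5m
  # Needed only if the GHCR package is private: a docker-registry Secret
  # holding a read-only pull credential, kept in the cluster rather than
  # as a CI repo secret.
  # secretRef:
  #   name: ghcr-pull
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImagePolicy
metadata:
  name: api
  namespace: flux-system
spec:
  imageRepositoryRef:
    name: api
  # Only tags of the CalVer form YYYY.MM.DD-<sha> are candidates; anything
  # else pushed to the package (e.g. "latest" or a PR build) is ignored.
  filterTags:
    pattern: '^(?P<date>[0-9]{4}\.[0-9]{2}\.[0-9]{2})-[0-9a-f]{7,40}$'
    extract: '$date'
  # The extracted date sorts correctly as a string, so alphabetical/asc
  # selects the newest day. Two builds on the same day extract the same
  # value and the policy cannot tell them apart.
  policy:
    alphabetical:
      order: asc
---
apiVersion: image.toolkit.fluxcd.io/v1beta2
kind: ImageUpdateAutomation
metadata:
  name: flux-system
  namespace: flux-system
spec:
  interval: 10m
  # Pushes use the credential referenced by the GitRepository (a deploy key
  # stored as a Secret in the cluster); no CI-side PAT is involved.
  sourceRef:
    kind: GitRepository
    name: flux-system
  git:
    checkout:
      ref:
        branch: main
    commit:
      author:
        name: fluxcdbot
        email: fluxcdbot@users.noreply.github.com
      messageTemplate: 'chore: update image tags'
    push:
      branch: main
  update:
    path: ./clusters/production
    strategy: Setters
---
# Workload manifest with the setter marker. The automation rewrites only the
# value to the left of the comment, for the policy named inside it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: groombook
spec:
  selector:
    matchLabels: {app: api}
  template:
    metadata:
      labels: {app: api}
    spec:
      containers:
        - name: api
          image: ghcr.io/groombook/api:2026.03.19-ea54506 # {"$imagepolicy": "flux-system:api"}
```

The write credential does not disappear with this design; it moves from a CI repo secret to a Kubernetes Secret in the cluster, scoped by the `GitRepository` to the infra repo alone, and the `filterTags` pattern is what keeps an unexpected tag in the registry from being promoted.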
ghost commented 2026-03-19 21:11:29 +00:00 (Migrated from github.com)

All three parts of this issue are now addressed:

  1. Remove deploy job from CI — PR #73 removes the "Update Infra Image Tags" job and the INFRA_DEPLOY_TOKEN dependency
  2. Flux Image Automation CRs — infra PR groombook/infra#21 adds ImageRepository, ImagePolicy, and ImageUpdateAutomation resources for all 4 images (api, web, migrate, seed)
  3. Merge infra#20 (CalVer baseline) — already merged ✓

Once PRs #73 and infra#21 are merged:

  • CI will stop after pushing Docker images (no more cross-repo token needed)
  • Flux will watch ghcr.io/groombook/* for new CalVer tags and auto-commit updates to the infra repo
  • No GitHub tokens stored as repo secrets
ghost commented 2026-03-19 21:56:21 +00:00 (Migrated from github.com)

Revised approach — explicit image tag updates

Board feedback: Flux Image Automation (registry polling) is not the desired approach. We need explicit image tag updates when a new build is released.

Revised plan

What stays:

  • PR #73 (removing the deploy job from CI) — correct, we don't want the token-dependent deploy job
  • CalVer tagging — correct, images are tagged with YYYY.MM.DD-<sha>

What changes:

  1. Revert Flux Image Automation CRs — remove ImageRepository, ImagePolicy, and ImageUpdateAutomation from groombook/infra (revert infra#21). Flux should not be polling the registry.
  2. Explicit 2-step deployment process:
    • Step 1: CI builds and pushes CalVer-tagged images to ghcr.io (already works)
    • Step 2: After a successful build, the CTO agent updates the image tags in groombook/infra manifests and opens a PR. This uses the existing GitHub App auth (no stored tokens/PATs).

This gives us explicit control over deployments while staying compliant with the no-tokens-in-secrets directive.

Acceptance criteria (revised)

  • Flux Image Automation CRs removed from infra repo
  • Image tag setter markers ($imagepolicy) removed from manifests
  • After CI builds, CTO explicitly updates infra image tags via PR
  • No GitHub tokens stored as repo secrets
  • No Flux registry polling
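As an added example (not part of this comment and not code from groombook/infra), one way to lay out the infra repo so that the explicit step 2 PR is a single block change rather than an edit to each manifest: the Kustomize `images` transformer carries the tag, the workload manifests keep the bare image name with no `$imagepolicy` marker, and the Flux Kustomization reconciles the rendered result from Git only. The `./clusters/production` path, the `groombook-production` name and the `flux-system` GitRepository are assumptions; the tag is the one quoted later in this issue.

```yaml
# Added example, not from groombook/infra. Path and resource names are
# assumptions; the image tag value is the one quoted in this issue.
---
# clusters/production/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - api.yaml
  - web.yaml
  - migrate-job.yaml
  - seed-job.yaml
# The manifests above reference ghcr.io/groombook/<name> without a setter
# marker. The deploy PR changes only the newTag values below.
images:
  - name: ghcr.io/groombook/api
    newTag: 2026.03.19-ea54506
  - name: ghcr.io/groombook/web
    newTag: 2026.03.19-ea54506
  - name: ghcr.io/groombook/migrate
    newTag: 2026.03.19-ea54506
  - name: ghcr.io/groombook/seed
    newTag: 2026.03.19-ea54506
    # Registry tags are mutable. To pin the exact artifact CI pushed, use
    # the manifest digest from the push step in place of newTag:
    # digest: sha256:<digest-from-ci-push-output>   # placeholder
---
# Flux reconciles the rendered overlay after the PR is merged. There is no
# ImageRepository or ImagePolicy here, so nothing polls the registry.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: groombook-production
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/production
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # Report the reconciliation as failed if the new images do not become
  # ready, instead of leaving a half-rolled deployment marked healthy.
  wait: true
  timeout: 5m
```

Before opening the PR, `kustomize build clusters/production | grep 'image:'` shows the four rendered image references and confirms every one resolves to the intended tag, which is the check a reviewer of the deploy PR would otherwise have to do by hand across four files.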
ghost commented 2026-03-19 22:07:32 +00:00 (Migrated from github.com)

Flux Image Automation reverted per board feedback (infra#22 merged).

Current state:

  • CI deploy job removed (groombook#73 ✓) — no more INFRA_DEPLOY_TOKEN dependency
  • Flux Image Automation removed (infra#22 ✓) — no registry polling
  • CalVer tags in place (infra#20 ✓) — manifests use YYYY.MM.DD-<sha> format

Remaining: image tag updates in groombook/infra will be done explicitly via PR after CI builds new images. This is the 2-step process the board approved.

ghost commented 2026-03-19 23:12:50 +00:00 (Migrated from github.com)

Reopening — deployment not complete

The pipeline changes are done (deploy job removed, Flux Image Automation reverted, CalVer baseline in place), but no actual deployment has been triggered. The app is still running old images.

Remaining work:

  • Determine the latest CalVer image tag from the most recent successful CI build on main
  • Update all image tags in groombook/infra manifests to point to that tag
  • Open a PR in groombook/infra with the updated tags

This is the "step 2" of the explicit deployment process. Assigning to CTO.

ghost commented 2026-03-19 23:43:39 +00:00 (Migrated from github.com)

Deploy PR opened

Opened groombook/infra#23 to update all image tags to 2026.03.19-ea54506 (latest successful main build).

Files updated:

  • api.yaml — api image + annotation
  • web.yaml — web image + annotation
  • migrate-job.yaml — migrate image
  • seed-job.yaml — seed image

Once merged, Flux will reconcile and deploy the new images. This completes the explicit 2-step deployment process.

ghost commented 2026-03-19 23:46:40 +00:00 (Migrated from github.com)

All deployment work complete:

  • CI deploy job removed (PR #73)
  • Flux Image Automation reverted (infra#22)
  • CalVer tagging in place (infra#20)
  • Latest images deployed: infra#23 merged — all manifests now at 2026.03.19-ea54506

The 2-step deployment process is working as designed.


Reference: groombook/app#72