From 692202685228fc8f404a38e8ad952982cf10e570 Mon Sep 17 00:00:00 2001
From: "groombook-engineer[bot]" <3141748+groombook-engineer[bot]@users.noreply.github.com>
Date: Sat, 28 Mar 2026 12:04:54 +0000
Subject: [PATCH 1/4] feat: add cd job to update groombook/infra image tags on main merge (GRO-178)

- Adds `cd` job that runs after `docker` on main branch pushes only
- Uses tibdex/github-app-token to get infra repo push token
- Updates image tags in apps/groombook/base/{api,web,migrate-job,seed-job}.yaml
- Opens auto-merge PR on groombook/infra

Trade-off: deploy-dev continues using kubectl set image directly for PR previews (speed over full GitOps auditability for short-lived previews).

Co-Authored-By: Paperclip
---
 .github/workflows/ci.yml | 79 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 935ab67..59f4bea 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -111,6 +111,8 @@ jobs:
 name: Build & Push Docker Images
 runs-on: ubuntu-latest
 needs: [build, e2e]
+ outputs:
+ tag: ${{ steps.version.outputs.tag }}
 permissions:
 contents: read
 packages: write 
@@ -268,3 +270,80 @@ jobs:
 'Ready for UAT validation.'
 ].join('\n')
 });
+
+ cd:
+ name: Update Infra Image Tags
+ runs-on: ubuntu-latest
+ needs: [docker]
+ if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+ permissions:
+ contents: write
+ pull-requests: write
+ steps:
+ - name: Generate infra repo token
+ id: infra-token
+ uses: tibdex/github-app-token@v2
+ with:
+ app_id: ${{ vars.GH_APP_ID }}
+ private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+ - name: Clone groombook/infra
+ run: |
+ git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra
+
+ - name: Update image tags
+ env:
+ TAG: ${{ needs.docker.outputs.tag }}
+ run: |
+ if [ -z "$TAG" ]; then
+ TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
+ fi
+ echo "Updating image tags to: $TAG"
+
+ cd /tmp/infra
+
+ # Update api.yaml
+ sed -i "s|ghcr.io/groombook/api:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/api:${TAG}|g" apps/groombook/base/api.yaml
+ sed -i "s|groombook.dev/image-version: \"[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*\"|groombook.dev/image-version: \"${TAG}\"|g" apps/groombook/base/api.yaml
+
+ # Update web.yaml
+ sed -i "s|ghcr.io/groombook/web:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/web:${TAG}|g" apps/groombook/base/web.yaml
+ sed -i "s|groombook.dev/image-version: \"[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*\"|groombook.dev/image-version: \"${TAG}\"|g" apps/groombook/base/web.yaml
+
+ # Update migrate-job.yaml
+ sed -i "s|ghcr.io/groombook/migrate:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/migrate:${TAG}|g" apps/groombook/base/migrate-job.yaml
+ sed -i "s|groombook.app/deploy-version: \"[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*\"|groombook.app/deploy-version: \"${TAG}\"|g" apps/groombook/base/migrate-job.yaml
+
+ # Update seed-job.yaml
+ sed -i "s|ghcr.io/groombook/seed:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/seed:${TAG}|g" apps/groombook/base/seed-job.yaml
+ sed -i "s|groombook.app/deploy-version: \"[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*\"|groombook.app/deploy-version: \"${TAG}\"|g" apps/groombook/base/seed-job.yaml
+
+ git -C /tmp/infra diff --stat
+
+ - name: Create PR on groombook/infra
+ env:
+ TAG: ${{ needs.docker.outputs.tag }}
+ GH_TOKEN: ${{ steps.infra-token.outputs.token }}
+ run: |
+ if [ -z "$TAG" ]; then
+ TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
+ fi
+
+ cd /tmp/infra
+ git config user.name "groombook-engineer[bot]"
+ git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
+ git checkout -b "chore/update-image-tags-${TAG}"
+ git add apps/groombook/base/
+ git commit -m "chore: update image tags to ${TAG}"
+
+ git push -u origin "chore/update-image-tags-${TAG}"
+
+ # Create PR with auto-merge
+ gh pr create \
+ --repo groombook/infra \
+ --base main \
+ --head "groombook-engineer[bot]:chore/update-image-tags-${TAG}" \
+ --title "chore: update image tags to ${TAG}" \
+ --body "[GRO-178](/d50d9792/issues/GRO-178) — automated image tag update from main merge" \
+ --auto-merges-branch=main \
+ 2>&1 || echo "PR creation attempted"
-- 
2.52.0

From c1d49b05b274f01bc6e89b4b42110ee2ccf95c46 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Sat, 28 Mar 2026 13:56:12 +0000
Subject: [PATCH 2/4] fix: correct --head branch format and use --enable-auto-merge (GRO-178)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CTO review fixes:
- Remove bogus "groombook-engineer[bot]:" prefix from --head — gh pr create does not use owner:branch syntax when pushing from a cloned repo; just the branch name is needed
- Replace invalid --auto-merges-branch=main flag with --enable-auto-merge (valid gh flag that activates repo auto-merge)

Co-Authored-By: Paperclip
---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 59f4bea..4c87868 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -342,8 +342,8 @@ jobs:
 gh pr create \
 --repo groombook/infra \
 --base main \
- --head "groombook-engineer[bot]:chore/update-image-tags-${TAG}" \
+ --head "chore/update-image-tags-${TAG}" \
 --title "chore: update image tags to ${TAG}" \
 --body "[GRO-178](/d50d9792/issues/GRO-178) — automated image tag update from main merge" \
- --auto-merges-branch=main \
+ --enable-auto-merge \
 2>&1 || echo "PR creation attempted"
-- 
2.52.0

From 0497ed2b5ca67a7a3c06609fa3a324e3f1af1ca1 Mon Sep 17 00:00:00 2001
From: Flea Flicker
Date: Sat, 28 Mar 2026 13:58:49 +0000
Subject: [PATCH 3/4] fix: broaden annotation sed pattern, fix PR body link, remove error swallowing (GRO-178)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CTO review remaining fixes:
- Annotation sed pattern: broaden [a-f0-9]* to [a-zA-Z0-9-]* since migrate-job and seed-job use "groXXX" suffixes (e.g. "2026.03.28-gro177") which contain non-hex letters
- PR body link: fix /d50d9792/issues/GRO-178 → /GRO/issues/GRO-178
- Remove error swallowing: "|| echo" was hiding PR creation failures; let the step fail naturally so CI catches it

Co-Authored-By: Paperclip
---
 .github/workflows/ci.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4c87868..7ce2d64 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -312,11 +312,11 @@ jobs:
 # Update migrate-job.yaml
 sed -i "s|ghcr.io/groombook/migrate:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/migrate:${TAG}|g" apps/groombook/base/migrate-job.yaml
- sed -i "s|groombook.app/deploy-version: \"[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*\"|groombook.app/deploy-version: \"${TAG}\"|g" apps/groombook/base/migrate-job.yaml
+ sed -i "s|groombook.app/deploy-version: \"[a-zA-Z0-9-]*\"|groombook.app/deploy-version: \"${TAG}\"|g" apps/groombook/base/migrate-job.yaml
 # Update seed-job.yaml
 sed -i "s|ghcr.io/groombook/seed:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/seed:${TAG}|g" apps/groombook/base/seed-job.yaml
- sed -i "s|groombook.app/deploy-version: \"[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*\"|groombook.app/deploy-version: \"${TAG}\"|g" apps/groombook/base/seed-job.yaml
+ sed -i "s|groombook.app/deploy-version: \"[a-zA-Z0-9-]*\"|groombook.app/deploy-version: \"${TAG}\"|g" apps/groombook/base/seed-job.yaml
 git -C /tmp/infra diff --stat 
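Review bot: The new character class `[a-zA-Z0-9-]*` in the two added deploy-version `sed -i` lines does not include `.`, so a value of the very form the commit message cites, `"2026.03.28-gro177"`, never matches; sed then exits 0 without touching the file, the annotation stays stale, and the step still reports success. The class needs the dot, `\"[a-zA-Z0-9.-]*\"`, and the step would be safer ending with `if git diff --quiet; then echo "no image tag was updated" >&2; exit 1; fi` so a silent non-match fails the job instead of producing an empty commit attempt later. The image-line seds on the context lines above each change still use `-[a-f0-9]*`; if the image tags in migrate-job.yaml and seed-job.yaml carry the same non-hex suffix (I cannot see those files), `[a-f0-9]*` matches nothing after the `-` and the replacement leaves the old suffix glued onto the new tag, so widen that class to match the annotation pattern and escape the dots (`[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]`) so they stop matching any character. The `run:` block containing these lines starts and ends outside the hunk.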
@@ -344,6 +344,5 @@ jobs:
 --base main \
 --head "chore/update-image-tags-${TAG}" \
 --title "chore: update image tags to ${TAG}" \
- --body "[GRO-178](/d50d9792/issues/GRO-178) — automated image tag update from main merge" \
- --enable-auto-merge \
- 2>&1 || echo "PR creation attempted"
+ --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge" \
+ --enable-auto-merge
-- 
2.52.0

From bffc98efef16f2295e26f87b8d1d63f594a913ff Mon Sep 17 00:00:00 2001
From: "groombook-engineer[bot]" <3141748+groombook-engineer[bot]@users.noreply.github.com>
Date: Sat, 28 Mar 2026 20:32:47 +0000
Subject: [PATCH 4/4] fix(cd): split --enable-auto-merge into separate merge command

CTO review fix: gh pr create does not support --enable-auto-merge flag. Split into two commands: create PR, then gh pr merge with --auto --merge.

Co-Authored-By: Paperclip
---
 .github/workflows/ci.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7ce2d64..6064d9c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -339,10 +339,10 @@ jobs:
 git push -u origin "chore/update-image-tags-${TAG}"
 # Create PR with auto-merge
- gh pr create \
+ PR_URL=$(gh pr create \
 --repo groombook/infra \
 --base main \
 --head "chore/update-image-tags-${TAG}" \
 --title "chore: update image tags to ${TAG}" \
- --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge" \
- --enable-auto-merge
+ --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge")
+ gh pr merge "$PR_URL" --auto --merge
-- 
2.52.0
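Review bot: `gh pr merge "$PR_URL" --auto --merge` on the last added line depends on groombook/infra having "Allow auto-merge" enabled and a ruleset or branch protection on main that gives auto-merge something to wait for; I cannot see that repository's settings from here, so confirm them, because when enabling auto-merge is rejected the step fails after the PR has already been opened and nothing in this step cleans it up (as I read gh, a PR that is already mergeable is merged directly instead). Since the same app identity both opens and merges the PR, whatever review or required-check rule sits on infra's main is the only gate between a green run in this repository and a production manifest change — if that protection is absent, this is a direct write to main with extra steps, so make sure the gate exists and is documented next to this step. Consider adding `--delete-branch` so the `chore/update-image-tags-*` branches do not accumulate, and reword the `# Create PR with auto-merge` comment now that creation and auto-merge are two commands. The `run:` block this hunk edits starts outside the hunk.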