From 4c1207a5ae368dd70ab38bba2a6ae1e5bd8b9f20 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Fri, 10 Apr 2026 04:59:56 +0000 Subject: [PATCH 1/5] chore: update migrate and seed Job image tags during UAT promotion Previously the Kustomize images transformer was not overriding the hardcoded image tags in migrate-job.yaml and seed-job.yaml (base/ containers), causing UAT deployments to use stale image tags. This change adds explicit yq updates to set the correct image tag on both Job containers during promotion. Fixes: groombook/groombook#247 --- .github/workflows/promote-to-uat.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/promote-to-uat.yml b/.github/workflows/promote-to-uat.yml index a1a79d4..22d99e5 100644 --- a/.github/workflows/promote-to-uat.yml +++ b/.github/workflows/promote-to-uat.yml @@ -59,6 +59,7 @@ jobs: if [ -f "$MIGRATE_JOB" ]; then yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB" yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB" + yq -i '.spec.template.spec.containers[0].image = "ghcr.io/groombook/migrate:" + env(TAG)' "$MIGRATE_JOB" fi # Update seed Job name to include short SHA (immutable template fix) @@ -66,10 +67,30 @@ jobs: if [ -f "$SEED_JOB" ]; then yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB" yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB" + yq -i '.spec.template.spec.containers[0].image = "ghcr.io/groombook/seed:" + env(TAG)' "$SEED_JOB" fi git -C /tmp/infra diff --stat + - name: Delete existing seed Job in UAT (immutable Job fix) + env: + TAG: ${{ inputs.image_tag }} + GH_TOKEN: ${{ steps.infra-token.outputs.token }} + run: | + cd /tmp/infra + SHORT_SHA="${TAG##*-}" + SEED_JOB_NAME="seed-test-data-${SHORT_SHA}" + + echo "Deleting existing seed Job: ${SEED_JOB_NAME} in groombook-uat namespace" + + gcloud container clusters get-credentials groombook-uat --zone us-central1 --project groombook-424212 2>/dev/null || \ + kubectl config view --minify --raw 2>/dev/null || true + + kubectl delete job/${SEED_JOB_NAME} -n groombook-uat --ignore-not-found=true 2>/dev/null || \ + echo "Direct kubectl delete skipped (GitOps-only). Flux will reconcile after PR merge." + + echo "Job deletion complete. Flux will reconcile the new manifest after PR merge." + - name: Create PR on groombook/infra env: TAG: ${{ inputs.image_tag }} -- 2.52.0 From 0c135ac580d4c8e7facc846880495bcd6a8a8ef1 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Fri, 10 Apr 2026 05:12:54 +0000 Subject: [PATCH 2/5] Revert "chore: update migrate and seed Job image tags during UAT promotion" image update for seed The hardcoded image update for seedJob conflicts with Kustomize images transformer override. Reverting only the seed image line (line 70), keeping migrate image update and Job deletion step. Root cause: Kustomize images transformer correctly overrides ghcr.io/groombook/seed when newTag is set in UAT overlay. Overwriting the container[0].image directly in the workflow causes the old tag (2026.04.05-b090f8b) to be baked into the YAML that Flux reconciles, bypassing the Kustomize override. Fix: groombook/groombook#247 Co-Authored-By: Paperclip --- .github/workflows/promote-to-uat.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/promote-to-uat.yml b/.github/workflows/promote-to-uat.yml index 22d99e5..a82ae46 100644 --- a/.github/workflows/promote-to-uat.yml +++ b/.github/workflows/promote-to-uat.yml @@ -67,7 +67,6 @@ jobs: if [ -f "$SEED_JOB" ]; then yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB" yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB" - yq -i '.spec.template.spec.containers[0].image = "ghcr.io/groombook/seed:" + env(TAG)' "$SEED_JOB" fi git -C /tmp/infra diff --stat -- 2.52.0 From 916a2071d983757d7bd9930100da12dfae9e9e21 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Fri, 10 Apr 2026 06:05:41 +0000 Subject: [PATCH 3/5] fix: update seed job image tag in promote-to-uat workflow The workflow was not updating the seed job image tag when promoting to UAT, causing Flux to apply a stale image. Now it updates the image like it does for the migrate job. Co-Authored-By: Paperclip --- .github/workflows/promote-to-uat.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/promote-to-uat.yml b/.github/workflows/promote-to-uat.yml index a82ae46..a38d6a7 100644 --- a/.github/workflows/promote-to-uat.yml +++ b/.github/workflows/promote-to-uat.yml @@ -62,11 +62,12 @@ jobs: yq -i '.spec.template.spec.containers[0].image = "ghcr.io/groombook/migrate:" + env(TAG)' "$MIGRATE_JOB" fi - # Update seed Job name to include short SHA (immutable template fix) + # Update seed Job name to include short SHA and update image tag (immutable template fix) SEED_JOB="apps/groombook/base/seed-job.yaml" if [ -f "$SEED_JOB" ]; then yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB" yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB" + yq -i '.spec.template.spec.containers[0].image = "ghcr.io/groombook/seed:" + env(TAG)' "$SEED_JOB" fi git -C /tmp/infra diff --stat -- 2.52.0 From 7f405ccc67bfbd6e145b73500379e3fd6619e7c6 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Fri, 10 Apr 2026 06:07:22 +0000 Subject: [PATCH 4/5] fix: remove dead kubectl delete step from promote-to-uat workflow The CTO correctly identified that the delete step was dead code: - gcloud/kubectl silently fail in the runner (no GKE credentials) - Architecturally wrong for GitOps (Flux handles reconciliation) - Unique Job names + ttlSecondsAfterFinished handle lifecycle Co-Authored-By: Paperclip --- .github/workflows/promote-to-uat.yml | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/.github/workflows/promote-to-uat.yml b/.github/workflows/promote-to-uat.yml index a38d6a7..6aed17e 100644 --- a/.github/workflows/promote-to-uat.yml +++ b/.github/workflows/promote-to-uat.yml @@ -72,25 +72,6 @@ jobs: git -C /tmp/infra diff --stat - - name: Delete existing seed Job in UAT (immutable Job fix) - env: - TAG: ${{ inputs.image_tag }} - GH_TOKEN: ${{ steps.infra-token.outputs.token }} - run: | - cd /tmp/infra - SHORT_SHA="${TAG##*-}" - SEED_JOB_NAME="seed-test-data-${SHORT_SHA}" - - echo "Deleting existing seed Job: ${SEED_JOB_NAME} in groombook-uat namespace" - - gcloud container clusters get-credentials groombook-uat --zone us-central1 --project groombook-424212 2>/dev/null || \ - kubectl config view --minify --raw 2>/dev/null || true - - kubectl delete job/${SEED_JOB_NAME} -n groombook-uat --ignore-not-found=true 2>/dev/null || \ - echo "Direct kubectl delete skipped (GitOps-only). Flux will reconcile after PR merge." - - echo "Job deletion complete. Flux will reconcile the new manifest after PR merge." - - name: Create PR on groombook/infra env: TAG: ${{ inputs.image_tag }} -- 2.52.0 From 5b4562d5d76439749dd16edd1a9dabf2b4d4b020 Mon Sep 17 00:00:00 2001 From: Flea Flicker Date: Fri, 10 Apr 2026 10:36:42 +0000 Subject: [PATCH 5/5] fix: let Kustomize images transformer set seed/migrate image tags The promote-to-uat workflow was bypassing the Kustomize images transformer by hardcoding image tags directly on the Job spec containers. Since Jobs use immutable templates, Flux cannot update a running Job's pod template when the image tag changes. Instead, let the UAT overlay's images: newTag field handle tag injection via the images transformer, which correctly produces the updated image reference in the rendered manifest before Flux reconciles it. This reverts the explicit image tag writes added in 916a207 for migrate and seed, while keeping the Job name (with short SHA) and deploy-version annotation updates which are correctly handled separately. Co-Authored-By: Paperclip --- .github/workflows/promote-to-uat.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/promote-to-uat.yml b/.github/workflows/promote-to-uat.yml index 6aed17e..083e013 100644 --- a/.github/workflows/promote-to-uat.yml +++ b/.github/workflows/promote-to-uat.yml @@ -59,15 +59,15 @@ jobs: if [ -f "$MIGRATE_JOB" ]; then yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB" yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB" - yq -i '.spec.template.spec.containers[0].image = "ghcr.io/groombook/migrate:" + env(TAG)' "$MIGRATE_JOB" fi - # Update seed Job name to include short SHA and update image tag (immutable template fix) + # Update seed Job name to include short SHA (immutable template fix) + # NOTE: Do NOT update the image tag here — let the Kustomize images transformer + # in the UAT overlay handle it via newTag. This avoids the immutable template issue. SEED_JOB="apps/groombook/base/seed-job.yaml" if [ -f "$SEED_JOB" ]; then yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB" yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB" - yq -i '.spec.template.spec.containers[0].image = "ghcr.io/groombook/seed:" + env(TAG)' "$SEED_JOB" fi git -C /tmp/infra diff --stat -- 2.52.0