Skip to content

GRIF-716.2: Add workflow_dispatch for promoting bricks stable tag #2081

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
santos1709 wants to merge 1 commit into
base: master
Choose a base branch
from
+114 −3
Open

GRIF-716.2: Add workflow_dispatch for promoting bricks stable tag #2081

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 18 additions & 3 deletions .github/workflows/lcm-pipeline.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -303,13 +303,28 @@ jobs:
--repo ${{ github.repository }} \
--body "## LCM bricks image available

New image \`stable/lcm-bricks\` available and tagged for all prod clusters.
Please, manually run the respective rundeck job for each: ${{ secrets.RUNDECK_URL }}
New image \`stable/lcm-bricks\` is available.

| | |
|---|---|
| **Version** | \`${{ needs.prepare-build.outputs.service_version }}\` |
| **Build tag** | \`${{ needs.prepare-build.outputs.image_tag }}\` |"
| **Build tag** | \`${{ needs.prepare-build.outputs.image_tag }}\` |

### Next steps

**1. Tag the image with its major version**
Run the [LCM: Retag stable image to major version](${{ github.server_url }}/${{ github.repository }}/actions/workflows/lcm-stable-retag.yaml) workflow dispatch:
- Go to **Actions → LCM: Retag stable image to major version → Run workflow**
- Set **tag** to \`${{ needs.prepare-build.outputs.service_version }}\`
- Leave **dry-run** unchecked and click **Run workflow**

@jiri-staroba jiri-staroba Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[NEW] Instruction stale after dry-run default changed to true

Now that dry-run defaults to true, "leave dry-run unchecked" means the workflow runs in dry-run mode — no images will actually be tagged.

GitHub Actions renders boolean inputs as a true/false dropdown, not a checkbox, so "unchecked" is also the wrong UI term.

Suggested fix:

- Set **dry-run** to `false` and click **Run workflow**

The gh CLI example two lines below already passes -f dry-run=false explicitly, so that part is correct.


Or via gh CLI:
\`\`\`
gh workflow run lcm-stable-retag.yaml --repo ${{ github.repository }} -f tag=${{ needs.prepare-build.outputs.service_version }} -f dry-run=false
\`\`\`

**2. Register bricks to prod clusters**
Once the retag completes, manually run the respective Rundeck job for each cluster: ${{ secrets.RUNDECK_URL }}"
env:
GH_TOKEN: ${{ secrets.TOKEN_GITHUB_YENKINS }}

Expand Down
96 changes: 96 additions & 0 deletions .github/workflows/lcm-stable-retag.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
name: "LCM: Retag stable image to major version"
run-name: "Retag stable lcm-bricks ${{ inputs.tag }} → M<major>-<cluster>"

@jiri-staroba jiri-staroba Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MODERATE] dry-run defaults to false — production writes on first click

With default: false, a user who opens Actions → Run workflow, fills in the tag, and clicks Run workflow without touching the dry-run checkbox immediately executes real crane tag against prod stable repos for 8 clusters × 2 images, with no confirmation gate.

Consider defaulting to true so a dry-run is the safe path and the user must explicitly opt into production writes:

default: true

@santos1709 santos1709 Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, why not


on:
workflow_dispatch:
inputs:
tag:
description: 'Stable image tag to retag (e.g. 3.7.106)'
required: true
type: string
dry-run:
description: 'Dry-run only — print crane commands without executing'
required: true
default: true
type: boolean

concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false

jobs:
retag-stable:
name: Retag stable/${{ inputs.tag }} to major version
runs-on:
group: infra1-runners-arc
labels: runners-small
permissions:
id-token: write
contents: read
env:
INFRA_REPO_URL: ${{ secrets.ECR_URL }}
images: "lcm-bricks lcm-bricks-nextversion"
clusters: "na1 ca2 perf1 bom1 syd1 na3 eu1 fra1"
steps:
- name: Get required Vault secrets
uses: hashicorp/vault-action@v3
with:
url: ${{ secrets.VAULT_ADDRESS }}
method: jwt
path: jwt/github
role: ecr-push

@jiri-staroba jiri-staroba Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CRITICAL — still not fixed] Wrong Vault role/path for stable/ writes

The Vault credentials are still the staging-tier ones:

role: ecr-push
secrets: secret/data/v3/int/ecr/infra1-user-ecr-rw

This workflow writes to stable/ (via crane tag ${INFRA_REPO_URL}/stable/...), and every other stable/ write in this repo uses:

role: ecr-ii-push
secrets: secret/data/v2/data-special/infra1-user-ecr-rw

See promote-to-stable.yaml (line 32–35) and the .github/actions/container-build-push/action.yaml defaults. The deliberate staging/stable credential split strongly implies ecr-push+v3/int does not have push permission on stable/ repos — this will likely fail with AccessDenied at runtime.

secrets: |
secret/data/v3/int/ecr/infra1-user-ecr-rw aws_ecr_access_key | AWS_ACCESS_KEY ;
secret/data/v3/int/ecr/infra1-user-ecr-rw aws_ecr_secret_key | AWS_SECRET_KEY ;

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY }}
aws-secret-access-key: ${{ env.AWS_SECRET_KEY }}

@jiri-staroba jiri-staroba Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MODERATE] Hardcoded lcm-bricks-nextversion may not exist for this tag

lcm-bricks-nextversion is only promoted to stable/ when it was built (i.e. VERSION changed in the triggering push and paths-filter included it). If this retag is run for a tag where stable/lcm-bricks-nextversion:TAG was never promoted, crane tag fails because the source manifest is absent.

With set -euo pipefail, the job aborts mid-run — potentially having already retagged all clusters for lcm-bricks but none for lcm-bricks-nextversion, leaving a partially-tagged state.

Consider skipping images whose source tag is absent rather than hard-failing:

if crane manifest "${src}" > /dev/null 2>&1; then
  crane tag "${src}" "${major_tag}"
else
  echo "[warn] ${src} not found, skipping"
fi

@santos1709 santos1709 Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Considering that this action is a manual triggered actually when a PR is merged - meaning CI has to have passed and consequently all the builds were successfully. I don't see an issue here

aws-region: us-east-1

- name: Login to Amazon ECR
uses: aws-actions/amazon-ecr-login@v2
with:
mask-password: 'true'

- name: Retag images
env:
TAG: ${{ inputs.tag }}
DRY_RUN: ${{ inputs.dry-run }}
run: |
set -euo pipefail
major=$(echo "$TAG" | cut -d. -f1)
images=( ${{ env.images }} )
clusters=( ${{ env.clusters }} )
for image in "${images[@]}"; do
src="${INFRA_REPO_URL}/stable/${image}:${TAG}"
for cluster in "${clusters[@]}"; do
major_tag="M${major}-${cluster}"
if [ "${DRY_RUN}" == 'true' ]; then
echo "[dry-run] crane tag ${src} ${major_tag}"
else
crane tag "${src}" "${major_tag}"
echo "Tagged ${image}:${TAG} → ${image}:${major_tag}"
fi
done
done

@jiri-staroba jiri-staroba Jun 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[CLEANUP] Cluster list and major extraction duplicated between steps

clusters=(na1 ca2 perf1 bom1 syd1 na3 eu1 fra1) and major=$(echo "$TAG" | cut -d. -f1) appear in both the Retag images step and this Summary step. If a cluster is added/removed in one place and missed in the other, the summary silently misreports what was actually tagged.

Consider setting these once as job-level env vars, or sharing via $GITHUB_OUTPUT from the retag step, and reading them here.

@santos1709 santos1709 Jun 24, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed, worked with the same env var for both steps


- name: Summary
env:
TAG: ${{ inputs.tag }}
run: |
set -euo pipefail
major=$(echo "$TAG" | cut -d. -f1)
clusters=( ${{ env.clusters }} )
{
echo "## LCM stable retag"
echo ""
echo "| | |"
echo "|---|---|"
echo "| **Source tag** | \`${TAG}\` |"
echo "| **Major tag pattern** | \`M${major}-<cluster>\` |"
echo "| **Clusters** | \`${clusters[*]}\` |"
echo "| **Dry-run** | \`${{ inputs.dry-run }}\` |"
} >> "$GITHUB_STEP_SUMMARY"
Loading