openova/.github/workflows/check-controller-workflow-uniformity.yaml
e3mrah e72efb87cd
chore(ci): add auto-bump-images + pkg/** path filter to all build-*-controller workflows (Closes #2006) (#2012)
TBD-A69. PR #2005 fixed build-organization-controller.yaml only. The
other six controller workflows (application, blueprint, continuum,
environment, sandbox, useraccess) had the same gaps that caused the
#1997 18h deploy gap:

- application-controller: missing pkg/** in path filter (auto-bump
  already present from earlier work).
- blueprint, continuum, environment, useraccess: missing BOTH pkg/**
  path filter AND auto-bump pipeline (permissions promotion +
  values.yaml bump + commit/push + blueprint-release dispatch).
- sandbox: already complete (pkg/** + auto-bump to platform/sandbox
  chart) — left untouched.

Each updated workflow inherits the canonical shape from
build-organization-controller.yaml (PR #2005):

  1. `core/controllers/pkg/**` added to BOTH push.paths and
     pull_request.paths. Without this, a fix that only touches the
     shared HTTP-client tree (gitea/keycloak/kc-mappers) silently
     fails to rebuild the controller image.
  2. `permissions.contents: write` + `actions: write` so the build
     job can push the values.yaml bump and dispatch the downstream
     chart re-publish.
  3. An awk-scoped `Bump controllers.<who>.image.tag in values.yaml`
     step that updates ONLY the targeted controller's tag (verified
     locally — sibling tags remain untouched).
  4. A commit/push step that bumps
     products/catalyst/chart/values.yaml (or
     products/continuum/chart/values.yaml for continuum, which has
     its own chart).
  5. A `gh workflow run blueprint-release.yaml` dispatch so the
     bot-pushed commit fires the downstream chart re-publish
     (GitHub Actions silently filters bot pushes from path-trigger
     workflows otherwise).

Adds two new files to lock the shape in:

  - `scripts/check-controller-workflow-uniformity.sh` — a CI
    regression test that grep-asserts every controller workflow has
    the canonical pkg/** filter + auto-bump pipeline. Fails loudly
    if any new controller workflow ships without the canonical shape,
    or if an existing one regresses.
  - `.github/workflows/check-controller-workflow-uniformity.yaml` —
    push-on-touch + pull_request-on-touch event-driven wrapper that
    runs the script. Mirrors the shape of check-vendor-coupling.yaml.

Verified locally:
  - YAML syntax valid for all 7 controller workflows + the new check
    workflow.
  - Regression script passes on all 7 controller workflows.
  - Simulated awk bumps against products/catalyst/chart/values.yaml
    and products/continuum/chart/values.yaml — each script bumps
    ONLY the targeted controller's tag, sibling tags untouched.

No chart bumps. No Go/chart changes. CI-workflow-only.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 04:11:04 +04:00

name: Controller-workflow uniformity guardrail
# Regression test for TBD-A69 (#2006). Asserts every
# build-*-controller.yaml + *-controller-build.yaml workflow contains
# the canonical CI shape:
#
#   1. `core/controllers/pkg/**` in BOTH push.paths and pull_request.paths.
#   2. `contents: write` + auto-bump step that stamps short SHA into
#      the chart values.yaml.
#   3. blueprint-release.yaml dispatch after the bot push (catalyst
#      bundle workflows only; sandbox is exempt — its own chart).
#
# Pre-#2006: only build-organization-controller.yaml carried the full
# shape (added in PR #2005); the other six controllers had partial /
# missing pieces and shipped the #1997 18h deploy gap.
#
# Per CLAUDE.md "every workflow MUST be event-driven, NEVER scheduled":
# this workflow is push-on-merge + pull-request-on-touch. No cron.
on:
  push:
    branches: [main]
    paths:
      - '.github/workflows/build-*-controller.yaml'
      - '.github/workflows/*-controller-build.yaml'
      - '.github/workflows/check-controller-workflow-uniformity.yaml'
      - 'scripts/check-controller-workflow-uniformity.sh'
  pull_request:
    paths:
      - '.github/workflows/build-*-controller.yaml'
      - '.github/workflows/*-controller-build.yaml'
      - '.github/workflows/check-controller-workflow-uniformity.yaml'
      - 'scripts/check-controller-workflow-uniformity.sh'
  workflow_dispatch:
permissions:
  contents: read
jobs:
  check:
    name: Controller-workflow uniformity
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run controller-workflow uniformity check
        run: bash scripts/check-controller-workflow-uniformity.sh
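The commit message describes two mechanisms that this workflow guards: an awk step scoped so that it bumps only `controllers.<who>.image.tag` in the chart values.yaml (sibling tags untouched), and a grep-based regression script that asserts every controller workflow carries the pkg/** filter plus the auto-bump pipeline. The script below is an added example, not the repository's `scripts/check-controller-workflow-uniformity.sh` nor its workflow steps; it reproduces both mechanisms on constructed input. The values.yaml layout, the sample workflows, and the function names (`bump_controller_tag`, `check_workflow_shape`) are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not the openova repository's own script). Demonstrates, on
# constructed input, the two mechanisms the commit describes: an awk bump scoped
# to controllers.<who>.image.tag, and a grep guardrail for the canonical shape.
set -eu

# Constructed chart values.yaml with three sibling controllers (layout assumed).
sample_values_yaml() {
  cat <<'EOF'
controllers:
  organization:
    image:
      repository: ghcr.io/example/organization-controller
      tag: aaaaaaa
  blueprint:
    image:
      repository: ghcr.io/example/blueprint-controller
      tag: bbbbbbb
  environment:
    image:
      repository: ghcr.io/example/environment-controller
      tag: ccccccc
EOF
}

# bump_controller_tag <controller> <new-tag>: values.yaml on stdin, bumped copy
# on stdout. awk tracks the current 2-space controller key and whether it is
# inside that controller's 4-space "image:" block; only a "tag:" line inside
# the requested controller's image block is rewritten, so a global
# s/tag:/.../ that would clobber every sibling cannot happen.
bump_controller_tag() {
  who="$1" tag="$2"
  awk -v who="$who" -v tag="$tag" '
    /^  [A-Za-z0-9_-]+:[[:space:]]*$/ {          # 2-space key: a controller name
      cur = $0; sub(/^  /, "", cur); sub(/:.*$/, "", cur); in_image = 0
    }
    /^    image:[[:space:]]*$/ { in_image = (cur == who) }
    /^    [A-Za-z0-9_-]+:/ && !/^    image:/ { in_image = 0 }   # next key closes image
    in_image && /^      tag:/ { $0 = "      tag: " tag }
    { print }'
}

# Constructed controller workflows: one with the canonical shape, one lacking
# pkg/** under pull_request.paths and the auto-bump permissions/dispatch.
sample_workflow_good() {
  cat <<'EOF'
on:
  push:
    paths: ['core/controllers/example/**', 'core/controllers/pkg/**']
  pull_request:
    paths: ['core/controllers/example/**', 'core/controllers/pkg/**']
permissions:
  contents: write
  actions: write
jobs:
  build:
    steps:
      - run: gh workflow run blueprint-release.yaml
EOF
}
sample_workflow_bad() {
  cat <<'EOF'
on:
  push:
    paths: ['core/controllers/example/**', 'core/controllers/pkg/**']
  pull_request:
    paths: ['core/controllers/example/**']
permissions:
  contents: read
EOF
}

# check_workflow_shape <file>: 0 if every canonical marker is present, 1
# otherwise, naming each missing piece on stderr so CI fails loudly.
check_workflow_shape() {
  file="$1" missing=0
  # pkg/** is required under BOTH push.paths and pull_request.paths, hence >= 2.
  n=$(grep -cF -- 'core/controllers/pkg/**' "$file" || true)
  if [ "$n" -lt 2 ]; then
    echo "MISSING in $file: core/controllers/pkg/** in both path filters (found $n)" >&2
    missing=1
  fi
  for pat in 'contents: write' 'actions: write' 'blueprint-release.yaml'; do
    if ! grep -qF -- "$pat" "$file"; then
      echo "MISSING in $file: $pat" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Stand-alone demo: bump the blueprint tag and run the guardrail on both samples.
demo() {
  sample_values_yaml | bump_controller_tag blueprint 1234567
  good=$(mktemp) bad=$(mktemp)
  sample_workflow_good >"$good"; sample_workflow_bad >"$bad"
  check_workflow_shape "$good" && echo "good workflow: canonical shape OK"
  check_workflow_shape "$bad" || echo "bad workflow: guardrail fired (exit $?)"
  rm -f "$good" "$bad"
}
demo
```

Running the script prints the bumped values.yaml with only the blueprint tag changed, reports the good sample as compliant, and lists each missing piece for the bad sample before exiting non-zero from the check. The "at least two occurrences" count for pkg/** is what distinguishes a workflow that filters on the shared tree for pushes only from one that does so for pull requests too.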