ci(deploy): auto-deploy on push to master#32
Merged
A worker fix shipped to master but never deployed because someone had
to run `docker buildx build && kubectl set image` by hand. A user got
the same broken expiry email twice as a result. Close that gap — for
the worker repo, that's literally how the bug happened.
On every push to master this workflow now:
1. checks out worker + sibling common/ + proto/ to match Dockerfile
2. runs `go test ./... -short -count=1` (fails the job on red tests)
3. builds linux/amd64 with GIT_SHA/BUILD_TIME/VERSION build-args
4. pushes ghcr.io/mastermanas805/instant-worker:<master-SHA> + :latest
5. kubectl set image deployment/instant-worker + rollout status (180s)
6. verifies the deployment now points at the exact tag we built
7. shells into the new pod and curls localhost:8091/healthz to confirm
the binary reports the new commit_id (best-effort; the prod image
is distroless and may not have curl/wget, in which case the
image-tag check above is the load-bearing gate)
Operator action: add KUBECONFIG_B64 to repo secrets (base64-encoded
kubeconfig). Without it the kubeconfig step fails fast with a clear
error message.
Concurrency group `deploy-Deploy` with cancel-in-progress=false so
two merges in a row queue instead of racing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Why

A worker code fix shipped to master but was never deployed because someone had to manually run `docker buildx build && kubectl set image`. A user received the same broken expiry email twice as a result. This is the repo where the bug happened — auto-deploy here is the highest-priority fix.

After this lands, the in-flight expiry-email fix (currently shipping via a separate manual agent push) will auto-propagate on its merge commit.

What it does

On every push to `master`:

- `worker` + sibling `common/` + `proto/` to match Dockerfile context.
- `go test ./... -short -count=1` — fails the deploy on red tests.
- `linux/amd64` with `GIT_SHA=<short>`, `BUILD_TIME=<utc>`, `VERSION=master-<short>`.
- `ghcr.io/mastermanas805/instant-worker:<version>` + `:latest`.
- `kubectl set image deployment/instant-worker -n instant-infra worker=<image>` + `rollout status --timeout=180s`.
- `localhost:8091/healthz` to confirm `commit_id` matches (best-effort — see gotcha below).

Concurrency group `deploy-Deploy` with `cancel-in-progress: false` so two merges in a row queue instead of racing.

Operator action required before this can fire green

Add `KUBECONFIG_B64` to repo Settings → Secrets → Actions. Value = `base64 -i ~/.kube/config`. Without it the kubeconfig step fails fast with a clear error.

The kubeconfig must have permission to `set image` on `deployment/instant-worker -n instant-infra`.

Notes / gotchas

- `ci.yml` triggers on `main` but the repo's default branch is `master` — pre-existing.
- `gcr.io/distroless/static-debian12` — no shell, no curl, no wget. The in-pod `/healthz` SHA check is therefore best-effort and downgrades to a warning if it can't exec. The load-bearing gate is step 6 (image tag matches what we built) plus `rollout status` confirming Ready.

Test plan

- `KUBECONFIG_B64` repo secret
- `kubectl get deployment instant-worker -n instant-infra -o jsonpath='{.spec.template.spec.containers[0].image}'` matches the new tag

DO NOT MERGE until KUBECONFIG_B64 is in place.
Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com
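
The two gates the description leans on (the fail-fast `KUBECONFIG_B64` step and the image-tag check) can be written as below. This is an added example, not the workflow file from this PR; the function names `write_kubeconfig` and `image_gate` are hypothetical, and it assumes GNU `base64 -d` on the runner and that `$VERSION` holds the `master-<short>` tag.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the PR's workflow.

# Decode the KUBECONFIG_B64 secret into a file only the runner user can read.
write_kubeconfig() {
    dest=$1
    if [ -z "${KUBECONFIG_B64:-}" ]; then
        echo "::error::KUBECONFIG_B64 secret is not set" >&2
        return 1
    fi
    # umask inside a subshell: the file is created 0600, never briefly wider.
    if ! ( umask 077; printf '%s' "$KUBECONFIG_B64" | base64 -d > "$dest" ) 2>/dev/null; then
        rm -f "$dest"
        echo "::error::KUBECONFIG_B64 is not valid base64" >&2
        return 1
    fi
    # Sanity check that the decoded bytes are a kubeconfig, not some other secret.
    if ! grep -q '^kind: Config' "$dest"; then
        rm -f "$dest"
        echo "::error::decoded KUBECONFIG_B64 is not a kubeconfig" >&2
        return 1
    fi
}

# Compare the image in the Deployment spec with the tag this run built.
image_gate() {
    expected=$1 actual=$2
    # A mutable or missing tag cannot prove which build is running.
    case ${expected##*/} in
        *:latest) immutable=no ;;
        *:?*)     immutable=yes ;;
        *)        immutable=no ;;
    esac
    if [ "$immutable" = no ]; then
        echo "::error::expected image '$expected' has no immutable tag" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "::error::deployment references '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Workflow usage (the kubectl query is the one in the PR's test plan):
#   write_kubeconfig "$RUNNER_TEMP/kubeconfig" && export KUBECONFIG="$RUNNER_TEMP/kubeconfig"
#   actual=$(kubectl get deployment instant-worker -n instant-infra \
#       -o jsonpath='{.spec.template.spec.containers[0].image}')
#   image_gate "ghcr.io/mastermanas805/instant-worker:$VERSION" "$actual"
```

Gating on the `master-<short>` tag rather than `:latest` matters because both tags are pushed on every run, and only the commit-derived one identifies a single build.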