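---
# cleanup-failed.yml — workflow_dispatch only.
#
# Tears down the kept-alive failed-deploy color (the inactive one
# that survived a Phase D / Phase F failure for forensics).
# Operator triggers this once they have read the journalctl output.
#
# Hard safety in playbooks/cleanup_failed.yml: refuses to destroy
# the currently-active color.
#
# Workflow-level notes:
#   - `permissions` is pinned to contents:read; nothing in this job pushes,
#     comments or publishes, so GITHUB_TOKEN needs no write scope.
#   - workflow_dispatch inputs reach shell steps through `env:` rather than
#     `${{ }}` interpolation inside `run:`. Both inputs are `type: choice`,
#     so the expansion is already constrained to the listed options, but
#     env passing keeps the shell text static if an input ever becomes
#     free-form.

name: Veza cleanup failed-deploy color

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      env:
        description: "Environment to clean up"
        required: true
        type: choice
        options: [staging, prod]
      color:
        description: "Color to destroy (must NOT be the active one)"
        required: true
        type: choice
        options: [blue, green]

# Least privilege for GITHUB_TOKEN: actions/checkout only needs read access.
permissions:
  contents: read

concurrency:
  group: cleanup-${{ inputs.env }}
  cancel-in-progress: false

jobs:
  cleanup:
    name: Destroy ${{ inputs.color }} app containers in ${{ inputs.env }}
    runs-on: [self-hosted, incus]
    timeout-minutes: 10
    # NOTE(review): `environment: ${{ inputs.env }}` would let prod runs
    # inherit GitHub environment protection rules (required reviewers);
    # not added here because it requires those environments to exist.
    steps:
      # NOTE(review): pinning to a full commit SHA instead of a moving
      # major tag gives reproducible, tamper-evident action resolution.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1

      - name: Install ansible
        # community.general is pulled unpinned from Galaxy on every run;
        # pin a validated version (community.general:<PINNED_VERSION>)
        # so a new upstream release cannot change playbook behaviour.
        run: |
          sudo apt-get update -qq
          sudo apt-get install -y ansible
          ansible-galaxy collection install community.general

      - name: Write vault password
        env:
          VAULT_PW: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
        # Fail fast on a missing secret instead of writing an empty file
        # and letting ansible-playbook fail later with a less clear error.
        # The file is created under umask 077 so it is never group/world
        # readable on the shared self-hosted runner, even before chmod.
        run: |
          if [ -z "$VAULT_PW" ]; then
            echo "ANSIBLE_VAULT_PASSWORD secret is not set" >&2
            exit 1
          fi
          (umask 077; printf '%s' "$VAULT_PW" > "$RUNNER_TEMP/vault-pass")
          chmod 0400 "$RUNNER_TEMP/vault-pass"
          echo "VAULT_PASS_FILE=$RUNNER_TEMP/vault-pass" >> "$GITHUB_ENV"

      - name: Run cleanup_failed.yml
        working-directory: infra/ansible
        env:
          VEZA_ENV: ${{ inputs.env }}
          TARGET_COLOR: ${{ inputs.color }}
          ANSIBLE_LOG_PATH: ${{ runner.temp }}/ansible-cleanup-${{ inputs.env }}-${{ inputs.color }}.log
          # NOTE(review): this disables SSH host-key verification for every
          # managed host, so a substituted host would not be detected. On a
          # persistent self-hosted runner a pre-seeded known_hosts keeps the
          # check on; confirm which hosts the inventory reaches before changing.
          ANSIBLE_HOST_KEY_CHECKING: "False"
        run: |
          ansible-playbook \
            -i "inventory/${VEZA_ENV}.yml" \
            playbooks/cleanup_failed.yml \
            --vault-password-file "$VAULT_PASS_FILE" \
            -e "veza_env=${VEZA_ENV}" \
            -e "target_color=${TARGET_COLOR}"

      - name: Upload Ansible log
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ansible-cleanup-${{ inputs.env }}-${{ inputs.color }}
          # Exact file rather than a glob, so the artifact cannot silently
          # bundle any other ansible-cleanup-*.log left in runner.temp.
          path: ${{ runner.temp }}/ansible-cleanup-${{ inputs.env }}-${{ inputs.color }}.log
          retention-days: 30

      - name: Shred vault password file
        if: always()
        # Runs even when earlier steps failed; VAULT_PASS_FILE is unset (so
        # the -f test is false) if the write step never reached GITHUB_ENV.
        run: |
          if [ -f "$VAULT_PASS_FILE" ]; then
            shred -u "$VAULT_PASS_FILE" 2>/dev/null || rm -f "$VAULT_PASS_FILE"
          fi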