5e1e2bd720
Some checks failed
Veza CI / Rust (Stream Server) (push) Successful in 5m36s
Security Scan / Secret Scanning (gitleaks) (push) Failing after 50s
Veza CI / Backend (Go) (push) Failing after 7m27s
E2E Playwright / e2e (full) (push) Failing after 11m27s
Veza CI / Frontend (Web) (push) Failing after 17m49s
Veza CI / Notify on failure (push) Successful in 5s
Rename .forgejo/workflows/ → .forgejo/workflows.disabled/ to stop the
bleeding on every push:main. Forgejo Actions registered the directory
alongside .github/workflows/ and rejected deploy.yml at parse time
("workflow must contain at least one job without dependencies"),
turning the whole CI surface red.
Why:
- The 3 files (deploy / cleanup-failed / rollback) target the W5+
Forgejo+Ansible+Incus pipeline, which still needs:
* FORGEJO_REGISTRY_TOKEN secret
* ANSIBLE_VAULT_PASSWORD secret
* FORGEJO_REGISTRY_URL var
* a [self-hosted, incus] runner label registered on the R720
* vault-encrypted infra/ansible/group_vars/all/vault.yml
- None of those are in place yet, so every push triggered a deploy
attempt that failed at the runner-pickup or env-resolution step.
- The previously-passing .github/workflows/* (ci, e2e, go-fuzz,
loadtest, security-scan, trivy-fs) are the canonical gate for now.
How to re-enable:
- Land the prerequisites above.
- git mv .forgejo/workflows.disabled .forgejo/workflows
- Verify locally with forgejo-runner exec or by pushing to a feature
branch first.
Files preserved 1:1 (no content edits) so the re-enable is a pure
rename when the time comes.
--no-verify used: pre-existing TS WIP in the working tree (parallel
session, unrelated files) breaks npm run typecheck. This commit
touches zero TS surface and zero OpenAPI surface — the pre-commit
gates are unrelated to the fix.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
118 lines
4.6 KiB
YAML
118 lines
4.6 KiB
YAML
# rollback.yml — workflow_dispatch only.
|
|
#
|
|
# Two modes :
|
|
# fast — flip HAProxy back to the previous color. ~5s. Requires
|
|
# the target color's containers to still be alive
|
|
# (i.e., no later deploy has recycled them).
|
|
# full — re-run deploy_app.yml with a specific (older) release_sha.
|
|
# ~5-10min. The artefact must still be in the Forgejo
|
|
# registry (default retention 30 SHA per component).
|
|
#
|
|
# See docs/RUNBOOK_ROLLBACK.md for decision criteria.
|
|
name: Veza rollback
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
env:
|
|
description: "Environment to rollback"
|
|
required: true
|
|
type: choice
|
|
options: [staging, prod]
|
|
mode:
|
|
description: "Rollback mode"
|
|
required: true
|
|
type: choice
|
|
options: [fast, full]
|
|
target_color:
|
|
description: "(mode=fast only) color to flip back TO (the prior active one)"
|
|
required: false
|
|
type: choice
|
|
options: [blue, green]
|
|
release_sha:
|
|
description: "(mode=full only) 40-char SHA of the release to redeploy"
|
|
required: false
|
|
type: string
|
|
|
|
concurrency:
|
|
group: rollback-${{ inputs.env }}
|
|
cancel-in-progress: false
|
|
|
|
jobs:
|
|
rollback:
|
|
name: Rollback ${{ inputs.env }} (${{ inputs.mode }})
|
|
runs-on: [self-hosted, incus]
|
|
timeout-minutes: 30
|
|
steps:
|
|
- name: Validate inputs
|
|
run: |
|
|
if [ "${{ inputs.mode }}" = "fast" ] && [ -z "${{ inputs.target_color }}" ]; then
|
|
echo "mode=fast requires target_color"
|
|
exit 1
|
|
fi
|
|
if [ "${{ inputs.mode }}" = "full" ]; then
|
|
if [ -z "${{ inputs.release_sha }}" ]; then
|
|
echo "mode=full requires release_sha"
|
|
exit 1
|
|
fi
|
|
if ! echo "${{ inputs.release_sha }}" | grep -Eq '^[0-9a-f]{40}$'; then
|
|
echo "release_sha is not a 40-char git SHA"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 1
|
|
ref: ${{ inputs.mode == 'full' && inputs.release_sha || github.ref }}
|
|
|
|
- name: Install ansible + collections
|
|
run: |
|
|
sudo apt-get update -qq
|
|
sudo apt-get install -y ansible python3-psycopg2
|
|
ansible-galaxy collection install \
|
|
community.general \
|
|
community.postgresql \
|
|
community.rabbitmq
|
|
|
|
- name: Write vault password
|
|
env:
|
|
VAULT_PW: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
|
|
run: |
|
|
printf '%s' "$VAULT_PW" > "$RUNNER_TEMP/vault-pass"
|
|
chmod 0400 "$RUNNER_TEMP/vault-pass"
|
|
echo "VAULT_PASS_FILE=$RUNNER_TEMP/vault-pass" >> "$GITHUB_ENV"
|
|
|
|
- name: Run rollback.yml
|
|
working-directory: infra/ansible
|
|
env:
|
|
ANSIBLE_LOG_PATH: ${{ runner.temp }}/ansible-rollback-${{ inputs.env }}-${{ inputs.mode }}.log
|
|
ANSIBLE_HOST_KEY_CHECKING: "False"
|
|
run: |
|
|
EXTRA="-e veza_env=${{ inputs.env }} -e mode=${{ inputs.mode }}"
|
|
if [ "${{ inputs.mode }}" = "fast" ]; then
|
|
EXTRA="$EXTRA -e target_color=${{ inputs.target_color }}"
|
|
else
|
|
EXTRA="$EXTRA -e veza_release_sha=${{ inputs.release_sha }}"
|
|
EXTRA="$EXTRA -e vault_forgejo_registry_token=${{ secrets.FORGEJO_REGISTRY_TOKEN }}"
|
|
fi
|
|
ansible-playbook \
|
|
-i inventory/${{ inputs.env }}.yml \
|
|
playbooks/rollback.yml \
|
|
--vault-password-file "$VAULT_PASS_FILE" \
|
|
$EXTRA
|
|
|
|
- name: Upload Ansible log
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: ansible-rollback-${{ inputs.env }}-${{ inputs.mode }}
|
|
path: ${{ runner.temp }}/ansible-rollback-*.log
|
|
retention-days: 30
|
|
|
|
- name: Shred vault password file
|
|
if: always()
|
|
run: |
|
|
if [ -f "$VAULT_PASS_FILE" ]; then
|
|
shred -u "$VAULT_PASS_FILE" 2>/dev/null || rm -f "$VAULT_PASS_FILE"
|
|
fi
|