veza/.github/workflows/cleanup-failed.yml

# cleanup-failed.yml — workflow_dispatch only.
#
# Tears down the kept-alive failed-deploy color (the inactive one
# that survived a Phase D / Phase F failure for forensics).
# Operator triggers this once they have read the journalctl output.
#
# Hard safety in playbooks/cleanup_failed.yml: refuses to destroy
# the currently-active color.
name: Veza cleanup failed-deploy color

on:
    workflow_dispatch:
        inputs:
            env:
                description: "Environment to clean up"
                required: true
                type: choice
                options: [staging, prod]
            color:
                description: "Color to destroy (must NOT be the active one)"
                required: true
                type: choice
                options: [blue, green]

concurrency:
    group: cleanup-${{ inputs.env }}
    cancel-in-progress: false

jobs:
    cleanup:
        name: Destroy ${{ inputs.color }} app containers in ${{ inputs.env }}
        runs-on: [self-hosted, incus]
        timeout-minutes: 10
        steps:
            - uses: actions/checkout@v4
              with:
                  fetch-depth: 1

            - name: Install ansible
              run: |
                  sudo apt-get update -qq
                  sudo apt-get install -y ansible
                  ansible-galaxy collection install community.general                  

            - name: Write vault password
              env:
                  VAULT_PW: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
              run: |
                  printf '%s' "$VAULT_PW" > "$RUNNER_TEMP/vault-pass"
                  chmod 0400 "$RUNNER_TEMP/vault-pass"
                  echo "VAULT_PASS_FILE=$RUNNER_TEMP/vault-pass" >> "$GITHUB_ENV"                  

            - name: Run cleanup_failed.yml
              working-directory: infra/ansible
              env:
                  ANSIBLE_LOG_PATH: ${{ runner.temp }}/ansible-cleanup-${{ inputs.env }}-${{ inputs.color }}.log
                  ANSIBLE_HOST_KEY_CHECKING: "False"
              run: |
                  ansible-playbook \
                      -i inventory/${{ inputs.env }}.yml \
                      playbooks/cleanup_failed.yml \
                      --vault-password-file "$VAULT_PASS_FILE" \
                      -e veza_env=${{ inputs.env }} \
                      -e target_color=${{ inputs.color }}                  

            - name: Upload Ansible log
              if: always()
              uses: actions/upload-artifact@v4
              with:
                  name: ansible-cleanup-${{ inputs.env }}-${{ inputs.color }}
                  path: ${{ runner.temp }}/ansible-cleanup-*.log
                  retention-days: 30

            - name: Shred vault password file
              if: always()
              run: |
                  if [ -f "$VAULT_PASS_FILE" ]; then
                      shred -u "$VAULT_PASS_FILE" 2>/dev/null || rm -f "$VAULT_PASS_FILE"
                  fi