Files
2026-07-13 12:58:18 +08:00

91 lines
3.4 KiB
YAML

name: "Showcase: Reconcile prod vs staging (on-demand drift check)"
# On-demand prod-vs-staging reconciliation. The showcase deploy model: staging
# tracks a mutable `:latest` tag and is continuously rebuilt; prod is pinned to
# an immutable `@sha256:` digest and advances only on an explicit promote. So
# prod can sit BEHIND a green staging — which is OFTEN INTENTIONAL (changes are
# batched and promoted deliberately), so a recurring drift alert would be noise.
#
# This workflow is therefore MANUAL ONLY (workflow_dispatch). There is no
# schedule and no unsolicited Slack alert. A maintainer runs it from the Actions
# tab to answer "is prod caught up with staging right now?"; the per-service
# reconcile table is rendered into the GH step summary, and the run exits
# nonzero when a column is stale so the drift is visibly flagged on the run.
#
# Read-only: runs `bin/railway reconcile-prod`, which performs NO promotes /
# mutations.
on:
workflow_dispatch:
concurrency:
group: showcase-reconcile-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
reconcile:
name: Reconcile prod vs staging
runs-on: ubuntu-latest
timeout-minutes: 10
environment: railway
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Set up Ruby
uses: ruby/setup-ruby@d45b1a4e94b71acab930e56e79c6aa188764e7f9 # v1.316.0
with:
ruby-version: "3.2"
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: 22.x
- name: Regenerate SSOT JSON
# bin/railway reads showcase/scripts/railway-envs.generated.json to
# derive the prod-eligible (probe.prod) set; it is never committed, so
# regenerate it here. Skip the oxfmt-canonical pass (repo-root oxfmt is
# not installed by this scripts-scoped `npm ci`), mirroring the promote
# workflow's resolve/promote jobs.
working-directory: showcase/scripts
env:
EMIT_SKIP_OXFMT: "1"
run: |
npm ci
npx tsx emit-railway-envs-json.ts
- name: Reconcile gate
id: gate
env:
RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Path the gate writes machine-readable JSON to (uploaded as an
# artifact below). Cheap to keep — handy for a maintainer inspecting a
# manual run, but no Slack/alert consumer.
RECONCILE_JSON: ${{ github.workspace }}/reconcile.json
run: |
set -uo pipefail
if [ -z "${RAILWAY_TOKEN:-}" ]; then
echo "::error::RAILWAY_TOKEN secret not configured; cannot run the reconcile gate."
exit 1
fi
# Run the gate. reconcile-prod-gate.sh surfaces the per-service table
# into the GH step summary and exits 1 on a stale service / 2 on a hard
# error — either reds the run so a manual run visibly flags drift.
RAILWAY_BIN="showcase/bin/railway" \
showcase/scripts/reconcile-prod-gate.sh
- name: Upload reconcile JSON
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: reconcile-json
path: reconcile.json
if-no-files-found: ignore
retention-days: 7