91 lines
3.4 KiB
YAML
91 lines
3.4 KiB
YAML
name: "Showcase: Reconcile prod vs staging (on-demand drift check)"
|
|
|
|
# On-demand prod-vs-staging reconciliation. The showcase deploy model: staging
|
|
# tracks a mutable `:latest` tag and is continuously rebuilt; prod is pinned to
|
|
# an immutable `@sha256:` digest and advances only on an explicit promote. So
|
|
# prod can sit BEHIND a green staging — which is OFTEN INTENTIONAL (changes are
|
|
# batched and promoted deliberately), so a recurring drift alert would be noise.
|
|
#
|
|
# This workflow is therefore MANUAL ONLY (workflow_dispatch). There is no
|
|
# schedule and no unsolicited Slack alert. A maintainer runs it from the Actions
|
|
# tab to answer "is prod caught up with staging right now?"; the per-service
|
|
# reconcile table is rendered into the GH step summary, and the run exits
|
|
# nonzero when a column is stale so the drift is visibly flagged on the run.
|
|
#
|
|
# Read-only: runs `bin/railway reconcile-prod`, which performs NO promotes /
|
|
# mutations.
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
|
|
concurrency:
|
|
group: showcase-reconcile-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
reconcile:
|
|
name: Reconcile prod vs staging
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 10
|
|
environment: railway
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Ruby
|
|
uses: ruby/setup-ruby@d45b1a4e94b71acab930e56e79c6aa188764e7f9 # v1.316.0
|
|
with:
|
|
ruby-version: "3.2"
|
|
|
|
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
|
|
with:
|
|
node-version: 22.x
|
|
|
|
- name: Regenerate SSOT JSON
|
|
# bin/railway reads showcase/scripts/railway-envs.generated.json to
|
|
# derive the prod-eligible (probe.prod) set; it is never committed, so
|
|
# regenerate it here. Skip the oxfmt-canonical pass (repo-root oxfmt is
|
|
# not installed by this scripts-scoped `npm ci`), mirroring the promote
|
|
# workflow's resolve/promote jobs.
|
|
working-directory: showcase/scripts
|
|
env:
|
|
EMIT_SKIP_OXFMT: "1"
|
|
run: |
|
|
npm ci
|
|
npx tsx emit-railway-envs-json.ts
|
|
|
|
- name: Reconcile gate
|
|
id: gate
|
|
env:
|
|
RAILWAY_TOKEN: ${{ secrets.RAILWAY_TOKEN }}
|
|
GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
# Path the gate writes machine-readable JSON to (uploaded as an
|
|
# artifact below). Cheap to keep — handy for a maintainer inspecting a
|
|
# manual run, but no Slack/alert consumer.
|
|
RECONCILE_JSON: ${{ github.workspace }}/reconcile.json
|
|
run: |
|
|
set -uo pipefail
|
|
if [ -z "${RAILWAY_TOKEN:-}" ]; then
|
|
echo "::error::RAILWAY_TOKEN secret not configured; cannot run the reconcile gate."
|
|
exit 1
|
|
fi
|
|
# Run the gate. reconcile-prod-gate.sh surfaces the per-service table
|
|
# into the GH step summary and exits 1 on a stale service / 2 on a hard
|
|
# error — either reds the run so a manual run visibly flags drift.
|
|
RAILWAY_BIN="showcase/bin/railway" \
|
|
showcase/scripts/reconcile-prod-gate.sh
|
|
|
|
- name: Upload reconcile JSON
|
|
if: always()
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: reconcile-json
|
|
path: reconcile.json
|
|
if-no-files-found: ignore
|
|
retention-days: 7
|