fix(deploy-bump): scope git add to edited files, drop soft reset#290
Open
markusrubey wants to merge 2 commits into
Open
fix(deploy-bump): scope git add to edited files, drop soft reset#290markusrubey wants to merge 2 commits into
markusrubey wants to merge 2 commits into
Conversation
… reset The "Bump docker tag" commit step had two defects that allowed unrelated working-tree state to land on main, branded as a docker-tag bump: 1. `git add .` from the repo root stages every dirty file on the runner, not just the helm `values.yaml` we sed-edit. Anything that ends up in the workspace (stale state on a self-hosted runner, side effects from earlier steps) gets swept into the commit. 2. The rebase-conflict recovery did `git reset --soft origin/main` and then `git add .` again. Soft reset leaves the index pointing at the old tree, so the resulting commit's diff vs the new base is `diff(new base → old tree) + sed edits`, which silently reverts any commits that landed between the bases. Replace both `git add .` with `git add "$HELM_VALUES_PATH/values.yaml"` and the soft reset with a hard reset, then re-apply the seds on top of fresh main. Result: bump commits can only ever touch the single helm file the step is supposed to touch. Incident: monta-app/monorepo-typescript@716f5f7e3 committed two single-character TS edits alongside a react-storybook bump, leaving `apps/hub` failing to typecheck on main. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
….yml `component-deploy.yml` (the V1 reusable workflow consumed by `deploy-kotlin.yml`, `deploy-python.yml`, and `deploy-generic.yml`) contains the same bug as V2: repo-wide `git add .` plus a `git reset --soft` conflict-recovery path. V1 deploys against `kube-manifests` so the blast radius differs, but the structural defect is the same. Mirror the V2 fix: - Scope both `git add` calls to the two files the earlier steps edit (`$APP_PATH/values.yaml` and `$CLUSTER_PATH/config.yaml`). - Replace `git reset --soft origin/main` with `git reset --hard origin/main`. Also hoist the duplicated commit message into a `COMMIT_MSG` env var in both V1 and V2 to avoid drift across the four interpolated call sites, and trim the comments to the invariant (drop the incident-SHA narration). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
markusrubey
changed the title
markusrubey
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
Commit and push with automatic retrystep in bothcomponent-deploy.yml(V1) andcomponent-deploy-v2.ymlhad two defects that let unrelated working-tree state land on a target repo'smain, branded as a docker-tag bump.Defect 1 — repo-wide
git add .git add .from the repo root stages every dirty file on the runner. The sed step only edits one or two specific files, but the add scoops up everything: stale state on a self-hosted runner, side effects from earlier steps, anything left over in the workspace. The commit message says "Bump docker tag for X" but the commit can contain arbitrary diffs.Defect 2 — rebase-conflict recovery does a soft reset +
git add .When the retry loop's
git rebase origin/mainconflicts, the recovery path did:git reset --softmovesHEADto the new base but leaves the index pointing at the old tree. The subsequentgit add .reads the working tree (still at the old base + our edit) and stages it. The resulting commit's diff vs the new base is:i.e. it silently reverts every change that landed between the old and new base.
Fix
Applied to both
component-deploy.yml(V1) andcomponent-deploy-v2.yml:git add .with an explicit add of the files the earlier steps edit:git add "$APP_PATH/values.yaml" "$CLUSTER_PATH/config.yaml"git add "$HELM_VALUES_PATH/values.yaml"git reset --soft origin/mainwithgit reset --hard origin/main. We re-apply the edits from scratch anyway, so a hard reset is what was meant; it also wipes any leftover state from the failed rebase.COMMIT_MSGenv var so the two call sites can't drift.Why both files
V1 (
component-deploy.yml) is consumed bydeploy-kotlin.yml,deploy-python.yml, anddeploy-generic.yml. That covers all the Monta Kotlin services (server, service-api-gateways, service-core-api, service-search, service-feature, service-wallet, service-identity, etc.) and Python services. V2 covers the monorepo-typescript apps. Both had the identical bug.Incident
monta-app/monorepo-typescript@716f5f7e3— aBump docker tag for react-storybook on stagingcommit also contained two single-character TS edits inapps/hub/src/domain/dashboard/feature/control-tower/…, breakingapps/hubtypecheck onmain. TS revert:monta-app/monorepo-typescript#2990.Audited all 176
GitHub Action-authored commits onmonorepo-typescript'smainsince 2025-09 — that's the only one with non-helm files. This fix prevents recurrence regardless of how the runner's working tree gets dirtied.Test plan