daarion-admin/microdao-daarion

Files

Apple 526738dd75 ci(gitea): guard deploy sync when NODA1 origin is not deploy-safe

2026-03-05 11:35:56 -08:00

1.6 KiB

Raw Permalink Blame History

Deploy Gate (Gitea)

Purpose

deploy-node1-runtime is a hard release gate for NODA1 runtime changes:

deploy job syncs target git ref on NODA1 (and can optionally rebuild gateway + experience-learner).
phase6_gate job runs make phase6-smoke on NODA1.
If phase6_gate fails, the workflow fails.

This prevents a deploy from being considered successful without a Phase-6 closed-loop smoke pass.

Workflow

File: .gitea/workflows/deploy-node1-runtime.yml

Manual trigger inputs:

deploy_ref (default: main)
redeploy_runtime (default: false)
ssh_host (optional override)
ssh_user (optional override, default root)

Required repo secrets:

NODA1_SSH_HOST
NODA1_SSH_USER
NODA1_SSH_KEY

Safety notes

redeploy_runtime=false only syncs git on NODA1 and runs gate checks.
redeploy_runtime=true recreates gateway and experience-learner containers.
If NODA1 git tree is dirty, workflow skips checkout/pull and still enforces phase6_gate (safe mode for live nodes).
If NODA1 origin remote is not the expected deploy-safe repo, workflow skips checkout/pull and still enforces phase6_gate (prevents accidental downgrade from a stale remote).
Workflow uses SSH key validation and IdentitiesOnly=yes to avoid host key collisions.

Expected PASS

deploy job: successful SSH sync of selected deploy_ref.
phase6_gate job: make phase6-smoke returns PASS.
Workflow conclusion: success.

Failure handling

SSH/network issues: one retry is attempted in gate step.
Gate FAIL: treat as release blocker, inspect artifacts/phase6-gate*.log.