From 96d84c007bd2d6086b1ef693189e2f09820e2d61 Mon Sep 17 00:00:00 2001
From: Markus Rubey
Date: Wed, 20 May 2026 15:03:12 +0200
Subject: [PATCH 1/2] fix(deploy-generic-v2): scope helm bump add to values.yaml, drop soft reset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The "Bump docker tag" commit step had two defects that allowed unrelated working-tree state to land on main, branded as a docker-tag bump:

1. `git add .` from the repo root stages every dirty file on the runner, not just the helm `values.yaml` we sed-edit. Anything that ends up in the workspace (stale state on a self-hosted runner, side effects from earlier steps) gets swept into the commit.

2. The rebase-conflict recovery did `git reset --soft origin/main` and then `git add .` again. Soft reset leaves the index pointing at the old tree, so the resulting commit's diff vs the new base is `diff(new base → old tree) + sed edits`, which silently reverts any commits that landed between the bases.

Replace both `git add .` with `git add "$HELM_VALUES_PATH/values.yaml"` and the soft reset with a hard reset, then re-apply the seds on top of fresh main. Result: bump commits can only ever touch the single helm file the step is supposed to touch.

Incident: monta-app/monorepo-typescript@716f5f7e3 committed two single-character TS edits alongside a react-storybook bump, leaving `apps/hub` failing to typecheck on main.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/component-deploy-v2.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/component-deploy-v2.yml b/.github/workflows/component-deploy-v2.yml
index 20789ec..278f07a 100644
--- a/.github/workflows/component-deploy-v2.yml
+++ b/.github/workflows/component-deploy-v2.yml
@@ -154,7 +154,11 @@ jobs:
           git config user.name "GitHub Action"
           git config user.email "action@github.com"
-          git add .
+          # Stage only the helm values file we edited. A repo-wide `git add .`
+          # would sweep any other working-tree changes (stale runner state,
+          # side effects from earlier steps) into a commit mislabelled as a
+          # docker-tag bump — see monta-app/monorepo-typescript@716f5f7e3.
+          git add "$HELM_VALUES_PATH/values.yaml"
           git commit -m "Bump docker tag for ${{ inputs.service-identifier }} on ${{ inputs.stage }} to ${{ inputs.image-tag }}"
           for attempt in $(seq 1 10); do
@@ -169,12 +173,16 @@ jobs:
             echo "Rebase clean, retrying push..."
           else
             echo "Rebase conflict, re-applying changes on top of latest main..."
+            # Hard-reset to the new origin/main and re-apply the seds from
+            # scratch. Previous logic used `git reset --soft` + `git add .`,
+            # which kept the old tree in the index and produced commits that
+            # silently reverted unrelated changes between bases.
             git rebase --abort
-            git reset --soft origin/main
+            git reset --hard origin/main
             sed -i "s/tag: .*/tag: ${{ inputs.image-tag }}/" "$HELM_VALUES_PATH/values.yaml"
             sed -i "s/revision: .*/revision: \"${GITHUB_SHA::8}\"/" "$HELM_VALUES_PATH/values.yaml"
             sed -i "s/build: .*/build: ${{ github.run_number }}/" "$HELM_VALUES_PATH/values.yaml"
-            git add .
+            git add "$HELM_VALUES_PATH/values.yaml"
             git commit -m "Bump docker tag for ${{ inputs.service-identifier }} on ${{ inputs.stage }} to ${{ inputs.image-tag }}"
           fi
           sleep 2
From 94fbaa168bf5b1b7ca4d18b11e61d93dffb82f9b Mon Sep 17 00:00:00 2001
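Review bot: In the recovery branch, `sed -i "s/tag: .*/tag: ${{ inputs.image-tag }}/"` still splices the caller-supplied `image-tag` (and `github.run_number`) directly into the bash script text and into a sed replacement; this commit narrows which file is staged but leaves that expansion untouched, and the second patch in this series moves only the commit message into `env:`. Because this is a reusable workflow, a caller that derives `image-tag` from a branch name or PR field would let `/`, `&`, `"` or `;` in the value break the sed expression or run arbitrary commands on the runner before `git add` ever executes. Pass the tag through `env: IMAGE_TAG: ${{ inputs.image-tag }}`, reject anything outside the Docker tag grammar before the first sed, e.g. `[[ "$IMAGE_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$ ]] || { echo "::error::invalid image-tag"; exit 1; }`, and use `"$IMAGE_TAG"` in the replacement. The `for`/`if` enclosing this branch starts outside the hunk.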
From: Markus Rubey
Date: Wed, 20 May 2026 15:10:42 +0200
Subject: [PATCH 2/2] fix(deploy-generic-v1): mirror bump-add scoping into component-deploy.yml

`component-deploy.yml` (the V1 reusable workflow consumed by `deploy-kotlin.yml`, `deploy-python.yml`, and `deploy-generic.yml`) contains the same bug as V2: repo-wide `git add .` plus a `git reset --soft` conflict-recovery path. V1 deploys against `kube-manifests` so the blast radius differs, but the structural defect is the same.

Mirror the V2 fix:

- Scope both `git add` calls to the two files the earlier steps edit (`$APP_PATH/values.yaml` and `$CLUSTER_PATH/config.yaml`).
- Replace `git reset --soft origin/main` with `git reset --hard origin/main`.

Also hoist the duplicated commit message into a `COMMIT_MSG` env var in both V1 and V2 to avoid drift across the four interpolated call sites, and trim the comments to the invariant (drop the incident-SHA narration).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/component-deploy-v2.yml | 18 ++++++++----------
 .github/workflows/component-deploy.yml    | 17 ++++++++++++-----
 2 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/component-deploy-v2.yml b/.github/workflows/component-deploy-v2.yml
index 278f07a..8d45d8f 100644
--- a/.github/workflows/component-deploy-v2.yml
+++ b/.github/workflows/component-deploy-v2.yml
@@ -150,16 +150,15 @@ jobs:
         working-directory: ./service-repo
         env:
           HELM_VALUES_PATH: ${{ inputs.helm-values-path || format('helm/{0}/{1}/app', inputs.service-identifier, inputs.stage) }}
+          COMMIT_MSG: "Bump docker tag for ${{ inputs.service-identifier }} on ${{ inputs.stage }} to ${{ inputs.image-tag }}"
         run: |
           git config user.name "GitHub Action"
           git config user.email "action@github.com"
-          # Stage only the helm values file we edited. A repo-wide `git add .`
-          # would sweep any other working-tree changes (stale runner state,
-          # side effects from earlier steps) into a commit mislabelled as a
-          # docker-tag bump — see monta-app/monorepo-typescript@716f5f7e3.
+          # Stage only the file we sed-edited; a repo-wide `git add .` would
+          # sweep any other working-tree state into the bump commit.
           git add "$HELM_VALUES_PATH/values.yaml"
-          git commit -m "Bump docker tag for ${{ inputs.service-identifier }} on ${{ inputs.stage }} to ${{ inputs.image-tag }}"
+          git commit -m "$COMMIT_MSG"
           for attempt in $(seq 1 10); do
             echo "Push attempt $attempt..."
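Review bot: The new comment above `git add` explains the file scoping but says nothing about why `COMMIT_MSG` moved into `env:`, which is the part of this hunk a later edit is most likely to undo by inlining the message again. Assembling the string in `env:` means the runner substitutes `${{ inputs.* }}` into an environment variable instead of into the bash script text, so an `image-tag` containing `"; … ; echo "` can no longer escape the `-m` argument; record that invariant next to the key, e.g. `# Built in env:, not inline in run:, so input values reach the shell as data, never as code.` Separately, if the earlier sed step changed nothing (no `tag:` line, or a tag already on main), `git commit -m "$COMMIT_MSG"` exits non-zero and GitHub's default `bash -e` fails the step with a bare "nothing to commit"; a `git diff --quiet -- "$HELM_VALUES_PATH/values.yaml" && { echo "::error::values.yaml unchanged"; exit 1; }` before the commit makes that failure explicit. The `for` loop on the last line continues past the hunk.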
@@ -173,17 +172,16 @@ jobs:
             echo "Rebase clean, retrying push..."
           else
             echo "Rebase conflict, re-applying changes on top of latest main..."
-            # Hard-reset to the new origin/main and re-apply the seds from
-            # scratch. Previous logic used `git reset --soft` + `git add .`,
-            # which kept the old tree in the index and produced commits that
-            # silently reverted unrelated changes between bases.
+            # Hard-reset rather than soft: soft leaves the old tree in the
+            # index, and a subsequent broad `git add` would commit a diff
+            # that silently reverts changes between the old and new base.
             git rebase --abort
             git reset --hard origin/main
             sed -i "s/tag: .*/tag: ${{ inputs.image-tag }}/" "$HELM_VALUES_PATH/values.yaml"
             sed -i "s/revision: .*/revision: \"${GITHUB_SHA::8}\"/" "$HELM_VALUES_PATH/values.yaml"
             sed -i "s/build: .*/build: ${{ github.run_number }}/" "$HELM_VALUES_PATH/values.yaml"
             git add "$HELM_VALUES_PATH/values.yaml"
-            git commit -m "Bump docker tag for ${{ inputs.service-identifier }} on ${{ inputs.stage }} to ${{ inputs.image-tag }}"
+            git commit -m "$COMMIT_MSG"
           fi
           sleep 2
         done
diff --git a/.github/workflows/component-deploy.yml b/.github/workflows/component-deploy.yml
index 61238a9..ea84827 100644
--- a/.github/workflows/component-deploy.yml
+++ b/.github/workflows/component-deploy.yml
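Review bot: The three `sed` lines this recovery branch re-applies are not anchored to a key path, so `s/tag: .*/tag: …/` rewrites every line containing `tag: ` in `values.yaml` (a sidecar image tag, any key whose name ends in `tag`), and `revision:`/`build:` likewise; narrowing `git add` to one file therefore still does not guarantee the bump touches one key, which is the invariant the new comment claims. If the key locations in the chart are fixed, use yq with explicit paths as the V1 workflow in this series already does for `config.yaml`, e.g. `yq e '.image.tag = strenv(IMAGE_TAG)' -i "$HELM_VALUES_PATH/values.yaml"` with the tag exported through `env:` (exact paths to be confirmed against the chart). Failing that, at least anchor the patterns, `sed -i -E "s/^(\s*tag:).*/\1 ${IMAGE_TAG}/"`, which stops `foo-tag:` and mid-line matches even though it still hits every `tag:` key at any depth. The retry loop enclosing this branch starts outside the hunk.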
@@ -144,12 +144,16 @@ jobs:
         env:
           APP_PATH: apps/${{ inputs.service-identifier }}/${{ inputs.stage }}/app
           CLUSTER_PATH: apps/${{ inputs.service-identifier }}/${{ inputs.stage }}/cluster
+          COMMIT_MSG: "Bump docker tag for ${{ inputs.service-identifier }} on ${{ inputs.stage }} to ${{ inputs.image-tag }}"
         run: |
           git config user.name "GitHub Action"
           git config user.email "action@github.com"
-          git add .
-          git commit -m "Bump docker tag for ${{ inputs.service-identifier }} on ${{ inputs.stage }} to ${{ inputs.image-tag }}"
+          # Stage only the two files the earlier steps edited; a repo-wide
+          # `git add .` would sweep any other working-tree state into the
+          # bump commit.
+          git add "$APP_PATH/values.yaml" "$CLUSTER_PATH/config.yaml"
+          git commit -m "$COMMIT_MSG"
           for attempt in $(seq 1 10); do
             echo "Push attempt $attempt..."
@@ -163,15 +167,18 @@ jobs:
             echo "Rebase clean, retrying push..."
           else
             echo "Rebase conflict, re-applying changes on top of latest main..."
+            # Hard-reset rather than soft: soft leaves the old tree in the
+            # index, and a subsequent broad `git add` would commit a diff
+            # that silently reverts changes between the old and new base.
             git rebase --abort
-            git reset --soft origin/main
+            git reset --hard origin/main
             sed -i "s/tag: .*/tag: ${{ inputs.image-tag }}/" "$APP_PATH/values.yaml"
             sed -i "s/revision: .*/revision: \"${GITHUB_SHA::8}\"/" "$APP_PATH/values.yaml"
             sed -i "s/build: .*/build: ${{ github.run_number }}/" "$APP_PATH/values.yaml"
             previousHash=$(yq e .currentHash "$CLUSTER_PATH/config.yaml")
             yq e '.previousHash = strenv(previousHash)' -i "$CLUSTER_PATH/config.yaml"
             currentHash=${GITHUB_SHA::8}
             yq e '.currentHash = strenv(currentHash)' -i "$CLUSTER_PATH/config.yaml"
-            git add .
-            git commit -m "Bump docker tag for ${{ inputs.service-identifier }} on ${{ inputs.stage }} to ${{ inputs.image-tag }}"
+            git add "$APP_PATH/values.yaml" "$CLUSTER_PATH/config.yaml"
+            git commit -m "$COMMIT_MSG"
           fi
           sleep 2
         done
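Review bot: In the re-applied recovery steps, `yq e '.previousHash = strenv(previousHash)'` and the matching `strenv(currentHash)` read yq's process environment, but `previousHash=$(…)` and `currentHash=${GITHUB_SHA::8}` are plain shell assignments that are not exported, so yq sees an unset name unless `set -a` or an `export` happens somewhere outside this hunk. As far as I recall, yq v4 treats an unset `strenv` variable as an error, which would fail the conflict branch precisely when it is needed and leave `config.yaml` half-updated after the hard reset; `export previousHash=$(yq e .currentHash "$CLUSTER_PATH/config.yaml")` and `export currentHash=${GITHUB_SHA::8}` (or a `previousHash=… yq …` prefix assignment) make the intent explicit either way. These four lines are context, so the earlier step that first edits `config.yaml` presumably carries the same pattern and is worth checking too; the enclosing retry loop starts outside the hunk.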