feat(gitops): annotate-only mode for Flux image automation#152
Closed
monotek wants to merge 2 commits into
Closed
Conversation
When a gitops-dev/stage/prod line provides a path but no field, update_file now writes the deploy.staffbase.com/* annotations without updating the image tag. The image-update block is guarded on a non-empty field; annotation writes stay unconditional. This supports apps migrating from the apperator Application CR to the staffbase-application Helm chart, where the image tag is owned by Flux image automation (ImageRepository/ImagePolicy/ImageUpdateAutomation). The action must stop writing the tag for those apps but keep stamping commitSha and repositoryFullName, which image automation never knows. The two-token "<path> <field>" form is unchanged (image update + annotations). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The Inputs table was missing four inputs declared in action.yml: docker-build-outputs and the upwind-client-id / upwind-organization-id / upwind-client-secret trio. Add them so the table matches action.yml. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds an annotate-only mode for GitOps updates so the action can stamp deploy.staffbase.com/* deployment annotations even when Flux image automation owns the tag: field and should not be modified by this action.
Changes:
- Guard image/tag updates in
update_filebehind a non-empty<field>while keeping annotation writes unconditional. - Add unit + integration Bats coverage for both annotate-only and existing field-based update behavior.
- Document the new path-only
<path>input form in the README (and clarify related inputs).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
scripts/lib/gitops-functions.sh |
Adds a field-present guard so tag updates are skipped when a line is path-only, while still writing deployment annotations. |
tests/lib-gitops-functions.bats |
Adds tests covering annotate-only mode (mocked yq + real-yq integration) and an end-to-end process_file_updates path-only case. |
README.md |
Documents annotate-only mode usage and updates input descriptions accordingly. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds an annotate-only mode to
update_file: when agitops-dev/gitops-stage/gitops-prodline provides a path only (no field), the action writes thedeploy.staffbase.com/*annotations without updating the image tag.The image-update block is now guarded on a non-empty
field; the annotation writes stay unconditional. The line parser already leavesfieldempty for a path-only line, so no parser change was needed.Why
Staffbase is migrating apps from the apperator
ApplicationCR to thestaffbase-applicationHelm chart (HelmRelease overlays inmops). In the new model the image tag is owned by Flux image automation (ImageRepository/ImagePolicy/ImageUpdateAutomation), which scans the registry and commits thetag:line back tomopsitself.So for migrated apps this action must stop writing the tag — but must keep writing the annotations.
flux-deployment-reporterreadscommitSha+repositoryFullNameoff the reconciled resource to report deployments to Swarmia for DORA metrics, and those are build-time facts only this action knows (image automation only ever knows the tag, never the source commit/repo). Keeping this action as the annotation-writer also yields a full commit SHA in every environment, including prod, where tags are CalVer (2025.50.14) and carry no SHA.Known transient skew
versionis still set toINPUT_TAG(the freshly built tag). It may briefly lead the actualtag:until image automation selects the new build. It converges, and the reporter dedupes on(commitSha, version), so it self-heals.Backward compatibility
The two-token
<path> <field>form is unchanged — image update and annotations, exactly as today. Apperator apps still mid-migration keep working. No new required input; the path-only line is the trigger.Tests
update_filewith empty field: skips image update, still writes all three annotations (mock + real-yqintegration on thehelmrelease.yamlfixture, asserting thetag:is untouched).update_filewith field: regression test that the tag is updated and annotations written.process_file_updatespath-only line end-to-end.Out of scope
The reporter change to list HelmRelease (
helm.toolkit.fluxcd.io/v2) in addition to the apperatorApplicationCR is handled separately in theflux-deployment-reporterrepo — the annotation keys/values are identical regardless of resource kind, so no change is needed here.Dependency